[FFmpeg-devel] [PATCH 2/2] avformat/hls: .ts is always ok even if its a mov/mp4

Michael Niedermayer michael at niedermayer.cc
Thu Feb 6 01:51:55 EET 2025


Hi

On Wed, Feb 05, 2025 at 07:41:39PM +0100, Michael Niedermayer wrote:
> Hi Kacper
> 
> On Tue, Feb 04, 2025 at 12:45:14PM +0100, Kacper Michajlow wrote:
> [...]
> > security benefits. I get it. Someone needed to hit their KPI by
> > submitting CVEs, and they found a marginally applicable case of a
> > highly unrealistic attack scenario.
> 
> I think you misjudge the (un)realism of this attack
> 
> prior to the patches, I can give you an m3u8 file and it will store
> any local file in the output video
> 
> This is not even just a matter of video streaming services,
> With a bit of social engineering you can likely get people to
> do that.
> "Hey i found this odd file that encodes to different gibberish
>  on each machine, I am an artist, doing an art project, can you
>  just quickly reencode this and send me the mkv it generates ?"
> 
> Who would think that the above will effectively give the attacker full
> access to your machine, unless you run this in a sandbox that has
> no access to sensitive files

I've tried to write an exploit for this and luckily it is not
that simple.

We can use data:// to feed both data and extension to force a demuxer
of our choice to be used

We can use crypto: to encrypt the extracted data so the user has no clue
what is extracted

And we don't need to have any probe succeed on the file we read.
The tty_extensions check also does not help, as it is not run on the target

I can read any file, but only if it has an extension on the allowed_extensions
list or allowed_extensions is set to ALL.
This luckily does indeed make it difficult to exploit; I failed to find a
way to bypass this. But there are several close ones:
concatdec uses data:// if we open it that way
file:// is subject to the allowed_extensions check
other things like references in other demuxers I have not tried

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact
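As an added example (not code from the mail above or from FFmpeg), the following Python checker applies the policy the mail describes to the references inside an untrusted HLS playlist: a local file reference passes only if its extension is on an allowlist or the list is set to ALL, and the data: and crypto: wrappers the mail uses to pick a demuxer and hide the extracted bytes are refused outright. Everything in it is an assumption made for the example: the allowlist is an abbreviated stand-in rather than FFmpeg's actual default, the EXT-X-KEY handling and the split between segment and key checks are the example's own design, and SAMPLE_PLAYLIST is constructed.

```python
# Added example: policy check for references in an untrusted HLS playlist.
# Not FFmpeg code. The allowlist is an abbreviated stand-in for an
# allowed_extensions-style option, not FFmpeg's actual default.
import posixpath
import re
from urllib.parse import urlsplit

DEFAULT_ALLOWED_EXTENSIONS = frozenset({"ts", "m4s", "mp4", "m4a", "aac", "mp3"})
REMOTE_SCHEMES = frozenset({"http", "https"})
# Wrapper schemes (assumed list): data: carries the bytes and an extension of
# the attacker's choosing, crypto: wraps another URL, so an extension check on
# the outer reference says little about what is ultimately read.
WRAPPER_SCHEMES = frozenset({"data", "crypto"})


def extension_of(uri):
    """Lower-case extension of the URI's path component, without the dot."""
    return posixpath.splitext(urlsplit(uri).path)[1].lstrip(".").lower()


def classify(uri, base_scheme="https"):
    """Bucket a reference by how it would be opened; a relative reference
    inherits the playlist's own scheme."""
    scheme = urlsplit(uri).scheme.lower() or base_scheme
    if scheme in WRAPPER_SCHEMES:
        return "wrapper"
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme == "file":
        return "local"
    return "other"


def check_reference(uri, kind="segment", allowed_extensions=DEFAULT_ALLOWED_EXTENSIONS,
                    allow_all=False, local_ok=False, base_scheme="https"):
    """Return (ok, reason) for one reference.

    local_ok=False is the strict policy for an untrusted playlist: every
    file: reference is refused. With local_ok=True the check degrades to the
    extension allowlist the mail describes: a local file is readable iff its
    extension is allowed or allow_all (the ALL setting) is on.
    """
    bucket = classify(uri, base_scheme)
    if bucket == "wrapper":
        return False, "wrapper scheme %s: rejected" % urlsplit(uri).scheme
    if bucket == "other":
        return False, "unsupported scheme"
    if bucket == "local" and not local_ok:
        return False, "local file reference rejected"
    # Assumed split: only segments reach a demuxer, so only they get the
    # extension check; a key is fetched as raw bytes.
    if kind == "segment" and not allow_all:
        ext = extension_of(uri)
        if ext not in allowed_extensions:
            return False, "extension %r not in allowlist" % ext
    return True, "ok"


_URI_ATTR = re.compile(r'URI="([^"]*)"')


def playlist_references(text):
    """Yield (kind, uri) for each URI a player would open: segment lines and
    the URI attribute of EXT-X-KEY tags."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = _URI_ATTR.search(line) if line.startswith("#EXT-X-KEY:") else None
            if m:
                yield "key", m.group(1)
            continue
        yield "segment", line


def scan_playlist(text, **policy):
    """Return [(kind, uri, reason)] for every reference the policy rejects."""
    rejected = []
    for kind, uri in playlist_references(text):
        ok, reason = check_reference(uri, kind=kind, **policy)
        if not ok:
            rejected.append((kind, uri, reason))
    return rejected


# Constructed playlist: a remote and a relative segment, two local files (one
# with an allowed extension, one without), a data: segment and a crypto:-
# wrapped local file.
SAMPLE_PLAYLIST = """\
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://cdn.example.com/key.bin"
#EXTINF:10.0,
https://cdn.example.com/seg0.ts
#EXTINF:10.0,
seg1.ts
#EXTINF:10.0,
file:///home/user/notes.txt
#EXTINF:10.0,
file:///home/user/clip.ts
#EXTINF:10.0,
data:video/mp2t;base64,AAAA
#EXTINF:10.0,
crypto:file:///home/user/notes.txt
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for label, policy in (("strict", {}), ("local_ok", {"local_ok": True}),
                          ("local_ok+ALL", {"local_ok": True, "allow_all": True})):
        print(label)
        for kind, uri, reason in scan_playlist(SAMPLE_PLAYLIST, **policy):
            print("  reject %-8s %-36s %s" % (kind, uri, reason))
```

Running it shows the three regimes side by side: the strict policy refuses both file: segments and both wrappers; with local_ok=True only notes.txt is refused among the local files (clip.ts has an allowed extension), which is the situation the mail describes; with ALL as well, only the data: and crypto: references remain refused, which is why those wrappers deserve their own check rather than relying on the extension list alone.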