Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely

Posted by timothy on from the which-point-in-the-stack dept.

prisoninmate writes: A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, has been discovered recently by Russian programmer Maxim Andreev in the current stable builds of the software. It appears to let anyone with the necessary skills hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file. Arch Linux devs already rebuilt their FFmpeg packages without the AppleHTTP and HLS demuxers.

72 comments

  1. why so hung up about arch? by Anonymous Coward · · Score: -1

    gentoo doesn't have these "features" either.

    1. Re: why so hung up about arch? by Anonymous Coward · · Score: 3, Insightful

      Don't gentoo users choose their own build settings / features by default? What do you want the article to say? "Most gentoo users probably have the problem fixed by themselves already too but we don't really know?"

    2. Re: why so hung up about arch? by Anonymous Coward · · Score: 0

      FWIW, so does arch. either distro can also use binaries.

    3. Re: why so hung up about arch? by Anonymous Coward · · Score: 0

      Oh, I thought most gentoo users build everything except maybe a few special packages themselves? While Arch is kind of the other way around?

    4. Re:why so hung up about arch? by WarJolt · · Score: 1

      Neither does Ubuntu, since everyone uses libav instead.

    5. Re: why so hung up about arch? by behrooz0az · · Score: 1

      You thought correctly.
      Arch users can choose to build packages themselves using AUR that has multiple GUI/CLI frontends like yaourt or pacmanxg. but it's not a mess like debain apt-build and actually integrates well with the standard pacman system.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    6. Re: why so hung up about arch? by Anonymous Coward · · Score: 0

      About the only thing I didn't build when I reinstalled my gentoo install last time was open office.

    7. Re:why so hung up about arch? by dryeo · · Score: 1

      Libav seems to be reacting to this as well with a quick fix to blacklist HTTP in HLS. Whether the same vulnerability or a different one I don't know.
      https://lists.libav.org/piperm...

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    8. Re:why so hung up about arch? by Anonymous Coward · · Score: 0

      My reaction to the libav vs. ffmpeg split was to stay loyal to ffmpeg. My impression: the guy who is* still managing ffmpeg was the talented/dedicated one who was doing all the work.

      *Correction: "was"... It appears that Michael Niedermayer has resigned? Source: http://www.theregister.co.uk/2015/08/05/ffmpeg_leader_steps_down/

      His comment on one of the blog posts:
      "And yes ive surely contributed less in the months prior to the fork than i did years before. That was to a some extend due to some people fillibustering my work wherever they could and thus making it quite non-fun. The libmpcodecs case is an example. These people left now to libav with several other people that i would really have preferred if they did not leave, but when they are happier there it cant be a bad thing. i just have my doubts about their long term happyness. But time will tell that.
      And i want to use this opertunity to say, that you kostya are always welcome to return to ffmpeg, if you want with your own tree, branch or fork where you are the final boss."
      Source:
      http://codecs.multimedia.cx/?p=339

      Meanwhile "Felipe" sounds like a douche/divisive drama-magnet.

      So way to go libav team! You drove away the person who was holding the project together. Now your disfunctional knitting circle can circle-jerk each other while zero day exploits ravage the project's users/linux community/open source community.

    9. Re:why so hung up about arch? by Tighe_L · · Score: 1

      By default Gentoo doesn't use FFMPEG, but the craptastic fork avlib. I wish that the developers of avlib many ills for ruining everything with their dman fork.

    10. Re:why so hung up about arch? by Anonymous Coward · · Score: 0

      Meanwhile "Felipe" sounds like a douche/divisive drama-magnet.

      Sounds like Felipe Contreras?
      yesss :D

    11. Re: why so hung up about arch? by DanZ23 · · Score: 1

      Right? With all these cores, world compiles quickly.

    12. Re:why so hung up about arch? by dryeo · · Score: 1

      While Michael did resign as official leader, he is still very involved and seems to be defacto leader.
      Watching the split was like watching a couple where you're friends with both going through a messy breakup. You can see both sides but don't want to take sides as they both have a point. In FFmpeg vs libav, it was mostly a conflict about the workflow. It was kind of disgusting how the (future) libav developers handled things, namely trying to hijack FFmpeg during the move to git.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  2. Very wide impact. by Anonymous+Psychopath · · Score: 5, Informative

    Ffmpeg is used in some capacity in just about every video application I can think of. VLC, Kodi/XBMC, MythTV, Handbrake, Plex...

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

    1. Re:Very wide impact. by QuantumReality · · Score: 2

      And in Google Chrome, because i compiled it myself for Chromium

    2. Re:Very wide impact. by Anonymous Coward · · Score: 1

      Even worse, Firefox can use FFMPEG for playing HTML5 Video.

      I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to migrate the vulnerability until a fix comes along.

    3. Re:Very wide impact. by dissy · · Score: 4, Informative

      I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to migrate the vulnerability until a fix comes along.

      The article suggests a mitigation, however it sounds like it may just be easier to remove the package until your upstream provides updates...

      James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.
      It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

      A commenter in the arch bug report listing also says:

      Btw, one could also do --disable-demuxer='hls,applehttp', but rebuilding without network support looks like a more robust solution for now (until the issue is inspected and fixed upstream).

      https://bugs.archlinux.org/tas...

      My understanding is the specific bug reported in russian is exploited via HLS, however it is unconfirmed if the same method could be used and exploited in other network stream demuxers yet.

    4. Re:Very wide impact. by fluffernutter · · Score: 4, Interesting

      But the question is, how easy is it to end up playing a 'specially crafted file' if you're playing video in VLC or Kodi? I mean, understood that any website could have an ad video that plays and opens up this connection but what is the reality of the risk for standalone players?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:Very wide impact. by 110010001000 · · Score: 4, Informative

      Any video file that you torrent could now open you up for risk. That means about 99% of Kodi users.

    6. Re:Very wide impact. by squiggleslash · · Score: 2

      OTOH it's installed in far fewer places than people think. A hell of a lot of installations are of libav, where the CLI interface avconv has been softlinked with ffmpeg as an alias.

      Given the shared heritage between the two, I'd be curious to know whether the vulnerabilities are in both avconv and "original" ffmpeg.

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:Very wide impact. by adamantine.me · · Score: 1

      Yup, and I have multiple machines that use these services... Uh oh.

    8. Re:Very wide impact. by dryeo · · Score: 1

      https://lists.libav.org/piperm... points to some worries.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  3. Does libav have it too? by Anonymous Coward · · Score: 1

    Does ffmpegs fork have the bug as well?

  4. Sounds Harmless, But You're Wrong by Anonymous Coward · · Score: 0

    The attack does not even require the user to open that file - for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected, basically all operations with file that involve ffmpeg reading it are affected

    If you have ffmpeg installed, you are likely vulnerable to having any files that you are privileged for transferred across the wore by this bug.

    1. Re:Sounds Harmless, But You're Wrong by Anonymous Coward · · Score: 1

      I have ffmpeg installed on Windows. I don't believe Windows uses it in any way, except when I launch it manually to convert a file. Am I still at risk (even when I don't choose to open a malicious file)?

    2. Re:Sounds Harmless, But You're Wrong by sims+2 · · Score: 1

      Media player classic on windows uses ffdshow which makes use of ffmpeg. Iirc mplayer also uses ffmpeg. But they are not the only ones a lot of video players rely on ffmpeg on the back end.

      --
      Minimum threshold fixed. Thanks!
  5. That's the sound by the_skywise · · Score: 1

    of millions of devleopers and users screaming in terror all at once...

    I feel something terrible has happened...

    1. Re:That's the sound by invictusvoyd · · Score: 1

      How does the attacker gain access to the compromised machine .

  6. FFmpegd by Anonymous Coward · · Score: 2, Funny

    Don't worry, Lennart is busy trying to absorb FFmpeg into systemd. Once there's some Poettering shitcode in FFmpeg, it'll cease to work at all and the vulnerability will have been neutralized.

    1. Re:FFmpegd by rubycodez · · Score: 1

      no, upon fault the Poettering systemd FFmpeg code will go backwards, playing the movie to the start, reset all audio settings to default, and then double-clicking the movie file in your gui to replay it again

    2. Re:FFmpegd by vel-ex-tech · · Score: 1

      Note to self: prepare to add media-video/ffmpeg to the Anti-Lennartware section of /etc/paludis/package_mask.conf!

      (Disclaimer: I haven't used systemd yet, kind of been meaning to so I can also play around with KVM at the same time, but I completely believe the horror stories based on my experience with pulseaudio.)

    3. Re:FFmpegd by vel-ex-tech · · Score: 1

      Heh.

      That gives me an idea, though. What about a setting that plays back movies in Momento style? Maybe some kind of heuristic to determine where scenes start and end?

    4. Re:FFmpegd by sims+2 · · Score: 1

      I think you meant http://www.imdb.com/title/tt02...

      That imdb link is to a 5 minute short.

      --
      Minimum threshold fixed. Thanks!
    5. Re:FFmpegd by Anonymous Coward · · Score: 0

      ciaran mccreesh and his exherbo/paludis bullshit is just as cancerous as lennart and systemd. even though he's not a gentoo developer anymore, his legacy lives on in the form of EAPI.

    6. Re:FFmpegd by caseih · · Score: 1

      I've had systemd running on my linux machines for years now. Just seems to work and I am much happier to create a simple ini file to start a custom daemon than to mess with horrid, buggy, complex, and fragile init scripts.

    7. Re:FFmpegd by vel-ex-tech · · Score: 2

      It works pretty well for me at least. I don't use Exherbo's repos, but I've found paludis' correctness, while aggravating at time, to at least be correct in that it doesn't break my system in the weird ways Gentoo portage does.

      If you have a Gentoo box for 3 or 4 years, eventually it'll get weirdly broken with emerge. That's why I even sought out paludis.

    8. Re: FFmpegd by Anonymous Coward · · Score: 0

      "Create a simple ini file..."
      Welcome to Windows bitch.

    9. Re: FFmpegd by Anonymous Coward · · Score: 0

      Absolutely, we can't have something implemented correctly if it has some tenuous connection with Windows, such as ".ini" files. No, half arsed, unreliable, and kludge ridden - case in point: sysvinit - is the way to go, that's the Unix way!

    10. Re:FFmpegd by Bert64 · · Score: 1

      I have gentoo boxes which are more than 10 years old, so long as you regularly update emerge you don't have any major problems... If you leave it for a long time, then do an emerge sync things do get broken because the installed version of portage won't support the newly synced ebuilds.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  7. Now this. This is news! by sims+2 · · Score: 1

    This is news! A new critical zero-day vulnerability affecting millions of computers.

    And here we thought drm free video files were safe.

    Whelp another good reason to have a decent firewall.

    --
    Minimum threshold fixed. Thanks!
    1. Re:Now this. This is news! by Anonymous+Psychopath · · Score: 3, Informative

      Whelp another good reason to have a decent firewall.

      Once you put a malformed video file on a system with a vulnerable ffmpeg, and ffmpeg is used to access the file, it makes an outbound connection. Most firewalls are configured to happily pass along anything originated from the inside network.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    2. Re:Now this. This is news! by suutar · · Score: 1

      a well-and-paranoidly-configured firewall, then :)

    3. Re:Now this. This is news! by Anonymous Coward · · Score: 0

      It still takes time for rules to be added to your snort ruleset subscriptions, for example. Of course adding your own rule straightaway is possible.

    4. Re:Now this. This is news! by sims+2 · · Score: 1

      Personally I don't like tinywall because it doesn't ask me about everything like zonealarm did but its a fraction of the size. I have vlc installed but I have never used it for streaming as such its has never been given permission through the local firewall. But yes if you use it to stream video you would most likely have it set to always allow. I don't know widely used it is for streaming but I personally haven't used it to stream video in the last what 5 years or so.

      And yes this requires the user to at minimum be able to recognize that vlc.exe does not require internet access to play a local file.

      Its like UAC Its completely useless if you click allow to everything. But UAC is so naggy on the default setting that everyone always clicks yes Every time you turn a computer on that's been off for about a week BING do you want to allow jucheck.exe to make changes to your computer? (hell no! but thanks for reminding me to disable java's auto updater) damn adware installing auto updater.

      I always click no if a uac prompt takes over my screen if its that friggin important ill run the program again with admin rights. Mostly its just auto updaters that think they ought to be able to do anything they like. *I am looking at you Google newer is always better chrome.*

      --
      Minimum threshold fixed. Thanks!
    5. Re:Now this. This is news! by Anonymous Coward · · Score: 0

      do you want to allow jucheck.exe to make changes to your computer? (hell no! but thanks for reminding me to disable java's auto updater) damn adware installing auto updater.

      Uh, maybe you should be updating Java. Its bad enough to have it on your system, but to not update it? Just don't click through the adware installs it does.

    6. Re:Now this. This is news! by drooling-dog · · Score: 1

      Yet another reason to block this crap at the hosts file. And to update it frequently.

    7. Re:Now this. This is news! by Anonymous Coward · · Score: 0

      Doesn't work if your attacker isn't listed already. What is this obsession with hosts files anyway?

    8. Re:Now this. This is news! by Bert64 · · Score: 1

      Works fine if you also disable DNS and then only add hosts you actually want to access to the hosts file.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Now this. This is news! by Anonymous+Psychopath · · Score: 1

      There are just some small scalability issues involved in that process.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    10. Re:Now this. This is news! by Anonymous Coward · · Score: 0

      None at all using what does the job for you http://it.slashdot.org/comment...

    11. Re:Now this. This is news! by Anonymous+Psychopath · · Score: 1

      None at all using what does the job for you http://it.slashdot.org/comment...

      I couldn't see where the app you referenced sources its block list, but I believe what I use (pfBlockerNG) is probably better.

      I maintain that scalability is a big issue you aren't addressing. It's probably fine and certainly better than nothing for one or two Windows desktops, but what about even a small SOHO network that could contain any combination of desktop, mobile, and server operating systems, not to mention embedded devices that may include ffmpeg, like smart TVs and NAS boxes?

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

  8. WTF by edittard · · Score: 4, Funny

    Submitted by prisoninmate. Presumably he's in for crimes against the English language.

    He's certainly familiar with really long sentences.

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
  9. Thank you by AHuxley · · Score: 1

    To the people who found this wide and deep issue.
    Any news to who could be using the ability to create and track media files in the wild?
    Time to alter the out going software firewall :)

    --
    Domestic spying is now "Benign Information Gathering"
  10. Since I'm still paranoid... by Anonymous Coward · · Score: 0

    Since I was considerarted a few paranoid when I told You guys that's possible, I prefer keeping my eye on the screen thinking "hmm... there's still something there that I must protect".

  11. Poison Apple? by Anonymous Coward · · Score: 0

    AppleHTTP

    Didn't we just read about another vulnerability from Apple? What's all this about?

  12. Hosting conversion software by mcrbids · · Score: 2

    We use ffmpeg to process video files uploaded by customers. We'll be patching our app first thing in the morning. This is a big deal for us.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re: Hosting conversion software by Anonymous Coward · · Score: 1

      Why are you building with network support for that use-case?

  13. TAILS Linux Distro by Anonymous Coward · · Score: 0

    Isn't this package still available in current versions of TAILS?

    They have so much shit (even Java!) packed into their ISOs it's retarded.

    If only someone from TAILS would "re-master" their distro to provide slimmer downloads/desktops like Lubuntu or build up from Debian minimal or Tiny Core Linux.

    I don't enjoy downloading 1+GB every month nor do I want 1+GB on LiveDVD/USB filled with tons of audio/video editors/players, an office suite, java, and more.

  14. does it depend on something else? by Anonymous Coward · · Score: 0

    It appears to let anyone with the necessary skills hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.

    That almost sounds witchcraft level powerful. I'm guessing it depends on more critical factors that weren't mentioned there. Like getting someone to download a copy of that file and play it with some applications that involve ffmpeg. Which sounds a lot less scary than the way the summary phrased it.

  15. Why does a multimedia library do networking? by Anonymous Coward · · Score: 0

    The recommended workaround is to disable networking in ffmpeg, but this raises a pretty obvious question. Why would a multimedia library contain any networking code in the first place?

    This sounds like a case of faulty functional decomposition in ffmpeg, ie. incorrect program factoring. Even if it performs functions related to handling streamed media, no actual networking should be performed in this library. It shouldn't even be calling upon the services of external networking libraries to perform networking, and it's way out of line that it be establishing any networking connections of its own accord.

  16. Nobody builds hosts better than Apk by Anonymous Coward · · Score: 0

    Apk builds hosts using 10 reputable security community sources consolidating them all for adblocking and more speed from hardcoded favorites speed with your favorite sites where you spend most of your time online hardcoded at the top of hosts for fastest possible local resolution cached in memory speed up boosts and protection against malware of all kinds with his APK Hosts File Engine 9.0++ SR-4 32/64-bit program http://www.start64.com/index.p...

    1. Re: Nobody builds hosts better than Apk by Anonymous Coward · · Score: 0

      9.0++ SR-4? What kind of fucked up versioning system is that?

    2. Re: Nobody builds hosts better than Apk by Anonymous Coward · · Score: 0

      Answer is it's better than your non-existent one for your non-existent program. Take a read, learn something about yourself here http://it.slashdot.org/comment... that the rest of us already know about "your kind", lol! Know thyself first. Then perhaps you can comprehend the opponent the trolling likes of you could never get the better of in apk.

  17. They work better than addons and local dns by Anonymous Coward · · Score: 0

    For less resource consumption and do more than addons. No one builds a better one than apk in his APK Hosts File Engine 9.0++ SR-4 32/64-bit gets known threats from 10 reputable security community sites http://www.start64.com/index.p... and blocks them in the hosts file and speeds you up 2 ways in blocking ads better for way less resources in cpu and ram used in a faster mode of operation in kernelmode than addons do in usermode and stops tracking from sites and dns resolving ip addresses faster than remote dns with hostnames cached in local system memory with your favorite sites where you spend most of your time online at the top of hosts for the fastest possible hostname resolves to ip address and they're reversed dns verified using OpenDNS which is patched against the kaminsky redirect poisoning flaw, and it stops other issues dns has in redirect poisoning by avoiding dns for where you spend most of your time online in your favorite sites hardcoded into hosts at the top of it cached in memory.

    1. Re: They work better than addons and local dns by Anonymous Coward · · Score: 0

      Piss off, APK, and take your spam with you.

    2. Re: They work better than addons and local dns by Anonymous Coward · · Score: 0

      It's funny seeing trolls who had their asses handed to them by apk here constantly react the way you do. Especially MyAlternateID most of all the wannabe sidewalk shrink of slashdot. You can't take him on straight up technically so you have to resort to your name calling and off topic bullshit and you don't even realize how stupid you all look against him. Now, you do.

  18. Is ffmpeg -f another workaround? by Anonymous Coward · · Score: 0

    The -f option in ffmpeg explicitly chooses the input format, so I would think it would blow up with 'invalid data' if the -f is specified for a video file but there is an HLS header.

    -f fmt (input/output)
                    Force input or output file format. The format is normally auto detected for input files and guessed from the file extension for output files, so this option is not needed in most cases.

    For example, if you rename a webm file to an mp4 (reallywebm.mp4), just using ffprobe -i reallywebm.mp4 it returns the input what it really is (Input #0, matroska,webm, from 'reallywebm.mp4'). However, if you add the -f option: ffprobe -f -i reallywebm.mp4 it fails with "reallywebm.mp4: Invalid data found when processing input". So the input file wouldn't be accepted.

    Is this another workaround (that doesn't requiring rebuilding without HLS) or am I missing something?

  19. Christ by Anonymous Coward · · Score: 0

    Not again!

    1. Re:Christ by Anonymous Coward · · Score: 0

      Truth too much for you troll?

  20. -83 day !!! by Anonymous Coward · · Score: 1

    instead of contacting developers he:

    • 2015-10-22 talked about this on mail.ru security meetup
    • 2015-11-03 posted slides from meetup
    • 2016-01-12 posted detailed exploit instructions

    only then he contacted developers on 2016-01-13...

  21. What is the easiest way to detect malicious files? by Anonymous Coward · · Score: 0

    Lets assume your system is not affected by this. What's the easiest way to detect malicious files and be sure others won't be affected by it?

  22. But I thought open source software was perfect! by DutchUncle · · Score: 0

    And safe! And bugless! and . . . . .