Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely

prisoninmate writes: A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, has been discovered recently by Russian programmer Maxim Andreev in the current stable builds of the software. It appears to let anyone with the necessary skills hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file. Arch Linux devs already rebuilt their FFmpeg packages without the AppleHTTP and HLS demuxers.

Very wide impact.

[Anonymous+Psychopath]

Ffmpeg is used in some capacity in just about every video application I can think of. VLC, Kodi/XBMC, MythTV, Handbrake, Plex...

Re:Very wide impact.

[QuantumReality]

And in Google Chrome, because i compiled it myself for Chromium

Re:Very wide impact.

Even worse, Firefox can use FFMPEG for playing HTML5 Video.

I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to migrate the vulnerability until a fix comes along.

Re:Very wide impact.

[dissy]

I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to migrate the vulnerability until a fix comes along.

The article suggests a mitigation, however it sounds like it may just be easier to remove the package until your upstream provides updates...

James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.
It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

A commenter in the arch bug report listing also says:

Btw, one could also do --disable-demuxer='hls,applehttp', but rebuilding without network support looks like a more robust solution for now (until the issue is inspected and fixed upstream).

https://bugs.archlinux.org/tas...

My understanding is the specific bug reported in russian is exploited via HLS, however it is unconfirmed if the same method could be used and exploited in other network stream demuxers yet.

Re:Very wide impact.

[fluffernutter]

But the question is, how easy is it to end up playing a 'specially crafted file' if you're playing video in VLC or Kodi? I mean, understood that any website could have an ad video that plays and opens up this connection but what is the reality of the risk for standalone players?

Re:Very wide impact.

[110010001000]

Any video file that you torrent could now open you up for risk. That means about 99% of Kodi users.

Re:Very wide impact.

[squiggleslash]

OTOH it's installed in far fewer places than people think. A hell of a lot of installations are of libav, where the CLI interface avconv has been softlinked with ffmpeg as an alias.

Given the shared heritage between the two, I'd be curious to know whether the vulnerabilities are in both avconv and "original" ffmpeg.

Re:Very wide impact.

[adamantine.me]

Yup, and I have multiple machines that use these services... Uh oh.

Re:Very wide impact.

[dryeo]

https://lists.libav.org/piperm... points to some worries.

Does libav have it too?

Does ffmpegs fork have the bug as well?

Re: why so hung up about arch?

Don't gentoo users choose their own build settings / features by default? What do you want the article to say? "Most gentoo users probably have the problem fixed by themselves already too but we don't really know?"

That's the sound

[the_skywise]

of millions of devleopers and users screaming in terror all at once...

I feel something terrible has happened...

Re:That's the sound

[invictusvoyd]

How does the attacker gain access to the compromised machine .

FFmpegd

Don't worry, Lennart is busy trying to absorb FFmpeg into systemd. Once there's some Poettering shitcode in FFmpeg, it'll cease to work at all and the vulnerability will have been neutralized.

Re:FFmpegd

[rubycodez]

no, upon fault the Poettering systemd FFmpeg code will go backwards, playing the movie to the start, reset all audio settings to default, and then double-clicking the movie file in your gui to replay it again

Re:FFmpegd

[vel-ex-tech]

Note to self: prepare to add media-video/ffmpeg to the Anti-Lennartware section of /etc/paludis/package_mask.conf!

(Disclaimer: I haven't used systemd yet, kind of been meaning to so I can also play around with KVM at the same time, but I completely believe the horror stories based on my experience with pulseaudio.)

Re:FFmpegd

[vel-ex-tech]

Heh.

That gives me an idea, though. What about a setting that plays back movies in Momento style? Maybe some kind of heuristic to determine where scenes start and end?

Re:FFmpegd

[sims+2]

I think you meant http://www.imdb.com/title/tt02...

That imdb link is to a 5 minute short.

Re:FFmpegd

[caseih]

I've had systemd running on my linux machines for years now. Just seems to work and I am much happier to create a simple ini file to start a custom daemon than to mess with horrid, buggy, complex, and fragile init scripts.

Re:FFmpegd

[vel-ex-tech]

It works pretty well for me at least. I don't use Exherbo's repos, but I've found paludis' correctness, while aggravating at time, to at least be correct in that it doesn't break my system in the weird ways Gentoo portage does.

If you have a Gentoo box for 3 or 4 years, eventually it'll get weirdly broken with emerge. That's why I even sought out paludis.

Re:FFmpegd

[Bert64]

I have gentoo boxes which are more than 10 years old, so long as you regularly update emerge you don't have any major problems... If you leave it for a long time, then do an emerge sync things do get broken because the installed version of portage won't support the newly synced ebuilds.

Now this. This is news!

[sims+2]

This is news! A new critical zero-day vulnerability affecting millions of computers.

And here we thought drm free video files were safe.

Whelp another good reason to have a decent firewall.

Re:Now this. This is news!

[Anonymous+Psychopath]

Whelp another good reason to have a decent firewall.

Once you put a malformed video file on a system with a vulnerable ffmpeg, and ffmpeg is used to access the file, it makes an outbound connection. Most firewalls are configured to happily pass along anything originated from the inside network.

Re:Now this. This is news!

[suutar]

a well-and-paranoidly-configured firewall, then :)

Re:Now this. This is news!

[sims+2]

Personally I don't like tinywall because it doesn't ask me about everything like zonealarm did but its a fraction of the size. I have vlc installed but I have never used it for streaming as such its has never been given permission through the local firewall. But yes if you use it to stream video you would most likely have it set to always allow. I don't know widely used it is for streaming but I personally haven't used it to stream video in the last what 5 years or so.

And yes this requires the user to at minimum be able to recognize that vlc.exe does not require internet access to play a local file.

Its like UAC Its completely useless if you click allow to everything. But UAC is so naggy on the default setting that everyone always clicks yes Every time you turn a computer on that's been off for about a week BING do you want to allow jucheck.exe to make changes to your computer? (hell no! but thanks for reminding me to disable java's auto updater) damn adware installing auto updater.

I always click no if a uac prompt takes over my screen if its that friggin important ill run the program again with admin rights. Mostly its just auto updaters that think they ought to be able to do anything they like. *I am looking at you Google newer is always better chrome.*

Re:Now this. This is news!

[drooling-dog]

Yet another reason to block this crap at the hosts file. And to update it frequently.

Re:Now this. This is news!

[Bert64]

Works fine if you also disable DNS and then only add hosts you actually want to access to the hosts file.

Re:Now this. This is news!

[Anonymous+Psychopath]

There are just some small scalability issues involved in that process.

Re:Now this. This is news!

[Anonymous+Psychopath]

None at all using what does the job for you http://it.slashdot.org/comment...

I couldn't see where the app you referenced sources its block list, but I believe what I use (pfBlockerNG) is probably better.

I maintain that scalability is a big issue you aren't addressing. It's probably fine and certainly better than nothing for one or two Windows desktops, but what about even a small SOHO network that could contain any combination of desktop, mobile, and server operating systems, not to mention embedded devices that may include ffmpeg, like smart TVs and NAS boxes?

Re:Sounds Harmless, But You're Wrong

I have ffmpeg installed on Windows. I don't believe Windows uses it in any way, except when I launch it manually to convert a file. Am I still at risk (even when I don't choose to open a malicious file)?

WTF

[edittard]

Submitted by prisoninmate. Presumably he's in for crimes against the English language.

He's certainly familiar with really long sentences.

Thank you

[AHuxley]

To the people who found this wide and deep issue.
Any news to who could be using the ability to create and track media files in the wild?
Time to alter the out going software firewall :)

Re:why so hung up about arch?

[WarJolt]

Neither does Ubuntu, since everyone uses libav instead.

Re:Sounds Harmless, But You're Wrong

[sims+2]

Media player classic on windows uses ffdshow which makes use of ffmpeg. Iirc mplayer also uses ffmpeg. But they are not the only ones a lot of video players rely on ffmpeg on the back end.

Re: why so hung up about arch?

[behrooz0az]

You thought correctly.
Arch users can choose to build packages themselves using AUR that has multiple GUI/CLI frontends like yaourt or pacmanxg. but it's not a mess like debain apt-build and actually integrates well with the standard pacman system.

Hosting conversion software

[mcrbids]

We use ffmpeg to process video files uploaded by customers. We'll be patching our app first thing in the morning. This is a big deal for us.

Re: Hosting conversion software

Why are you building with network support for that use-case?

Re:why so hung up about arch?

[dryeo]

Libav seems to be reacting to this as well with a quick fix to blacklist HTTP in HLS. Whether the same vulnerability or a different one I don't know.
https://lists.libav.org/piperm...

Re:why so hung up about arch?

[Tighe_L]

By default Gentoo doesn't use FFMPEG, but the craptastic fork avlib. I wish that the developers of avlib many ills for ruining everything with their dman fork.

Re: why so hung up about arch?

[DanZ23]

Right? With all these cores, world compiles quickly.

Re:why so hung up about arch?

[dryeo]

While Michael did resign as official leader, he is still very involved and seems to be defacto leader.
Watching the split was like watching a couple where you're friends with both going through a messy breakup. You can see both sides but don't want to take sides as they both have a point. In FFmpeg vs libav, it was mostly a conflict about the workflow. It was kind of disgusting how the (future) libav developers handled things, namely trying to hijack FFmpeg during the move to git.

-83 day !!!

instead of contacting developers he:

• 2015-10-22 talked about this on mail.ru security meetup
• 2015-11-03 posted slides from meetup
• 2016-01-12 posted detailed exploit instructions

only then he contacted developers on 2016-01-13...