Re: [FFmpeg-devel] [PATCH 2/2] avformat/hls: .ts is always ok even if its a mov/mp4

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avformat/hls: .ts is always ok even if its a mov/mp4
Date: Thu, 6 Feb 2025 00:51:55 +0100
Message-ID: <20250205235155.GH4991@pb2> (raw)
In-Reply-To: <20250205184139.GD4991@pb2>

[-- Attachment #1.1: Type: text/plain, Size: 2115 bytes --]

Hi

On Wed, Feb 05, 2025 at 07:41:39PM +0100, Michael Niedermayer wrote:
> Hi Kacper
> 
> On Tue, Feb 04, 2025 at 12:45:14PM +0100, Kacper Michajlow wrote:
> [...]
> > security benefits. I get it. Someone needed to hit their KPI by
> > submitting CVEs, and they found a marginally applicable case of a
> > highly unrealistic attack scenario.
> 
> I think you mis judge the (un)realism of this attack
> 
> prior to the patches, i can give you a m3u8 file and it will store
> any local file in the output video
> 
> This is not even just a matter of video streaming services,
> With a bit of social engeneering you can likely get people to
> do that.
> "Hey i found this odd file that encodes to different gibberish
>  on each machien, iam an artist, doing an art project, can you
>  just quickly reencode this and send me the mkv it generates ?"
> 
> Who would think that above will effectively give the attacker full
> access to your machiene. unless you run this in a sandbox that has
> no access to sensitve files

Ive tried to write an exploit for this and luckily it is not
that simple.

We can use data:// to feed both data and extension to force a demuxer
of our choice to be used

We can use crypto: to encrypt the extracted data so the user has no clue
what is extracted

And we dont need to have any probe succeed on the file we read.
The tty_extensions check also is not helping as it is not run on the target

I can read any file but only if it has a extension on the allowed_extensions
list or allowed_extensions is set to ALL.
This makes this luckily indeed difficult to exploit, i failed to find a
way to bypass this. But there are several close ones
concatdec uses data:// if we open it that way
file:// is subject to teh allowed_extensions check
other things like references in other demuxers i have not tried

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".