Hi

On Wed, Feb 05, 2025 at 07:41:39PM +0100, Michael Niedermayer wrote:
> Hi Kacper
>
> On Tue, Feb 04, 2025 at 12:45:14PM +0100, Kacper Michajlow wrote:
> [...]
> > security benefits. I get it. Someone needed to hit their KPI by
> > submitting CVEs, and they found a marginally applicable case of a
> > highly unrealistic attack scenario.
>
> I think you misjudge the (un)realism of this attack
>
> prior to the patches, I can give you an m3u8 file and it will store
> any local file in the output video
>
> This is not even just a matter of video streaming services,
> With a bit of social engineering you can likely get people to
> do that.
> "Hey I found this odd file that encodes to different gibberish
> on each machine, I am an artist, doing an art project, can you
> just quickly reencode this and send me the mkv it generates ?"
>
> Who would think that above will effectively give the attacker full
> access to your machine. unless you run this in a sandbox that has
> no access to sensitive files

I've tried to write an exploit for this and luckily it is not that simple.

We can use data:// to feed both data and extension to force a demuxer of our choice to be used
We can use crypto: to encrypt the extracted data so the user has no clue what is extracted
And we don't need to have any probe succeed on the file we read.
The tty_extensions check also is not helping as it is not run on the target

I can read any file but only if it has an extension on the allowed_extensions list
or allowed_extensions is set to ALL.

This makes this luckily indeed difficult to exploit, I failed to find a way to bypass this.
But there are several close ones
concatdec uses data:// if we open it that way
file:// is subject to the allowed_extensions check
other things like references in other demuxers I have not tried

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an approximation.
Benchmarking OTOH is finding an approximation of the exact
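
An added example, not part of the original message and not FFmpeg code: a pre-flight audit that a service accepting untrusted m3u8 playlists could run before handing them to a transcoder, rejecting the URL schemes and extensions discussed above. The scheme and extension allow lists, the function names and the sample playlist are assumptions made for this sketch.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed local policy for this sketch, not FFmpeg's defaults.
ALLOWED_SCHEMES = {"", "http", "https"}      # "" means relative to the playlist
ALLOWED_EXTENSIONS = {"ts", "m4s", "mp4", "aac", "m3u8"}
URI_ATTR = re.compile(r'URI="([^"]*)"')      # URIs carried inside tags (keys, maps)

# Constructed sample playlist for demonstration.
SAMPLE = """\
#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="file:///home/user/key.bin"
#EXTINF:10,
seg0.ts
#EXTINF:10,
data:text/plain;base64,AAAA
#EXTINF:10,
../private/clip.ts
#EXTINF:10,
seg3.txt
"""

def playlist_uris(text):
    """Yield (line_no, uri) for segment lines and URI="..." tag attributes."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            for m in URI_ATTR.finditer(line):
                yield no, m.group(1)
        elif line:
            yield no, line

def check_uri(uri):
    """Return a rejection reason, or None if the URI passes the policy."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:        # file:, data:, crypto:, ...
        return f"scheme '{scheme}' not allowed"
    path = PurePosixPath(parts.path)
    if not scheme and (parts.netloc or path.is_absolute() or ".." in path.parts):
        return "path escapes playlist directory"
    ext = path.suffix.lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension '{ext}' not allowed"
    return None

def audit_playlist(text):
    return [(no, uri, r) for no, uri in playlist_uris(text) if (r := check_uri(uri))]
```

Running `audit_playlist(SAMPLE)` returns one finding per rejected reference with its line number, so the whole playlist can be refused before any input is opened.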