Most active commenters
  • brigade(5)
  • dpe82(4)
  • IshKebab(3)
  • ls612(3)

←back to thread

FFmpeg dealing with a security researcher

(twitter.com)
104 points trollied | 28 comments | 01 Nov 25 20:59 UTC | HN request time: 0.437s | source | bottom
Show context
vqtska ◴[01 Nov 25 21:48 UTC] No.45785720[source]
I wonder if this vulnerable codec is enabled by default when building FFmpeg? Because if so, then it doesn't matter that it's a "1990s game codec" because any application using FFmpeg to accept arbitrary video files is vulnerable to memory corruption, which should probably be taken more seriously.
replies(4): >>45785760 #>>45785825 #>>45786027 #>>45786093 #
1. IshKebab ◴[01 Nov 25 22:40 UTC] No.45786093[source]
I checked with Ubuntu's ffmpeg and it is enabled by default. There are a huge list of codecs enabled by default (maybe all of them?). Given the security track record of codecs implemented in C, this means it's basically guaranteed that there are dozens of security vulnerabilities in ffmpeg.

I think the same is probably true for VLC to a lesser extent, which is pretty wild considering I've never heard of it being used as an attack vector, e.g. via torrents.

replies(3): >>45786299 #>>45787464 #>>45791239 #
2. haskellshill ◴[01 Nov 25 23:04 UTC] No.45786299[source]
VLC is pretty popular on windows, but ffmpeg? Is there any commonly used windows app that relies on it? I doubt it'd be worth one's time to write exploits for desktop linux
replies(5): >>45786332 #>>45788108 #>>45788182 #>>45788671 #>>45790151 #
3. michaelt ◴[01 Nov 25 23:09 UTC] No.45786332[source]
Depends if any important websites are re-compressing user-uploaded videos. If there's a website converting user-uploaded gifs to mp4 to save on bandwidth or something, I wouldn't be surprised if they used ffmpeg to do it.
4. ls612 ◴[02 Nov 25 02:41 UTC] No.45787464[source]
I think that the x264 and hevc codecs are much more battle tested and a 0day for them would be worth enough that nobody would bother using it on random torrenters.
replies(1): >>45788786 #
5. dpe82 ◴[02 Nov 25 05:55 UTC] No.45788108[source]
VLC and ffmpeg share the same underlying library family (libav*) where this vulnerability lives.

> I doubt it'd be worth one's time to write exploits for desktop Linux

How many developers, network administrators, etc. run desktop Linux? Gaining access to those can be very, very valuable.

replies(1): >>45788198 #
6. godelski ◴[02 Nov 25 06:17 UTC] No.45788182[source]

  > VLC is pretty popular on windows, but ffmpeg?
I'm pretty confident VLC uses libavcodec

  > Is there any commonly used windows app that relies on it?
A lot of stuff uses libavcodec
replies(1): >>45790136 #
7. brigade ◴[02 Nov 25 06:22 UTC] No.45788198{3}[source]
FFmpeg based players have been popular for 20 years now. Has there been a single documented actual use of their libraries as the exploitation vector anytime in the last two decades?
replies(2): >>45788461 #>>45788771 #
8. dpe82 ◴[02 Nov 25 07:19 UTC] No.45788461{4}[source]
I'm certain it's happened but since I don't have one off the top of my head I'll instead point out a related issue: https://en.wikipedia.org/wiki/Stagefright_(bug)

It's worth pointing out that many, many, many things use the libav* library family.

replies(1): >>45791047 #
9. heavyset_go ◴[02 Nov 25 08:12 UTC] No.45788671[source]
ffmpeg is deployed everywhere, and old versions of ffmpeg are baked into a lot of devices.

If you have a device that does image, audio or video, libav and/or ffmpeg is likely somewhere in the stack. Your TV, camera, console or streaming device might use the software.

If you're using SaaS that does image, audio or video, they are likely using ffmpeg related software somewhere in their stack.

Same thing with apps, Android and iOS apps might use the libraries, as well as desktop apps.

10. dns_snek ◴[02 Nov 25 08:36 UTC] No.45788771{4}[source]
Does this count?

https://signal.org/blog/cellebrite-vulnerabilities/

> Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

But it was a product using a 9 year old ffmpeg build (at the time).

replies(2): >>45791209 #>>45791264 #
11. IshKebab ◴[02 Nov 25 08:39 UTC] No.45788786[source]
But you don't need to use a popular codec, because all codecs are enabled by default.
replies(1): >>45791078 #
12. ◴[02 Nov 25 13:23 UTC] No.45790136{3}[source]
13. Sophira ◴[02 Nov 25 13:24 UTC] No.45790151[source]
Yes, lots. To name an example, yt-dip uses it on all platforms, including Windows, which means that any video downloader front-end that uses it also uses FFmpeg.
replies(1): >>45802576 #
14. brigade ◴[02 Nov 25 15:34 UTC] No.45791047{5}[source]
Yes, I know that multimedia/image vulnerabilities are popular vectors for zero-click attacks. My point is that desktop players are not a vector for zero-click attacks, and ffmpeg has not generally been used in end-user situations that are targets of zero-click or drive-by attacks. Mostly because of the license, but still.

If the exploit chain involves the user downloading and opening a file, something like >99% of the time the next step already involves executable code (or Office macros), which makes any ffmpeg vuln completely useless.

replies(2): >>45792508 #>>45792826 #
15. ls612 ◴[02 Nov 25 15:38 UTC] No.45791078{3}[source]
Yeah but most public trackers will give lots of side eye to torrents that contain an mkv that isn’t in one of those two formats.
replies(1): >>45793595 #
16. brigade ◴[02 Nov 25 15:53 UTC] No.45791209{5}[source]
I'd still consider that an academic exercise rather than an exploit that was deployed in the real world (aka against a machine the attacker did not control)
replies(1): >>45794162 #
17. hulitu ◴[02 Nov 25 15:59 UTC] No.45791239[source]
> Given the security track record of codecs implemented in C, this means it's basically guaranteed that there are dozens of security vulnerabilities in ffmpeg.

Or in, you know, external libraries. Maybe ffmeg shall be run with sanitized input (and not from a "web page" ) ? Just saying

18. hulitu ◴[02 Nov 25 16:03 UTC] No.45791264{5}[source]
> Does this count?

If Signal relies on ffmpeg to play videos instead of an externall app, i would say it is broken by design.

19. dpe82 ◴[02 Nov 25 18:55 UTC] No.45792508{6}[source]
Chrome uses ffmpeg's underlying libraries.

It's used way, way more than you think.

replies(1): >>45793149 #
20. phil21 ◴[02 Nov 25 19:43 UTC] No.45792826{6}[source]
In a past life as a managed hosting provider ffmpeg exploits were used to gain access to systems.

It’s used for pretty much any platform you can upload video to. Some places far more competently than others.

replies(1): >>45793164 #
21. brigade ◴[02 Nov 25 20:30 UTC] No.45793149{7}[source]
Yes, I’m quite familiar with that. Chrome is why I added the “generally” qualifier.

And to the best of my knowledge, there has not been any in-the-wild exploit against Chrome through the handful of ffmpeg codecs they enable. Not even pwn2own type competitions either, as I recall.

replies(1): >>45794298 #
22. brigade ◴[02 Nov 25 20:31 UTC] No.45793164{7}[source]
See, I’d be interested in any actual evidence/writeups of that in the wild.
replies(1): >>45795030 #
23. IshKebab ◴[02 Nov 25 21:27 UTC] No.45793595{4}[source]
Really? You think trackers download files and analyse their contents before listing them? I don't.
replies(1): >>45794519 #
24. renewiltord ◴[02 Nov 25 22:54 UTC] No.45794162{6}[source]
Yeah, that’s just how life is. We used to run with Heartbleed and Spectre turned off.
25. dpe82 ◴[02 Nov 25 23:20 UTC] No.45794298{8}[source]
I guess I'm confused - are you trying to imply the lack of a thorough, publicly reported successful exploit (or us just not casually giving you one that you care about) means that we're all released from the responsibility of taking potential exploits seriously?
26. ls612 ◴[02 Nov 25 23:58 UTC] No.45794519{5}[source]
TPB? No. But 1337 and rutracker definitely do basic quality control. Nothing like a private tracker but they take down things like .mkv.lnk and similar.
27. bawolff ◴[03 Nov 25 01:26 UTC] No.45795030{8}[source]
In fairness, i dont think the majority of actual exploits used in the wild get writeups.

Budget web host using outdated software getting hacked because they havent updated in 2 years isn't exactly all that interesting of a blog post even if the victim knows enough to figure out what happened.

28. Sophira ◴[03 Nov 25 18:36 UTC] No.45802576{3}[source]
...I mean "yt-dlp", of course. Phone autocorrected >_<