#5992(avformat:new): Heap-overflow results in Remote Code Execution
#5992: Heap-overflow results in Remote Code Execution
----------------------------------+--------------------------------------
 Reporter:  paulch                |        Type:  defect
   Status:  new                   |    Priority:  critical
Component:  avformat              |     Version:  git-master
 Keywords:                        |  Blocked By:
 Blocking:                        |  Reproduced by developer:  0
                                  |  Analyzed by developer:  0
----------------------------------+--------------------------------------

'''Summary of the bug:'''

We managed to find and successfully exploit a critical security bug in libavformat/http.c that results in Remote Code Execution in the latest version of FFmpeg.

'''Prerequisites:'''

The attacker has to reproduce an SSRF bug and send an HTTP request to his remote host. There are multiple ways of doing this, already described all over the Internet. (For example, you can trigger SSRF using HLS playlists or the way I described earlier in this [https://trac.ffmpeg.org/ticket/5991#ticket ticket].)

'''Overview:'''

libavformat/http.c supports different types of HTTP responses, one of them being "Transfer-Encoding: chunked". Because the [https://github.com/FFmpeg/FFmpeg/blob/1f5630af51f24d79053b6bef5b8b3ba93d6373... "int64_t"] type is used to store the size of the chunk and the [https://github.com/FFmpeg/FFmpeg/blob/1f5630af51f24d79053b6bef5b8b3ba93d6373... strtoll] function to parse the value of the next chunk size, it is possible to pass a negative value, and it will be successfully stored in the chunksize variable. Later the FFMIN [https://github.com/FFmpeg/FFmpeg/blob/1f5630af51f24d79053b6bef5b8b3ba93d6373... function] is used to determine the final size of the chunk; it now turns negative and is passed to the [https://github.com/FFmpeg/FFmpeg/blob/1f5630af51f24d79053b6bef5b8b3ba93d6373... http_buf_read] function. Inside the http_buf_read function our negative value is [https://github.com/FFmpeg/FFmpeg/blob/1f5630af51f24d79053b6bef5b8b3ba93d6373... assigned] to the len variable and passed as an argument to [https://github.com/FFmpeg/FFmpeg/blob/1f5630af51f24d79053b6bef5b8b3ba93d6373... memcpy], which results in a crash.

'''Steps to reproduce:'''

I am attaching a PoC file that reproduces the simple crash. Steps to reproduce the bug:
{{{
$ python http_poc.py &
$ ffmpeg -v trace -i "http://localhost:12345/1.avi" 1.avi
$ gdb -q ffmpeg_g
(gdb) r -v trace -i "http://localhost:12345/1.avi" 1.avi
}}}
I am also attaching the gdb stack-trace.

'''Recommended fix:'''

The best fix for that would be to completely rewrite the http parser, because some sneaky bugs can still be found there. A good example of an http parser can be found [https://github.com/nodejs/http-parser/blob/master/http_parser.c here]; it is implemented with a finite-state machine. But for now a simple quick fix could be making chunksize unsigned long long.

'''Final words:'''

Our team is planning to release the full exploit and a blogpost with full details on exploitation in 30 days or as soon as you patch the vulnerability. Contact me if you need more details on the vulnerability.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
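The following is an added example, not FFmpeg code and not part of the ticket. It models the chunk-size path the report describes (a signed int64_t filled by strtoll(), clipped with FFMIN() against the caller's read size, and handed to memcpy() as a length) next to a hardened parser, and returns the length that would reach memcpy() instead of copying anything. All function names (vulnerable_chunk_len, hardened_chunk_len, memcpy_len_of, CHUNK_BAD) are hypothetical, and the sample chunk-size lines in main() are constructed. The hardened version deliberately does more than the "unsigned long long" quick fix suggested above: strtoull() still accepts a leading '-' (the C standard has it negate the result), so "-1" would parse to ULLONG_MAX rather than be rejected; accepting hex digits only and checking for overflow explicitly closes that gap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (hypothetical names, not FFmpeg code). A chunk-size line
 * as sent by the server, the caller's read size, and the byte count that
 * would be passed on to memcpy(). */

#define FFMIN(a, b) ((a) > (b) ? (b) : (a))
#define CHUNK_BAD   (-1)   /* hardened parser: malformed or oversized size */

/* Vulnerable pattern: int64_t chunksize filled by strtoll(), which accepts
 * a leading '-'. "-80\r\n" gives chunksize = -128, and
 * FFMIN(read_size, -128) is -128, the value handed to memcpy() as the
 * length. Only that would-be length is returned; nothing is copied. */
int64_t vulnerable_chunk_len(const char *line, int read_size)
{
    int64_t chunksize = strtoll(line, NULL, 16);
    if (!chunksize)
        return 0;                                  /* last chunk */
    return FFMIN((int64_t)read_size, chunksize);   /* can go negative */
}

/* What memcpy() actually sees: the int length converts to size_t, so -1
 * becomes SIZE_MAX and the copy runs far past the heap buffer. */
size_t memcpy_len_of(int len)
{
    return (size_t)len;
}

/* Hardened pattern: accept hex digits only, accumulate into an unsigned
 * type with an explicit overflow check, reject everything strtoll() would
 * have silently tolerated (sign, leading whitespace, empty field, junk
 * after the digits other than a ';' chunk extension), and clamp to the
 * caller's buffer. Returns CHUNK_BAD on a malformed line, 0 on the last
 * chunk, otherwise the number of bytes that are safe to copy. */
int64_t hardened_chunk_len(const char *line, int read_size)
{
    uint64_t chunksize = 0;
    const char *p = line;
    int ndigits = 0;

    for (; *p; p++) {
        int d;
        if (*p >= '0' && *p <= '9')      d = *p - '0';
        else if (*p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else break;
        if (chunksize > (UINT64_MAX >> 4))
            return CHUNK_BAD;              /* next shift would overflow */
        chunksize = (chunksize << 4) | (uint64_t)d;
        ndigits++;
    }
    if (ndigits == 0)
        return CHUNK_BAD;                  /* "-1", "+5", " 5", "" */
    if (*p != '\0' && *p != '\r' && *p != '\n' && *p != ';')
        return CHUNK_BAD;                  /* e.g. "5x" */
    if (chunksize == 0)
        return 0;                          /* last chunk */
    if (read_size < 0)
        return CHUNK_BAD;
    if (chunksize < (uint64_t)read_size)
        return (int64_t)chunksize;
    return read_size;                      /* clamp; never negative */
}

int main(void)
{
    /* Constructed sample chunk-size lines (CRLF omitted for display). */
    const char *lines[] = { "10", "-80", "10;ext=1", "ffffffffffffffff",
                            "10000000000000000" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-18s vulnerable=%lld hardened=%lld\n", lines[i],
               (long long)vulnerable_chunk_len(lines[i], 4096),
               (long long)hardened_chunk_len(lines[i], 4096));
    return 0;
}
```

The vulnerable function reproduces the sign problem only; whether a given negative length crashes or silently corrupts memory depends on what follows the buffer, which is why the report's recommended fix is to change the type rather than to bound the value after the fact.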
#5992: Heap-overflow in http.c results in Remote Code Execution (comment:1, no comment text)

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992#comment:1>
#5992: Heap-overflow in http.c results in Remote Code Execution (comment:2)

Comment (by jamrial):

For future reference, please report vulnerabilities you find to ffmpeg-security@ffmpeg.org as mentioned in https://ffmpeg.org/security.html instead of posting them on this bug tracker.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992#comment:2>
#5992: Heap-overflow in http.c results in Remote Code Execution (comment:3)

Comment (by jamrial):

Replying to [ticket:5992 paulch]:
> Contact me if you need more details on the vulnerability.

Sending this information to the above email address nonetheless would also be appreciated.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992#comment:3>
#5992: Heap-overflow in http.c results in Remote Code Execution (comment:4)

Changes (by cehoyos):
 * keywords:  => http crash SIGSEGV
 * status:  new => open
 * reproduced:  0 => 1

Comment:

Replying to [ticket:5992 paulch]:
> But for now a simple quick fix could be making chunksize unsigned long long.

I believe all valid bug reports on this bug tracker are very much appreciated, no matter if security relevant or not, but I don't understand why you didn't send a patch with this change to the development mailing list.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992#comment:4>
#5992: Heap-overflow in http.c results in Remote Code Execution (comment:5)

Comment (by paulch):

Thanks for your feedback. All future bug reports will be submitted to ffmpeg-security@ffmpeg.org. Patches have already been proposed by FFmpeg developers and reviewed by our team. Thank you.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992#comment:5>
#5992: Heap-overflow in http.c results in Remote Code Execution (comment:6)

Changes (by cehoyos):
 * status:  open => closed
 * resolution:  => fixed

Comment:

Fixed by Ronald in 2a05c8f813de6f2278827734bf8102291e7484aa.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/5992#comment:6>