Recently, WhiteHat announced an FFmpeg vulnerability on HackerOne. The vulnerability uses FFmpeg's HLS playlist handling to expose local files. The PoC has been published, and the security risk level is high. To keep services running normally and prevent data leaks, check for the vulnerability and upgrade the software as soon as possible.
FFmpeg is a free multimedia framework that supports recording, conversion, and streaming of audio and video in multiple formats. It allows users to access almost all video formats, such as .mkv, .flv, and .mov. FFmpeg is supported by VLC Media Player and Google Chrome.
See the following for more information about the vulnerability.
FFmpeg arbitrary file read vulnerability
FFmpeg can handle HLS playlists, which contain references to external files. Attackers can use the GAB2 caption block in a crafted .avi file: they upload the .avi video to a target site that uses FFmpeg, and then use the XBIN codec to obtain a local file from the video conversion website. For example, the attacker may view the content of the /etc/passwd file, causing a leak of sensitive data.
Condition and method of exploitation
- FFmpeg 2.6.8
- FFmpeg 3.2.2
- FFmpeg 3.2.5
Check whether any affected version is used.
How to fix or mitigate
The latest version is 3.3.2. We recommend that you upgrade the software to the latest version.
Add unsafe protocol types, such as file://, to the blacklist to prevent high-risk files from being read.
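The blacklist idea can also be applied before a file ever reaches FFmpeg. The following pre-screen for uploads is an added example, not code from the advisory or from FFmpeg; the function name, the blocklist contents beyond file, and the sample bytes are assumptions. It is a byte-level heuristic and does not replace upgrading.

```python
import re

# Scheme blocklist. "file" is the one named in the advisory; extend it to
# match the protocols your FFmpeg build enables (assumption: site policy).
BLOCKED_SCHEMES = {"file"}

HLS_MAGIC = b"#EXTM3U"
# A URI scheme at the start of a playlist line, or right after URI=" in a tag.
SCHEME_RE = re.compile(rb'(?:^|URI=")\s*([A-Za-z][A-Za-z0-9+.-]*):', re.MULTILINE)


def scan_upload(data: bytes, declared_ext: str) -> list:
    """Return findings for one uploaded media file (empty list = clean)."""
    findings = []
    pos = data.find(HLS_MAGIC)
    if pos == -1:
        return findings
    # The advisory describes a crafted .avi that relies on HLS playlist
    # handling, so a playlist header inside a non-playlist upload is suspect.
    if declared_ext.lower() not in (".m3u8", ".m3u"):
        findings.append(f"HLS playlist header at offset {pos} in {declared_ext} upload")
    # Inspect only the text after the header, up to the first NUL byte.
    body = data[pos:].split(b"\x00", 1)[0]
    for match in SCHEME_RE.finditer(body):
        scheme = match.group(1).decode("ascii").lower()
        if scheme in BLOCKED_SCHEMES:
            findings.append(f"playlist references blocked scheme {scheme}://")
    return findings


# Constructed samples (not real media): an AVI-like blob with an embedded
# playlist, a plain HTTPS playlist, and a blob with no playlist at all.
EMBEDDED = (b"RIFF\x00\x00\x00\x00AVI GAB2\x00"
            b"#EXTM3U\n#EXTINF:1.0,\nfile:///placeholder/path\n#EXT-X-ENDLIST\n\x00")
REMOTE = b"#EXTM3U\n#EXTINF:4.0,\nhttps://cdn.example.com/seg0.ts\n#EXT-X-ENDLIST\n"
PLAIN = b"RIFF\x00\x00\x00\x00AVI LIST\x00\x00"

if __name__ == "__main__":
    for name, blob, ext in (("embedded", EMBEDDED, ".avi"),
                            ("remote", REMOTE, ".m3u8"),
                            ("plain", PLAIN, ".avi")):
        print(name, scan_upload(blob, ext) or "clean")
```

Reject or quarantine any upload with findings instead of passing it to the conversion job.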