
[Vulnerability notice] Arbitrary file read vulnerability in FFmpeg

Last Updated: Apr 02, 2018

Recently, WhiteHat announced an FFmpeg vulnerability on HackerOne. The vulnerability abuses FFmpeg's HLS playlist handling to expose local files. The PoC has been published, and the security risk level is high. To keep services running normally and prevent data leaks, check for the vulnerability and upgrade the software as soon as possible.

FFmpeg is a free multimedia framework that supports recording, conversion, and streaming of audio and video in multiple formats. It allows users to access almost all video formats, such as .mkv, .flv, and .mov. FFmpeg is supported by VLC Media Player and Google Chrome.

See the following for more information about the vulnerability.


CVE identifier

None

Vulnerability name

FFmpeg arbitrary file read vulnerability

Vulnerability rating

High

Vulnerability description

FFmpeg can process HLS playlists, which contain references to external files. An attacker can use the GAB2 caption block in a crafted .avi file, upload the .avi video to a target site that uses FFmpeg, and then use the XBIN codec to obtain a local file from the video conversion website. For example, the attacker may view the content of the /etc/passwd file, leaking sensitive data.

Condition and method of exploitation

Remote exploitation.

Affected scope

  • FFmpeg 2.6.8
  • FFmpeg 3.2.2
  • FFmpeg 3.2.5

Vulnerability detection

Check whether any affected version is used.
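
The version check described above, as an added example (not part of the original advisory): a POSIX shell script that parses the first line of `ffmpeg -version` and compares it with the affected releases and with 3.3.2, the release the advisory recommends. The function names, the `--local` switch and the `upgrade`/`unknown` labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an FFmpeg build against this advisory's version list.
AFFECTED="2.6.8 3.2.2 3.2.5"   # "Affected scope" in the advisory
FIXED="3.3.2"                  # release the advisory recommends

# Print X.Y or X.Y.Z from the first line of `ffmpeg -version`.
# Accepts an "n" tag prefix and distro suffixes such as "-1ubuntu1"; prints
# nothing for git snapshots ("N-86111-g...") that carry no release number.
ffmpeg_release() {
    printf '%s\n' "$1" | sed -n \
        's/^ffmpeg version n\{0,1\}\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p'
}

# Succeed when release $1 is older than release $2 (numeric, field by field,
# so 3.10 is newer than 3.3.2).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print one of: affected | upgrade | ok | unknown.
# "upgrade" (not listed, but older than FIXED) and "unknown" (no release
# number, check manually) are this example's own labels, not the advisory's.
classify_ffmpeg() {
    rel=$(ffmpeg_release "$1")
    if [ -z "$rel" ]; then echo unknown; return 0; fi
    for v in $AFFECTED; do
        if [ "$rel" = "$v" ]; then echo affected; return 0; fi
    done
    if version_lt "$rel" "$FIXED"; then echo upgrade; else echo ok; fi
}

# Check the locally installed binary only when asked: sh check_ffmpeg.sh --local
if [ "${1:-}" = "--local" ]; then
    classify_ffmpeg "$(ffmpeg -version 2>/dev/null | head -n 1)"
fi
```

An `unknown` result means the banner carried no release number, so the build has to be traced to its source revision by hand.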

How to fix or mitigate

  • The latest version is 3.3.2. We recommend that you upgrade the software to the latest version.

  • Add unsafe protocol types, such as file://, to the blacklist to prevent high-risk files from being read.

Reference

[1]. http://www.freebuf.com/vuls/138377.html
[2]. https://hackerone.com/reports/242831
