Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Bug Open Source IT

Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely 72

prisoninmate writes: A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, has been discovered recently by Russian programmer Maxim Andreev in the current stable builds of the software. It appears to let anyone with the necessary skills hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file. Arch Linux devs already rebuilt their FFmpeg packages without the AppleHTTP and HLS demuxers.
This discussion has been archived. No new comments can be posted.

Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely

Comments Filter:
  • Very wide impact. (Score:5, Informative)

    by Anonymous Psychopath ( 18031 ) on Thursday January 14, 2016 @06:47PM (#51303793) Homepage

    Ffmpeg is used in some capacity in just about every video application I can think of. VLC, Kodi/XBMC, MythTV, Handbrake, Plex...

    • And in Google Chrome, because i compiled it myself for Chromium
    • by Anonymous Coward

      Even worse, Firefox can use FFMPEG for playing HTML5 Video.

      I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to migrate the vulnerability until a fix comes along.

      • Re:Very wide impact. (Score:5, Informative)

        by dissy ( 172727 ) on Thursday January 14, 2016 @08:14PM (#51304283)

        I think I'm going to remove the package until a new, fixed version comes out, or at least detailed information on how to migrate the vulnerability until a fix comes along.

        The article suggests a mitigation, however it sounds like it may just be easier to remove the package until your upstream provides updates...

        James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.
        It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

        A commenter in the arch bug report listing also says:

        Btw, one could also do --disable-demuxer='hls,applehttp', but rebuilding without network support looks like a more robust solution for now (until the issue is inspected and fixed upstream).

        https://bugs.archlinux.org/tas... [archlinux.org]

        My understanding is the specific bug reported in russian is exploited via HLS, however it is unconfirmed if the same method could be used and exploited in other network stream demuxers yet.

    • Re:Very wide impact. (Score:5, Interesting)

      by fluffernutter ( 1411889 ) on Thursday January 14, 2016 @09:05PM (#51304489)
      But the question is, how easy is it to end up playing a 'specially crafted file' if you're playing video in VLC or Kodi? I mean, understood that any website could have an ad video that plays and opens up this connection but what is the reality of the risk for standalone players?
    • OTOH it's installed in far fewer places than people think. A hell of a lot of installations are of libav, where the CLI interface avconv has been softlinked with ffmpeg as an alias.

      Given the shared heritage between the two, I'd be curious to know whether the vulnerabilities are in both avconv and "original" ffmpeg.

    • Yup, and I have multiple machines that use these services... Uh oh.
  • by Anonymous Coward

    Does ffmpegs fork have the bug as well?

  • of millions of devleopers and users screaming in terror all at once...

    I feel something terrible has happened...

  • FFmpegd (Score:2, Funny)

    by Anonymous Coward

    Don't worry, Lennart is busy trying to absorb FFmpeg into systemd. Once there's some Poettering shitcode in FFmpeg, it'll cease to work at all and the vulnerability will have been neutralized.

    • no, upon fault the Poettering systemd FFmpeg code will go backwards, playing the movie to the start, reset all audio settings to default, and then double-clicking the movie file in your gui to replay it again

    • Note to self: prepare to add media-video/ffmpeg to the Anti-Lennartware section of /etc/paludis/package_mask.conf!

      (Disclaimer: I haven't used systemd yet, kind of been meaning to so I can also play around with KVM at the same time, but I completely believe the horror stories based on my experience with pulseaudio.)

      • by caseih ( 160668 )

        I've had systemd running on my linux machines for years now. Just seems to work and I am much happier to create a simple ini file to start a custom daemon than to mess with horrid, buggy, complex, and fragile init scripts.

  • This is news! A new critical zero-day vulnerability affecting millions of computers.

    And here we thought drm free video files were safe.

    Whelp another good reason to have a decent firewall.

    • by Anonymous Psychopath ( 18031 ) on Thursday January 14, 2016 @07:12PM (#51303977) Homepage

      Whelp another good reason to have a decent firewall.

      Once you put a malformed video file on a system with a vulnerable ffmpeg, and ffmpeg is used to access the file, it makes an outbound connection. Most firewalls are configured to happily pass along anything originated from the inside network.

      • by suutar ( 1860506 )

        a well-and-paranoidly-configured firewall, then :)

      • by sims 2 ( 994794 )

        Personally I don't like tinywall because it doesn't ask me about everything like zonealarm did but its a fraction of the size. I have vlc installed but I have never used it for streaming as such its has never been given permission through the local firewall. But yes if you use it to stream video you would most likely have it set to always allow. I don't know widely used it is for streaming but I personally haven't used it to stream video in the last what 5 years or so.

        And yes this requires the user to at mi

      • Yet another reason to block this crap at the hosts file. And to update it frequently.

  • WTF (Score:5, Funny)

    by edittard ( 805475 ) on Thursday January 14, 2016 @07:21PM (#51304029)

    Submitted by prisoninmate. Presumably he's in for crimes against the English language.

    He's certainly familiar with really long sentences.

  • To the people who found this wide and deep issue.
    Any news to who could be using the ability to create and track media files in the wild?
    Time to alter the out going software firewall :)
  • by Anonymous Coward

    instead of contacting developers he:

    • 2015-10-22 talked about this on mail.ru security meetup
    • 2015-11-03 posted slides from meetup
    • 2016-01-12 posted detailed exploit instructions

    only then he contacted developers on 2016-01-13...

  • And safe! And bugless! and . . . . .

How many weeks are there in a light year?

Working...