Opened 7 years ago

Closed 7 years ago

#5994 closed defect (fixed)

Heap-overflow in rtmppkt.c results Remote Code Execution

Reported by: Paul Ch Owned by:
Priority: critical Component: avformat
Version: git-master Keywords: rtmp crash regression
Cc: Blocked By:
Blocking: Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug:
We managed to find and successfully exploit critical security bug in libavformat/rtmppkt.c that results Remote Code Execution in latest version of FFmpeg.

Prerequisites:

  • Attacker has to reproduce SSRF bug and send RTMP request to his remote host. There are multiple ways of doing this already described all over the Internet. (For ex. you can trigger SSRF using HLS playlists or the way I described earlier in this ​ticket ).
  • For full exploitation knowledge of FFmpeg binary is required.

Overview:
Main issue is contained inside rtmp_packet_read_one_chunk function. Size of each packet is being read using AV_RB24 each time the packet has been received. If packet with such channel_id does not exist it creates new one using ff_rtmp_packet_create. Inside ff_rtmp_packet_create space gets allocated using av_realloc using size variable. Later toread value is computed which really means toread = FFMIN(value, 0x80) ) and passed to ffurl_read_complete function. If size value is still more than zero we have to read once more. Next time we can send another size value and it is not being checked that is different from the previous one, so more bytes have been read than size of the current packet.

Steps to reproduce:

I am attaching PoC file that reproduces the simple crash. Steps to reproduce bug:

$ python rtmp_poc.py &
$ ffmpeg -v trace -i rtmp://localhost:12345/
$ gdb -q ./ffmpeg_g
(gdb) r -v trace -i rtmp://localhost:12345/

I am also attaching gdb stack-trace.

Recommended fix:

Checking that the size has not been changed from one chunk to another would do it.

Final words:
Our team plans to release full exploit and blogpost with full details on exploitation in 30 days or as soon as you patch vulnerability.
Contact me if you need more details on vulnerability.

Attachments (2)

rtmp_gdb.txt (2.6 KB ) - added by Paul Ch 7 years ago.
gdb stack trace
rtmp_poc.py (1.3 KB ) - added by Carl Eugen Hoyos 7 years ago.
PoC

Download all attachments as: .zip

Change History (5)

by Paul Ch, 7 years ago

Attachment: rtmp_gdb.txt added

gdb stack trace

comment:1 by James, 7 years ago

Again, please, report vulnerabilities to ffmpeg-security@ffmpeg.org

comment:2 by Carl Eugen Hoyos, 7 years ago

Keywords: rtmp crash regression added
Reproduced by developer: set
Status: newopen

Regression since 4131a3cb.

by Carl Eugen Hoyos, 7 years ago

Attachment: rtmp_poc.py added

PoC

comment:3 by Carl Eugen Hoyos, 7 years ago

Resolution: fixed
Status: openclosed
Note: See TracTickets for help on using tickets.