Heap-overflow in http.c results Remote Code Execution
Reported by: Paul Ch
Owned by:
Version: git-master
Keywords: http crash SIGSEGV
Blocking:
Reproduced by developer: yes
Analyzed by developer: no
Summary of the bug:
We managed to find and successfully exploit a critical security bug in libavformat/http.c that results in Remote Code Execution in the latest version of FFmpeg.
An attacker has to reproduce an SSRF bug and send an HTTP request to his remote host. There are multiple ways of doing this, already described all over the Internet (for example, you can trigger SSRF using HLS playlists, or the way I described earlier in this ticket).
libavformat/http.c supports different types of HTTP responses, one of them being "Transfer-Encoding: chunked". Because the int64_t type is used to store the size of the chunk and the strtoll function is used to parse the value of the next chunk size, it is possible to pass a negative value, and it will be successfully stored in the chunksize variable. Later the FFMIN function is used to determine the final size of the chunk, which now turns negative, and it is passed to the http_buf_read function. Inside http_buf_read our negative value is assigned to the len variable and passed as an argument to memcpy, which results in a crash.
Steps to reproduce:
I am attaching a PoC file that reproduces the simple crash. Steps to reproduce the bug:
$ python http_poc.py &
$ ffmpeg -v trace -i "http://localhost:12345/1.avi" 1.avi
$ gdb -q ffmpeg_g
(gdb) r -v trace -i "http://localhost:12345/1.avi" 1.avi
I am also attaching the gdb stack trace.
The best fix for that would be to completely rewrite the http parser, because some sneaky bugs can still be found there. A good example of an http parser can be found here; it is implemented with a finite-state machine.
But for now a simple quick fix could be making chunksize unsigned long long.
Our team is planning to release a full exploit and a blog post with full details on exploitation in 30 days or as soon as you patch the vulnerability.
Contact me if you need more details on the vulnerability.
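The chunk-size parsing flaw described in this ticket, placed beside a validating parser that rejects a sign, rejects overflow and clamps to the read buffer. This is an added example, not FFmpeg's http.c or the reporter's PoC; the function names, BUF_SIZE and the local FFMIN macro are assumptions made for the illustration.

```c
/* Added example, not FFmpeg code: the unchecked chunk-size parse from the
 * ticket beside a validating parser. Function names are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>

#define BUF_SIZE 4096                       /* assumed read buffer size */
#define FFMIN(a, b) ((a) > (b) ? (b) : (a)) /* local stand-in for FFmpeg's macro */

/* Mirrors the flawed logic: strtoll accepts a leading '-', so a size line such
 * as "-1\r\n" yields a negative chunksize, and FFMIN keeps that negative value
 * as the read length. Converted to memcpy's size_t parameter it becomes a
 * huge count. Returns the length that would reach memcpy. */
int64_t unchecked_read_len(const char *chunk_line)
{
    int64_t chunksize = strtoll(chunk_line, NULL, 16);
    return FFMIN(chunksize, (int64_t)BUF_SIZE);
}

/* Validating parser: hex digits only (no sign, no whitespace), overflow
 * checked before each shift, result bounded by the caller's buffer.
 * Returns -1 for any malformed size line. */
int64_t checked_read_len(const char *chunk_line, size_t buf_size)
{
    const char *p = chunk_line;
    uint64_t value = 0;
    int digits = 0;

    while (isxdigit((unsigned char)*p)) {
        int d = isdigit((unsigned char)*p) ? *p - '0'
                                           : tolower((unsigned char)*p) - 'a' + 10;
        if (value > (UINT64_MAX >> 4))  /* the next shift would overflow */
            return -1;
        value = (value << 4) | (uint64_t)d;
        p++;
        digits++;
    }
    if (digits == 0)                    /* empty size field, or a leading '-' */
        return -1;
    /* Only a chunk extension (";...") or the line end may follow the digits. */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return -1;
    if (value > (uint64_t)INT64_MAX)     /* would go negative as int64_t */
        return -1;
    /* Clamp to the available buffer; the result is never negative. */
    return (int64_t)(value < buf_size ? value : buf_size);
}
```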
Change History (8)
comment:1 by , 6 years ago
Summary: Heap-overflow results Remote Code Execution → Heap-overflow in http.c results Remote Code Execution
follow-up: 5 comment:4 by , 6 years ago
Keywords: http crash SIGSEGV added
Reproduced by developer: set
Status: new → open