Free Republic
Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines
Softpedia | Jan 13, 2016 22:03 GMT | Marius Nestor

Posted on 01/14/2016 7:18:26 PM PST by Utilizer

A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, was unveiled recently.

The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev in the current stable builds of the FFmpeg software, and it would appear that it allows anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.

The vulnerability is limited to reading local files and sending them over the network, not to remote code execution, but it's enough to do some damage. The FFmpeg developers are aware of the issue, and they are trying to patch it as we speak. James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.

(Excerpt) Read more at news.softpedia.com ...


TOPICS: Computers/Internet
KEYWORDS: filethreat; freebsd; linux; macos; mpeg; security; tickletickletickle; unix; vulnerability; windows; windowspinglist
FFmpeg vulnerability affecting several OSes, already patched in Arch Linux.

Linux coders and security pros are the best!

1 posted on 01/14/2016 7:18:26 PM PST by Utilizer

To: Utilizer

Already patched in SUSE.


2 posted on 01/14/2016 7:19:25 PM PST by steve86 (Prophecies of Maelmhaedhoc O'Morgair (Latin form: Malachy))

To: Utilizer

Thanks for posting...


3 posted on 01/14/2016 7:21:04 PM PST by Ghost of SVR4 (So many are so hopelessly dependent on the government that they will fight to protect it.)

To: steve86

Great news! Thanks. :)


4 posted on 01/14/2016 7:21:24 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Ghost of SVR4

No worries. :)


5 posted on 01/14/2016 7:22:43 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: All

Note that this affects 'nix, 'doze, and Mac machines, according to the article.


6 posted on 01/14/2016 7:24:38 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Utilizer

"...a specially crafted video file."

Disguised as free porn, no doubt. They won’t have any trouble getting guys to download it.


7 posted on 01/14/2016 7:46:54 PM PST by proxy_user

To: Swordmaker

FYI ping...


8 posted on 01/14/2016 7:48:00 PM PST by TXnMA ("Allah: Satan's current alias. "Obama": Allah's current ally...)

To: Utilizer; dayglored; ShadowAce; ThunderSleeps
If you are not using FFmpeg, you shouldn't be vulnerable to this exploit, because you wouldn't have the codecs needed to decode the files.

"FFmpeg is a free software project that produces libraries and programs for handling multimedia data. FFmpeg includes libavcodec, an audio/video codec library used by several other projects, libavformat, an audio/video container mux and demux library, and the ffmpeg command line program for transcoding multimedia files. FFmpeg is published under the GNU Lesser General Public License 2.1+ or GNU General Public License 2+ (depending on which options are enabled).

FFmpeg is developed under Linux, but it can be compiled under most operating systems, including Mac OS X, Microsoft Windows, as well as AmigaOS and its heir MorphOS. Most computing platforms and microprocessor instruction set architectures are also supported, like x86 (IA-32 and x86-64), PPC (PowerPC), ARM, DEC Alpha, SPARC, and MIPS."

Most Mac users are already well covered with players that handle any multimedia files they may run into, so they are unlikely to download another multimedia file handling system.

After reading the information on it, I don't believe I am going to even ping the Apple Ping list for this one. . . it's a pretty geeky thing. It requires an active decision to install a player or codec that utilizes this file format.

9 posted on 01/14/2016 7:58:12 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)

To: Utilizer
> Note that this affects 'nix, 'doze, and Mac machines, according to the article.

I think you missed something. From the first paragraph of the article:

"A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, was unveiled recently."

10 posted on 01/14/2016 8:01:49 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)

To: Swordmaker

Ah... “’doze” is coder-speak in certain circles for “Windows”, and I usually define it as such.

Cheers.


11 posted on 01/14/2016 8:04:51 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Swordmaker; Utilizer

Doze == Windows. I’ll ping it in the morning when I’m at my regular box.


12 posted on 01/14/2016 8:07:02 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Utilizer; dayglored
Sorry fellows, I have had a long day at work, and am pooped. Slipped right by me. I had left a new Mac doing a migration over night and a power failure in the storms exceeded the Uninterruptible Power Supply it was connected to, so re-migrating this morning had some REALLY interesting consequences I've never seen before. Apparently the interruption occurred at a VERY bad time. It resulted after the second migration with TWO copies of each user folder, but only one capable of being logged into; however, files were readable from both, but opening a file in the login user folder, it was saved to the non-login user folder, and vice versa. It played havoc with things like our bookkeeping software. It seemed to switch off every other time as to which one would be opened from the short-cut alias on the desktop of the bookkeeping software, so entries done the previous time opened would be missing on the next opening, but back on the second opening! It took some real noodling to figure out what kind of BLACK MAGIC was going on that would cause that . . . and why the email was totally screwed up in each user's folder.

Add to that that the second identical user folder from the failed, interrupted migration was INVISIBLE due to never completing the migration, but only visible via the Terminal. . . Fun. Apparently the file pointers were totally screwed up. . .

The solution was to delete both duplicate user folders AFTER I found the amazing invisible files, and re-migrate the users. . . but figuring out WHY there was a problem caused me to lose some hair which I prefer to keep on my head. Once that was done, everything was copacetic again.

I gotta say that the Fusion Drive on this new iMac is FAST! The Mac Boots from a cold state in about three seconds and opens a user in about two.

13 posted on 01/14/2016 8:48:39 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)

To: dayglored

Right, then. Take care. :)


14 posted on 01/14/2016 9:56:23 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Swordmaker

Sounds like an interesting day. Relax, and feel free to return to this thread when the thought next arrives. Might have more info and fixes in by tomorrow then.


15 posted on 01/14/2016 9:58:44 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: proxy_user

Already happening...


16 posted on 01/14/2016 10:52:57 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Utilizer
11-16-2015: "Firefox 43 to Use FFmpeg by Default on Linux":

http://news.softpedia.com/news/firefox-43-to-use-ffmpeg-by-default-on-linux-496213.shtml

17 posted on 01/14/2016 11:28:16 PM PST by TChad

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Ernest_at_the_Beach; ...

18 posted on 01/14/2016 11:50:13 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: Swordmaker; Utilizer; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; ...
Using the FFmpeg video decoder? Check this out ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to Swordmaker and Utilizer for the ping!!

19 posted on 01/15/2016 5:43:27 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

Thanks


20 posted on 01/15/2016 8:46:40 AM PST by GOPJ (Trump's living rent-free in Jeb's head - Trump's wearing a robe and comfy slippers. FlickLives)
