Bug 1220545 (CVE-2023-6601)

Summary: VUL-0: CVE-2023-6601: ffmpeg,ffmpeg-4: HLS Unsafe File Extension Bypass
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: E-mail List <gnome-bugs>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gnome-bugs, stoyan.manolov, thomas.leroy
Version: unspecified
Flags: stoyan.manolov: needinfo? (gnome-bugs)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/395217/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6601:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-28 11:00:12 UTC
FFmpeg Findings 2023.12.01
Overview
Included in this document are five (5) bugs in the open-source package ffmpeg. Internal CVSS 3.1 scoring for these bugs ranges from 3.9 to 7.2. Attribution for these findings: Harvey Phillips of Amazon Element55 (element55@amazon.com).

If the recipient of this notice (secalert@redhat.com) has any questions regarding these findings, please do not hesitate to contact us at element55@amazon.com.


I. HLS Unsafe File Extension Bypass
Affected Versions: 2.0 (at least) → 6.0 (latest)

There is a commit upstream which prevents this issue by enforcing a file extension check on HLS playlists. Currently, this commit is not in any FFmpeg release branch (6.0 being the latest).

Suggested CVSS 3.1: 3.9 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Summary
An instance of FFmpeg that does not enforce an input format can be tricked into bypassing the unsafe file extension check.


Impact
This issue makes it possible to construct arbitrary inputs from multiple sources and trigger arbitrary demuxers, possibly leading to exfiltration of unintended data.


Description
HLS playlists can contain data:// URIs with base64-encoded file contents. If a valid media file is base64-encoded and included in the playlist this way, FFmpeg reports an error about an unsafe file extension. Appending =.mp4, =.m3u8, etc. to the end of the base64-encoded data bypasses this check. Any of the following file extensions will work: 3gp, aac, avi, flac, mkv, m3u8, m4a, m4s, m4v, mpg, mov, mp2, mp3, mp4, mpeg, mpegts, ogg, ogv, oga, ts, vob, wav.
Example: without the appended =.m3u8:

[hls @ 0xaaaaeaec2140] Filename extension of 'data://text/plain;base64,WEJJThogABAAEAA=' is not a common multimedia extension, blocked for security reasons.
If you wish to override this adjust allowed_extensions, you can set it to 'ALL' to allow all
[hls @ 0xaaaaeaec2140] Failed to open segment 0 of playlist 0
[hls @ 0xaaaaeaec2140] Error when loading first segment 'data://text/plain;base64,WEJJThogABAAEAA='
input.mp4: Invalid data found when processing input

and after appending =.m3u8 to the data:// URI:

[hls @ 0xaaaafb613160] Opening 'data://text/plain;base64,WEJJThogABAAEAA==.m3u8' for reading


Reproduction
Example input:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1,
data://text/plain;base64,WEJJThogABAAEAAoDzEPKQ8gD0gPTA9TDyAPVQ9uD3MPYQ9mD2UPIA9GD2kPbA9lDyAPRQ94D3QPZQ9uD3MPaQ9vD24PIA9CD3kPcA9hD3MPcw8=.m3u8
#EXT-X-ENDLIST

Trigger with ffmpeg -i input.mp4 output.mp4, where input.mp4 is the playlist above. Playing output.mp4 will show the text "(1) HLS Unsafe File Extension Bypass".


Remediation
Anything after the padding (=) or the first non-base64 character should be discarded before the extension check is performed.
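As an added illustration (not code from the report or from FFmpeg), the script below applies this remediation to the report's sample segment URI: a naive last-dot extension check accepts the URI once =.m3u8 is appended, while the same check run on the canonicalised URI (leading base64 run only, padding re-derived from its length) rejects it. The allow-list and the truncated sample payload are taken from the report above; function names and the playlist layout are this example's own.

```python
import base64
import re

# Extensions the report lists as accepted by the HLS demuxer's default allow-list.
ALLOWED_EXTENSIONS = {
    "3gp", "aac", "avi", "flac", "mkv", "m3u8", "m4a", "m4s", "m4v", "mpg", "mov",
    "mp2", "mp3", "mp4", "mpeg", "mpegts", "ogg", "ogv", "oga", "ts", "vob", "wav",
}
# data: URI carrying a base64 body, with or without the "//" seen in the report.
_B64_DATA_URI = re.compile(r"^(?P<prefix>data:(?://)?[^,]*;base64,)(?P<payload>.*)$", re.S)
_B64_RUN = re.compile(r"[A-Za-z0-9+/]*")

def extension_of(url: str) -> str:
    """Extension as a naive check sees it: whatever follows the last '.'."""
    return url.rsplit(".", 1)[1].lower() if "." in url else ""

def canonical_segment_url(url: str) -> str:
    """The report's remediation: keep only the leading base64 run, re-derive the
    padding from its length, and drop everything after it (e.g. '=.m3u8')."""
    m = _B64_DATA_URI.match(url)
    if not m:
        return url  # not a base64 data: URI; nothing to strip
    body = _B64_RUN.match(m.group("payload")).group(0)
    return m.group("prefix") + body + "=" * (-len(body) % 4)

def naive_allowed(url: str) -> bool:
    return extension_of(url) in ALLOWED_EXTENSIONS

def hardened_allowed(url: str) -> bool:
    """Same check, but on the canonical URL, so an appended suffix has no effect."""
    return extension_of(canonical_segment_url(url)) in ALLOWED_EXTENSIONS

def decoded_payload(url: str) -> bytes:
    """Bytes a base64 decoder actually yields for the segment (suffix ignored)."""
    m = _B64_DATA_URI.match(canonical_segment_url(url))
    return base64.b64decode(m.group("payload"), validate=True) if m else b""

def audit_playlist(text: str) -> list:
    """(segment_url, naive verdict, hardened verdict) for every non-tag line."""
    return [(ln, naive_allowed(ln), hardened_allowed(ln))
            for ln in text.splitlines() if ln and not ln.startswith("#")]

# Constructed playlist: the report's bypass URI (shortened payload) next to a plain segment.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1,
data://text/plain;base64,WEJJThogABAAEAA==.m3u8
#EXTINF:1,
segment0.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for url, naive, hard in audit_playlist(SAMPLE_PLAYLIST):
        print(f"{url[:48]:<48} naive={naive} hardened={hard}")
```

The decoded bytes of the sample payload start with the XBIN signature, which is why the report's output.mp4 renders as text once the demuxer is reached.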

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6601
https://bugzilla.redhat.com/show_bug.cgi?id=2253172