Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines

[Batu69]

Allows attackers to get files from your server or PC

A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, was unveiled recently.

The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev in the current stable builds of the FFmpeg software, and it would appear that it allows anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.

The vulnerability is limited to reading local files and sending them over the network, not to remote code execution, but it's enough to do some damage. The FFmpeg developers are aware of the issue, and they are trying to patch it as we speak. James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.

"ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file - for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected, basically all operations with file that involve ffmpeg reading it are affected," reads an Arch Linux bug report submitted today.

Already patched in Arch Linux

We've been informed earlier today, January 13, 2016, that Arch Linux developers have already patched the FFmpeg 2.8.4 packages in the operating system by rebuilding them without the AppleHTTP and HLS demuxers. Therefore, all Arch Linux users are urged to update their FFmpeg packages to version 2.8.4-3. It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

We will update the article later today or tomorrow, when the FFmpeg team releases a patch or a new version of the software. Other GNU/Linux distributions should also rebuild the FFmpeg packages available in the default software repositories using the method explained above. All operating systems that use FFmeg 2.8.4 or previous versions are affected.

Article source

[steven36]

HTML5 , Flash , Smart TV  and now FFmpeg can be exploited  its not safe to stream  at all any more 

[steven36]

Linux Mint  17 x  uses libav-tools   a replacement for ffmpeg only way you have ffmpeg in it is if  you installed  it   via ppa

 

Alexander Drozdov  Qt Creator pushed  out a  patched  build  i managed  to uninstall  14.04  from  Doug McMahon and replace it with Alexander Drozdov's  14.04  patch build

Quote

 

* Bump version
  * Disable protocols 'concat' and 'hls' and demuxer 'hls' due to issue with
    users data leak.

 

https://launchpad.net/~adrozdoff/ archive/ubuntu/ffmpeg-opti

https://launchpad.net/~adrozdoff/ archive/ubuntu/ffmpeg-opti/ packages

 

From what i read this  its not  a really a  0day  they just took the same bug and exploited even more and its much worse .  There's 100s of apps  on Linux , Mac  and windows this effects.

https://www.reddit.com/r/netsec/comments/410k7g/zeroday_ffmpeg_vulnerability_lets_anyone_steal/

 

List  of ffmpeg projects

https://trac.ffmpeg.org/wiki/Projects

 

[I wanna know]

What operations system does this account for?

[steven36]

Just now, I wanna know said:

What operations system does this account for?

Windows , Linux  and Mac  and 100s of apps that you install on the systems .