Viral Video - Exploiting SSRF in Video Converters

Presented at Black Hat USA 2016, Aug. 3, 2016, 4:20 p.m. (50 minutes).

Many web applications allow users to upload video - video/image hostings, cloud storages, social networks, instant messengers, etc. Typically, developers want to convert user uploaded files into formats supported by all clients. The number of input formats is very big, so developers use third-party tools/libraries for video encoding. The most common solution in this area is ffmpeg and its forks. ffmpeg by default supports many different formats, including playlists (files with a set of links to other files). In this Briefing, we will examine exploitation of SSRF in hls (m3u8) playlists processing. Video processing is frequently done in clouds, which by design is more vulnerable to SSRF attacks, and playlists support many different protocols (http, file, tcp, upd, gopher ...), so SSRF in playlist processing can be very critical and even lead to full service takeover. We will show how implementation details of hls playlists processing in ffmpeg allow reading files from the video conversion server, with and without network support. We will show how SSRF in video converter can give full access to service based on cloud like Amazon AWS. We will also present our tool for the detection and exploitation of this vulnerability. We will show a truly "viral" video which could perform successful attacks on Facebook, Telegram, Microsoft Azure, flickr, one of Twitter services, Imgur and others.

Presenters:

  • Nikolay Ermishkin - Mail.ru Group
    Nikolay Ermishkin is an information security analyst at Mail.ru Group. He has participated in different bug bounties and CTFs. He is currently a postgraduate student.
  • Maxim Andreev - Mail.ru Group
    Maxim Andreev is a software developer in cloud.mail.ru. He has at spoken on information security at several conferences. He has also participated in several CTFs.

Links:

Similar Presentations: