Viral Video - Exploiting SSRF in Video Converters

Black Hat USA 2016

Presented by: Nikolay Ermishkin, Maxim Andreev
Date: Wednesday August 03, 2016
Time: 16:20 - 17:10
Location: South Seas CDF

Many web applications allow users to upload video: video and image hosting services, cloud storage, social networks, instant messengers, etc. Typically, developers want to convert user-uploaded files into formats supported by all clients. The number of input formats is very large, so developers use third-party tools and libraries for video encoding. The most common solution in this area is ffmpeg and its forks. By default, ffmpeg supports many different formats, including playlists (files with a set of links to other files). In this Briefing, we will examine exploitation of SSRF in HLS (m3u8) playlist processing. Video processing is frequently done in the cloud, which by design is more vulnerable to SSRF attacks, and playlists support many different protocols (http, file, tcp, udp, gopher ...), so SSRF in playlist processing can be very critical and even lead to full service takeover.

We will show how implementation details of HLS playlist processing in ffmpeg allow reading files from the video conversion server, with and without network support. We will show how SSRF in a video converter can give full access to a service hosted on a cloud such as Amazon AWS. We will also present our tool for the detection and exploitation of this vulnerability. We will show a truly "viral" video which could perform successful attacks on Facebook, Telegram, Microsoft Azure, flickr, one of Twitter's services, Imgur and others.
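A pre-conversion check for the playlist problem described above, as an added example that is not the presenters' tool or code from the talk: it flags uploads that are really HLS playlists regardless of file extension and lists every reference that points outside the upload. The function names, the empty scheme allowlist and the sample bytes are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: uploads should never reference anything by scheme, so the allowlist is empty.
ALLOWED_SCHEMES = set()
URI_ATTR = re.compile(r'URI="([^"]*)"')

def looks_like_hls(data):
    """Heuristic: an #EXTM3U header in the first 4 KiB, whatever the extension says."""
    head = data[:4096].decode("utf-8", errors="replace")
    return any(line.strip().startswith("#EXTM3U") for line in head.splitlines())

def playlist_references(data):
    """Every URI the playlist points at: bare URI lines plus URI="..." tag attributes."""
    refs = []
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("#"):
            refs.extend(URI_ATTR.findall(line))
        elif line:
            refs.append(line)
    return refs

def risky_references(data):
    """(reference, reason) for each entry that reaches outside the upload itself."""
    findings = []
    for ref in playlist_references(data):
        scheme = urlparse(ref).scheme.lower()
        if scheme and scheme not in ALLOWED_SCHEMES:
            findings.append((ref, f"scheme '{scheme}'"))
        elif ref.startswith(("/", "\\")) or ".." in ref.split("/"):
            findings.append((ref, "absolute or parent path"))
    return findings

def check_upload(name, data):
    """Verdict for one upload; findings are only computed for playlist-like content."""
    is_hls = looks_like_hls(data)
    return {"name": name, "is_playlist": is_hls,
            "findings": risky_references(data) if is_hls else []}

# Constructed sample: content of a file uploaded as "clip.avi" that is really a playlist.
SAMPLE = b"""#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="http://192.0.2.10/key"
#EXTINF:10.0,
file:///placeholder/local/path
segment1.ts
#EXT-X-ENDLIST
"""
```

A service that has no reason to accept playlists can reject any upload where `is_playlist` is true; the findings list is for logging and triage.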

Nikolay Ermishkin

Nikolay Ermishkin is an information security analyst at Mail.ru Group. He has participated in different bug bounties and CTFs. He is currently a postgraduate student.

Maxim Andreev

Maxim Andreev is a software developer in cloud.mail.ru. He has spoken on information security at several conferences. He has also participated in several CTFs.

