by dkh 2014 days ago
The best ffmpeg-based video platform exploit I've ever seen was this one [0] where a user could upload a specially-doctored video to your YouTube-esque platform and while encoding it would trick ffmpeg into reading system files on the server and baking them into the encoded output.

Literally the hacker would upload a video, wait for it to encode, and then once it was available for viewing on the website, they'd be looking at a video containing the text from `/etc/passwd` or your envvars or some secrets file or whatever.

Yes, most encoding services are very well-sandboxed, and even when our tiny streaming platform at the time got hit by this when it first appeared a few years ago, it was a non-issue because there was nothing valuable or compromising on the encode servers for them to read. (I think Ubuntu AppArmor stopped it dead in its tracks on its own, anyway.)

[0] https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMx...