Hacker News new | ask | show | jobs
by dpe82 226 days ago
I'm certain it's happened but since I don't have one off the top of my head I'll instead point out a related issue: https://en.wikipedia.org/wiki/Stagefright_(bug)

It's worth pointing out that many, many, many things use the libav* library family.
1 comments
brigade 226 days ago
Yes, I know that multimedia/image vulnerabilities are popular vectors for zero-click attacks. My point is that desktop players are not a vector for zero-click attacks, and ffmpeg has not generally been used in end-user situations that are targets of zero-click or drive-by attacks. Mostly because of the license, but still.

If the exploit chain involves the user downloading and opening a file, something like >99% of the time the next step already involves executable code (or Office macros), which makes any ffmpeg vuln completely useless.

link
phil21 225 days ago
In a past life as a managed hosting provider ffmpeg exploits were used to gain access to systems.

It’s used for pretty much any platform you can upload video to. Some places far more competently than others.

link
brigade 225 days ago
See, I’d be interested in any actual evidence/writeups of that in the wild.
link
bawolff 225 days ago
In fairness, i dont think the majority of actual exploits used in the wild get writeups.

Budget web host using outdated software getting hacked because they havent updated in 2 years isn't exactly all that interesting of a blog post even if the victim knows enough to figure out what happened.

link
dpe82 226 days ago
Chrome uses ffmpeg's underlying libraries.

It's used way, way more than you think.

link
brigade 225 days ago
Yes, I’m quite familiar with that. Chrome is why I added the “generally” qualifier.

And to the best of my knowledge, there has not been any in-the-wild exploit against Chrome through the handful of ffmpeg codecs they enable. Not even pwn2own type competitions either, as I recall.

link
dpe82 225 days ago
I guess I'm confused - are you trying to imply the lack of a thorough, publicly reported successful exploit (or us just not casually giving you one that you care about) means that we're all released from the responsibility of taking potential exploits seriously?
link