CVE-2023-6601 is a security vulnerability in FFmpeg's HLS (HTTP Live Streaming) demuxer. This flaw allows threat actors to bypass unsafe file extension checks and trigger arbitrary demuxers by appending base64-encoded data URIs with specific file extensions. Since FFmpeg is a widely used multimedia library, this vulnerability has a broad impact and should be treated with high priority.
In this post, we will discuss details about the issue, provide a code snippet showing the vulnerability, and mention the original references.
Vulnerability Details
The vulnerability lies in the HLS demuxer's handling of file extensions and how it decides which demuxer to use. The issue arises when base64-encoded data URIs combined with specific file extensions are used to bypass unsafe file extension checks and trigger arbitrary demuxers.
The HLS demuxer reads metadata from a playlist file (M3U8) to determine which demuxer it should use; however, by appending a specific file extension such as ".mov" to a base64-encoded data URI, an attacker can bypass these checks and exploit the vulnerability.
Here is an example showing how to create a playlist file triggering the vulnerability:
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:
#EXTINF:1,
data:video/mp4;base64,...payload...;.mov
This playlist file contains a base64-encoded MOV payload that, when processed by the vulnerable HLS demuxer, will bypass file extension checks, allowing an attacker to trigger an arbitrary demuxer.
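For triage, the pattern above can be detected before a playlist ever reaches FFmpeg. The following is an added example, not code from FFmpeg or from the original advisory: the function names are hypothetical, and the sample playlist (including its media sequence value and inert payload) is constructed. It goes slightly beyond the segment line shown above by also checking URI="..." attributes on playlist tags.

```python
import re

SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
URI_ATTR = re.compile(r'URI="([^"]*)"')  # e.g. EXT-X-KEY, EXT-X-MAP, EXT-X-MEDIA
TRAILING_EXT = re.compile(r"\.([A-Za-z0-9]{1,8})$")
# The base64 alphabet has no ';' or '.', so either one after the comma means
# extra text was appended to the encoded payload.
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def playlist_uris(text):
    """Yield (line_number, uri) for each resource an M3U8 playlist references."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            for match in URI_ATTR.finditer(line):
                yield number, match.group(1)
        elif line:
            yield number, line  # segment or variant playlist reference


def audit_playlist(text):
    """Return one finding per data: URI, noting any extension appended to it."""
    findings = []
    for number, uri in playlist_uris(text):
        scheme = SCHEME.match(uri)
        if not scheme or scheme.group(1).lower() != "data":
            continue
        header, _, body = uri.partition(",")
        ext = TRAILING_EXT.search(uri)
        findings.append({
            "line": number,
            "appended_extension": ext.group(1).lower() if ext else None,
            "non_base64_tail": header.lower().endswith(";base64")
            and not BASE64_BODY.match(body),
        })
    return findings


# Constructed sample: the payload decodes to the four bytes "ABCD".
SAMPLE = """#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1,
segment0.ts
#EXTINF:1,
data:video/mp4;base64,QUJDRA==;.mov
"""

if __name__ == "__main__":
    for finding in audit_playlist(SAMPLE):
        print(finding)
```

A playlist from an untrusted source that produces any finding, and especially one with `non_base64_tail` set, is a candidate for rejection rather than processing.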
Exploitation
Successful exploitation of this vulnerability could lead to various outcomes such as memory corruption, information disclosure, or denial of service (DoS). It is crucial to be aware of this issue and apply the necessary security patches to mitigate the risk posed by CVE-2023-6601.
The issue was initially reported through the following references:
1. FFmpeg: Official Security Advisory
2. NVD - CVE-2023-6601
3. Original Mailing List Post
Conclusion
CVE-2023-6601 demonstrates the importance of validating user inputs, file extensions, and data integrity checks. This vulnerability in FFmpeg's HLS demuxer serves as a reminder that even widely used, highly regarded multimedia libraries can contain security issues.
Companies and individuals relying on FFmpeg should stay up to date on potential vulnerabilities and apply security patches released by the official developers.
Timeline
Published on: 01/06/2025 17:15:14 UTC