I want to share with you one of my favorite YouTube channels, which goes through different hacking challenges. In one of its latest videos, LiveOverflow gives details about a vulnerability discovered by Paul Cher and his friend Emil Lerner, who fuzzed FFmpeg and found several new vulnerabilities. I did a previous post about how to use FFmpeg to download a video from a protected TV channel replay website, and since I had already worked with this tool to build a video multiplexer on the fly, I found it interesting to share this video and podcast from LiveOverflow with you.
The vulnerability is in the HTTP protocol implementation that FFmpeg re-wrote for itself. With the Transfer-Encoding: chunked format, the length of each chunk is sent first and then its content; when that length is set to a negative integer, FFmpeg hits a segmentation fault, which stops it from executing on the target server.
This error was found by fuzzing. By fuzzing the FFmpeg network protocols with AFL (a fuzzer whose techniques can look like magic), Paul Cher was able to trigger a segmentation fault. He then had to find what was causing it by debugging FFmpeg itself. The main step here was to rebuild FFmpeg with AddressSanitizer (ASan) to detect memory corruption; in this case it reported a heap buffer overflow, recognizable in the red ASan output. To navigate through the code, Paul uses Ctags (referenced below).
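To illustrate the check that keeps such a chunk length away from buffer handling, here is a small chunked-body decoder in C. It is an added example, not code from the video or from FFmpeg: it refuses a signed, oversized or truncated chunk size before anything is sized or copied from it. The cap MAX_CHUNK_SIZE and the function names are assumptions of this example, not FFmpeg's.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Per-chunk cap; an assumption for this example, not FFmpeg's own limit. */
#define MAX_CHUNK_SIZE ((int64_t)1 << 30)

/* Parse one chunk-size line such as "1a;ext=1\r\n". Returns the size, or -1 if
 * no hex digit comes first (so "-1" and " 1" are refused), the CRLF is missing
 * or the value exceeds the cap. *rest receives the byte after the CRLF. A bad
 * length is thus rejected before anything sizes or fills a buffer from it. */
int64_t parse_chunk_size(const char *line, const char **rest)
{
    const char *p = line;
    int64_t v = 0;

    for (; isxdigit((unsigned char)*p); p++) {
        int c = tolower((unsigned char)*p);
        int d = isdigit(c) ? c - '0' : c - 'a' + 10;
        if (v > (MAX_CHUNK_SIZE - d) / 16)          /* v*16 + d would exceed cap */
            return -1;
        v = v * 16 + d;
    }
    if (p == line) return -1;                       /* no digits at all */
    if (*p == ';')                                  /* skip a chunk extension */
        while (*p && *p != '\r') p++;
    if (p[0] != '\r' || p[1] != '\n') return -1;
    if (rest) *rest = p + 2;
    return v;
}

/* Decode a NUL-terminated chunked body into out (capacity outcap). Returns the
 * payload length, or -1 on malformed, truncated or oversized input. */
int64_t decode_chunked(const char *in, char *out, size_t outcap)
{
    const char *end = in + strlen(in);
    size_t used = 0;
    for (;;) {
        const char *data;
        int64_t n = parse_chunk_size(in, &data);
        if (n < 0) return -1;
        if (n == 0) return (int64_t)used;                        /* last-chunk */
        if ((uint64_t)n > outcap - used) return -1;              /* out too small */
        if ((uint64_t)(end - data) < (uint64_t)n + 2) return -1; /* truncated */
        memcpy(out + used, data, (size_t)n);
        used += (size_t)n;
        if (data[n] != '\r' || data[n + 1] != '\n') return -1;   /* data CRLF */
        in = data + n + 2;
    }
}
```

Any trailer after the last-chunk is ignored, which is enough for this illustration.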
Protocols are a good target
Capture The Flag competitions
Paul Cher tells LiveOverflow that the best way he got into reverse engineering and hacking was through Capture The Flag challenges, such as those listed on https://ctftime.org/
New tools to play around with code
AddressSanitizer (or ASan) is an open source programming tool by Google that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free).
Ctags is a programmer's tool that generates an index file of the names found in source and header files of various programming languages.
Update:
A new video came out with more details on how the heap overflow happened.