How to infect video. Finding vulnerabilities in H.264 decoders

Modern video compression standards are a marvel of hidden complexity and the result of decades of scientific work. The H.264 specification is about 800 pages of rules that define how video is decoded. But the more complexity, the higher the security risk: it is easy to miss an error in a bitstream that is hard to understand and decode.

If you look at the decoding ecosystem, tools at several levels work together: hardware accelerators on the CPU and GPU (list of hardware decoder manufacturers), drivers, and privileged software components. Together they form a complex, heterogeneous cocktail of privileged, practically untestable and vulnerable code.

As a result, we are getting closer to a point where viruses can be quietly embedded in videos and distributed through popular video platforms, exploiting vulnerabilities in hardware decoders on smartphones and in software decoders in browsers on PCs.


A group of researchers, Willy R. Vasquez, Stephen Checkoway and Hovav Shacham from the University of Austin (USA) and Oberlin College (USA), set out to study the security of the modern video distribution infrastructure, and specifically of H.264 video decoders, H.264 being the most popular video format today. They developed a special framework, H26Forge, to parse, generate and manipulate syntactically correct but semantically non-conforming videos. Such videos formally conform to the H.264 format, but cause various failures in the decoders that process them.



Fig. 1. H26Forge architecture (30,000 lines of Rust code)

Using this framework, the researchers found a number of bugs in H.264 decoding on various platforms, including kernel memory corruption on iOS, memory corruption in Firefox and VLC on Windows, and bugs affecting the video accelerator's memory and the application processor's memory on several Android devices.



Fig. 2

All vulnerabilities are officially documented in the bulletins CVE-2022-3266, CVE-2022-32939, CVE-2022-42846, CVE-2022-42850 and CVE-2022-22675.

The H.264 codec works by finding similarities between video frames and encoding that information, then sending instructions on how to recreate the image at the endpoint. These instructions are known as syntax elements, and the meaning of the values they carry is called their semantics. The values are entropy coded using algorithms such as Exp-Golomb, CABAC or CAVLC.

Here are some H.264 syntax elements:

By changing the listed parameters, one can manipulate the behavior of the decoder so that it reads memory outside the allocated array. For example, the following illustration schematically shows the exploitation mechanism of CVE-2022-22675.



Fig. 3. Exploitation of the CVE-2022-22675 vulnerability. On the left is the properly ordered H.264 bitstream, read from top to bottom; on the right is the decoded content in memory as it fills up. The second line forces a rewrite of the PPS with the value num_ref_idx_l0_active_minus1, which eventually leads to writing a value of arbitrary length to memory by adjusting the offset in each subsequent fragment, writing the values in reverse order. The exploit code is published in Listing 2 on pp. 17–18 of the paper.
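To make the two preceding points concrete (syntax elements are Exp-Golomb coded, and a decoder that trusts a parsed value such as num_ref_idx_l0_active_minus1 without a semantic range check can be driven past the end of an allocated array), here is an added example in C. It is not code from the paper or from H26Forge. It implements a minimal MSB-first bit reader, the ue(v) Exp-Golomb decode from clause 9.1 of the H.264 spec, and the range check (0..31, the bound the spec places on this syntax element) that must run before the value is used to size or index a reference picture list. The RBSP fragments, the reference list capacity and the placeholder picture identifiers are constructed for the example, and emulation-prevention bytes are assumed to have been removed already.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: minimal MSB-first bit reader over an RBSP buffer
 * (emulation-prevention bytes assumed already stripped). */
typedef struct {
    const uint8_t *data;
    size_t nbytes;
    size_t bitpos;          /* next bit to read, counted from the MSB of byte 0 */
} bitreader_t;

/* Returns 0 or 1, or -1 when the stream is exhausted. */
static int read_bit(bitreader_t *br) {
    if (br->bitpos >= br->nbytes * 8)
        return -1;
    int bit = (br->data[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1;
    br->bitpos++;
    return bit;
}

/* ue(v) per H.264 clause 9.1: leadingZeroBits zeros, a 1, then leadingZeroBits
 * suffix bits; codeNum = 2^leadingZeroBits - 1 + suffix.
 * Returns codeNum, or -1 if the stream is truncated or the zero prefix is
 * longer than 31 bits (no legal ue(v) syntax element needs more). */
int64_t read_ue(bitreader_t *br) {
    int zeros = 0, b;
    while ((b = read_bit(br)) == 0) {
        if (++zeros > 31)
            return -1;
    }
    if (b < 0)
        return -1;
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        b = read_bit(br);
        if (b < 0)
            return -1;
        suffix = (suffix << 1) | (uint32_t)b;
    }
    return (int64_t)(((1ULL << zeros) - 1) + suffix);
}

/* Decode the first ue(v) in a byte buffer (convenience wrapper). */
int64_t decode_first_ue(const uint8_t *rbsp, size_t nbytes) {
    bitreader_t br = { rbsp, nbytes, 0 };
    return read_ue(&br);
}

/* Upper bound from the H.264 semantics of num_ref_idx_l0_active_minus1. */
#define MAX_NUM_REF_IDX_ACTIVE_MINUS1 31
/* Capacity our hypothetical decoder allocates for the list (an assumption). */
#define REF_LIST_CAP (MAX_NUM_REF_IDX_ACTIVE_MINUS1 + 1)

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OUT_OF_RANGE = -2 };

/* Decodes num_ref_idx_l0_active_minus1 from the start of rbsp and stores the
 * active count (value + 1) only if the value is inside the spec range. A decoder
 * that skips this check and uses the raw value to size or index a fixed-capacity
 * list ends up reading or writing past the end of that list. */
int parse_num_ref_idx_l0_active(const uint8_t *rbsp, size_t nbytes, int *num_active) {
    int64_t v = decode_first_ue(rbsp, nbytes);
    if (v < 0)
        return PARSE_TRUNCATED;
    if (v > MAX_NUM_REF_IDX_ACTIVE_MINUS1)
        return PARSE_OUT_OF_RANGE;
    *num_active = (int)v + 1;
    return PARSE_OK;
}

/* Returns the active count (>= 1) on success, or the negative status code. */
int parsed_num_active(const uint8_t *rbsp, size_t nbytes) {
    int n = 0;
    int st = parse_num_ref_idx_l0_active(rbsp, nbytes, &n);
    return st == PARSE_OK ? n : st;
}

/* Fills a fixed-capacity reference list with placeholder picture ids, refusing
 * any count that does not fit. Returns the number of entries written, or -1. */
int fill_ref_list(int ref_list[REF_LIST_CAP], int num_active) {
    if (num_active < 1 || num_active > REF_LIST_CAP)
        return -1;
    for (int i = 0; i < num_active; i++)
        ref_list[i] = 1000 + i;   /* constructed placeholder picture identifiers */
    return num_active;
}

int main(void) {
    /* Constructed RBSP fragments, each starting with one ue(v) code. */
    const uint8_t legal[]     = { 0x04, 0x00 };  /* 00000100000 -> 31, the maximum */
    const uint8_t too_large[] = { 0x04, 0x20 };  /* 00000100001 -> 32, out of range */
    const uint8_t truncated[] = { 0x00 };        /* eight zeros, prefix never ends */
    int ref_list[REF_LIST_CAP];

    int n = parsed_num_active(legal, sizeof legal);
    printf("legal:     count %d, entries written %d\n", n, fill_ref_list(ref_list, n));
    printf("too_large: status %d\n", parsed_num_active(too_large, sizeof too_large));
    printf("truncated: status %d\n", parsed_num_active(truncated, sizeof truncated));
    return 0;
}
```

The point of the split between parse_num_ref_idx_l0_active and fill_ref_list is that the range check is applied at parse time, where the syntax element is decoded, rather than deferred to the code that consumes it; the consumer still re-checks against its own capacity, so a later change to either side cannot silently reopen the gap.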

The results of the work are presented in a scientific article and, in a more popular form, in a Mastodon thread by one of the authors.

New virus distribution channel

Recall what a security hole for the entire computing infrastructure Adobe Flash was, integrated into all browsers and operating systems through plug-ins. In effect, the same monolithic plug-in was installed on every computer in the world, and this made it an attractive target for attack: a single 0day vulnerability opened every door for attackers.

There is a danger that H.264 codecs will become the same kind of universal master key for attackers, and that viruses will begin to spread through YouTube and other popular video platforms, via vulnerabilities in browser decoders.

Fig. 4. Vulnerability CVE-2022-3266: an out-of-bounds memory read during incorrect software rendering of video in the Firefox browser (fixed in version 105). Triggered by reducing an SPS value in the H.264 frame, which broke the decoder.

Although such mass attacks have not yet been seen in practice, the video ecosystem on the Internet is already ripe for a new type of virus, the researchers say. On the HN forums, they say that colored ripples in a video as a means of mass infection are the closest thing yet to the classic Snow Crash that we remember from the cult cyberpunk novel by Stephenson, who coined the concept of the “Metaverse” in 1992.


Note. The vulnerabilities listed in this article have been fixed in the latest versions of iOS, VLC and Firefox. Manufacturers of H.264 hardware decoders for smartphones have been notified of the issue. The authors note that similar vulnerabilities are also present in H.265 decoders, but the H26Forge framework as developed is not able to generate video sequences to exploit them.
