Players and Codecs Come Under Hacker Scrutiny
Thiel also hit one of the obvious questions head-on. In a slide labeled "Why This Matters," he pointed out that streaming media shares four highly vulnerable tendencies:
1. It is omnipresent and is always on. In other words, the benefit of streaming media’s success has the potential to raise interest in using it to deliver malicious code. In some codecs and delivery systems, the download of a streaming file cannot be stopped and continues to download in the background, which is beneficial from a playback standpoint but exposes a potentially exploitable path into a playback device.
2. Content is shared around the web, and the passing of content between parties yields a potential for insertion of malicious code if no systems are in place to verify data is actually video or audio content.
3. Most content comes from "untrusted" or anonymous sources. According to Thiel, few think to refrain from playing "untrusted media," and most browsers or players are set up to play content immediately upon launch.
4. The richness of the applications. Thiel points out that "media playback software is almost by definition excessively functional and does tons of parsing." The parsing, while required, is an area in which known code library vulnerabilities can be exploited. This often has nothing to do with the application itself, but provides another entry into the application to trick it into thinking it’s downloading video or audio content when it’s actually downloading malicious code.
Thiel goes on to say that the area of codec and player exploitation has been historically underexplored, as modern codecs are designed to be resistant to corruption. Most exploits thus far have been simple attacks on players using long playlists and URL names, and there have been few attacks using media files themselves and even fewer targeting things on the codec level. The security community, according to Thiel, knows that general fuzzing wouldn’t work, so the watch is on for a targeted fuzzing tool that would focus on key codecs.
Thiel also pointed out, in classic "white hat" hacking form, what could be exploited so that codec and media player companies could check their code. Two key areas of vulnerability are content metadata and frame data.
For content metadata—such as ID tags, album art, comments, lyrics sections, etc.—Thiel notes that many types allow arbitrarily large content, so this is a great place to store shellcode with plenty of "cushion."
For frame data, Thiel mentions that the most interest lies in the frame header, since it contains structural data describing overall file layout, including sample rate, number of frames, frame size, and channels. He also noted that streaming media can contain "multiple types of frame headers in a file, especially in the case of container formats."
Thiel closed the session by noting that "certain other prominent commercial players have what appear to be exploitable bugs [that have] no patch as of yet" but he deferred naming the players until a time later this month when an updated version of the Fuzzbox multi-codec fuzzing tool will be released on the iSEC Partners site.