AIfredo 0rtega
Nov 21, 5 tweets, 2 min read
Last week the @FFmpeg account began taunting security researchers. Foolish thing to do, as it ignores the asymmetry of their attack surface vs ours.

So as an exercise I found a stack-based buffer overflow on software that he wrote. Took me ~20 mins to find it. Thread 🧵(1/5)
First, I noticed the FFMpeg account is not controlled by an active developer of FFMpeg, but apparently by several guys, one of them named Keiran. Weird, but it is not important.
The keirank GitHub user has very few commits, and none on FFMPEG, but on Upipe, a video processing software from his company.
So let's check his most recent commit "Validate num_delta_pocs to avoid a stack smash". (2/5)
Indeed @FFmpeg wrote a validation, but it only checks one index despite working with two-dimensional arrays of varying dimensions.

This cannot be right. Since I didn't have time to verify it, I instructed an LLM to "Find critical bugs on the code".

GLM 4.6 found many (3/5)
Each time a predictor frame is calculated, it increases the reference pic array, but this is not taken into account in the validations.

Overflow (overread).

So we have a way to over-read up to 64 bytes from the stack (64 being the max amount of reference frames).

But can we write in the stack? I ask the LLM to write an h265 framer fuzzer. It's very complex; nevertheless, it does it in one shot (4/5)
So now we have read/write stack-based buffer overflow. Game over.

Fuzzer and complete explanation can be found on my github:

github.com/ortegaalfredo/…
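The bug pattern the thread describes, as an added illustration that is not the author's fuzzer nor Upipe's or FFmpeg's code: a constructed model where each reference picture set may inherit the previous set's entries and then append its own, so a check on the per-set count alone passes while the accumulated array (capped at the 64 entries the thread cites) is already full. The struct names, the `inherit_prev` flag and the `build_ref_pic_sets` function are assumptions for this model; the check is written to cover the cumulative total.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_REF_PICS 64   /* the cap the thread cites; constructed model, not Upipe's code */

/* One reference picture set: a fixed-size (stack) array of delta POCs plus its count. */
typedef struct { int32_t delta_poc[MAX_REF_PICS]; size_t num_delta_pocs; } ref_pic_set;

/* Parsed description of a set: optionally inherit the previous set's entries
 * (inter-RPS prediction), then append num_own new deltas. */
typedef struct { int inherit_prev; size_t num_own; const int32_t *own; } set_desc;

/* Builds n sets into out[]. Returns 0 on success, -1 on rejection. The check must
 * cover the accumulated total (base + num_own), not num_own alone: inheritance makes
 * the stored count grow set by set, so a per-set check passes while the array is
 * already nearly full. */
int build_ref_pic_sets(const set_desc *in, size_t n, ref_pic_set *out, size_t out_cap) {
    if (n > out_cap) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t base = 0;
        if (in[i].inherit_prev) {
            if (i == 0) return -1;                 /* nothing to inherit from */
            base = out[i - 1].num_delta_pocs;      /* never exceeds MAX_REF_PICS */
            memcpy(out[i].delta_poc, out[i - 1].delta_poc, base * sizeof(int32_t));
        }
        if (in[i].num_own > MAX_REF_PICS - base) return -1;   /* total would overflow */
        if (in[i].num_own)
            memcpy(out[i].delta_poc + base, in[i].own, in[i].num_own * sizeof(int32_t));
        out[i].num_delta_pocs = base + in[i].num_own;
    }
    return 0;
}

/* Constructed input: each set adds `per_set` deltas (individually under 64), and the
 * second set inherits the first, so the true total is 2 * per_set. Returns the final
 * count on success, or 0 if the builder rejected the input. */
size_t demo_chain_total(size_t per_set) {
    static const int32_t deltas[MAX_REF_PICS] = { -1 };   /* values are irrelevant here */
    if (per_set > MAX_REF_PICS) return 0;
    const set_desc in[2] = { {0, per_set, deltas}, {1, per_set, deltas} };
    ref_pic_set out[2];
    if (build_ref_pic_sets(in, 2, out, 2) != 0) return 0;
    return out[1].num_delta_pocs;
}
```

With `per_set` at 40, each set on its own is within the cap, yet the chained total of 80 is rejected; a check that only looked at `num_own` would have copied past the end of `delta_poc`.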
