Modern video compression standards are a marvel of hidden complexity and the result of decades of research. The H.264 specification is about 800 pages of rules defining how to decode video. But more complexity means higher security risk: an error is easier to miss in a bitstream that is hard to understand and decode.
If you look at the decoding ecosystem, you will see that there are tools working together at several levels, from hardware accelerators on CPUs and GPUs (list of hardware decoder manufacturers), drivers, and privileged software components. Together, they form a complex, heterogeneous cocktail of privileged, virtually untestable, and vulnerable code.
As a result, we are approaching the point where viruses can be seamlessly integrated into videos and distributed through popular video platforms, exploiting vulnerabilities in hardware decoders on smartphones and in software decoders in browsers on PCs.
A group of researchers, Willy R. Vasquez, Stephen Checkoway, and Hovav Shacham from the University of Austin (USA) and Oberlin College (USA), set out to study the security of modern video distribution infrastructure, and specifically H.264 video decoders, H.264 being the most popular video format today. They developed a special framework, H26Forge, for analyzing, generating, and manipulating syntactically correct but semantically non-standard videos. Such videos formally conform to the H.264 format but cause various failures in decoders.
Fig. 1. H26Forge architecture (30,000 lines of Rust code)
Using this framework, the researchers found a number of bugs in H.264 decoding on different platforms, including kernel memory corruption in iOS, memory corruption in Firefox and VLC on Windows, and GPU, kernel, and application memory bugs on several Android devices.
Fig. 2
All the vulnerabilities are officially documented in CVE-2022-3266, CVE-2022-32939, CVE-2022-42846, CVE-2022-42850, and CVE-2022-22675.
The H.264 codec works by finding similarities between frames of a video, encoding that information, and sending instructions on how to recreate the image at the receiving end. These instructions are known as syntax elements, and the values they take are called semantics. The values are entropy-coded using algorithms such as Exp-Golomb, CABAC, or CAVLC.
Here are some elements of the H.264 syntax:
By changing the listed parameters, it is possible to manipulate the decoder's behavior so that it reads memory beyond the allocated array. For example, the following illustration schematically shows the mechanism for exploiting the CVE-2022-22675 vulnerability.
Fig. 3. Exploitation of the CVE-2022-22675 vulnerability. On the left is a correctly ordered H.264 bitstream read from top to bottom, and on the right is the decoded content in memory as it fills. In the second line, the PPS is forced to be overwritten with the value num_ref_idx_l0_active_minus1, which ultimately leads to writing a value of arbitrary length to memory by adjusting the offset in each subsequent fragment, writing the values in reverse order. The code for exploiting the vulnerability is published in Listing 2 on pp. 17–18.
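The root cause the paper describes is a syntax element that is syntactically valid but semantically out of range, then used by the decoder as an array bound. The following C snippet is an added illustration, not code from the original post or from H26Forge: a minimal ue(v) Exp-Golomb bit reader that refuses to hand a value to the decoder until its semantic range has been checked. It uses the PPS reference-index field the caption names (the H.264 spec calls the PPS field num_ref_idx_l0_default_active_minus1 and bounds it at 31). The names bitreader_t, read_ue, parse_bounded_ue and the SAMPLE_* buffers are mine, and the byte strings are constructed for the example, not taken from any real video.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal MSB-first bit reader over an in-memory buffer (example code). */
typedef struct {
    const uint8_t *data;
    size_t len_bits;   /* total bits available */
    size_t pos;        /* next bit to read */
} bitreader_t;

/* Read one bit; return -1 at end of stream instead of reading past the buffer. */
static int read_bit(bitreader_t *br) {
    if (br->pos >= br->len_bits) return -1;
    int bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Decode one ue(v) Exp-Golomb code: N leading zeros, a '1', then N suffix bits;
   value = 2^N - 1 + suffix. Returns false on truncation or an over-long prefix. */
static bool read_ue(bitreader_t *br, uint32_t *out) {
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0) {
        if (++zeros > 31) return false;   /* ue(v) in H.264 never exceeds 2^32 - 2 */
    }
    if (bit < 0) return false;            /* stream ended inside the prefix */
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        bit = read_bit(br);
        if (bit < 0) return false;        /* stream ended inside the suffix */
        suffix = (suffix << 1) | (uint32_t)bit;
    }
    *out = ((1u << zeros) - 1u) + suffix;
    return true;
}

typedef enum { PARSE_OK, PARSE_TRUNCATED, PARSE_OUT_OF_RANGE } parse_status_t;

/* Spec range for the PPS reference-index count: 0..31 inclusive. */
#define MAX_REF_IDX_MINUS1 31u

/* Read a ue(v) element and enforce its semantic range before it becomes a loop bound. */
static parse_status_t parse_bounded_ue(bitreader_t *br, uint32_t max, uint32_t *out) {
    uint32_t v;
    if (!read_ue(br, &v)) return PARSE_TRUNCATED;
    if (v > max) return PARSE_OUT_OF_RANGE;  /* syntactically fine, semantically invalid */
    *out = v;
    return PARSE_OK;
}

/* Constructed sample bitstreams (each holds a single ue(v) code, zero-padded). */
static const uint8_t SAMPLE_IN_RANGE[]   = {0x20};        /* 00100...    -> ue(v) = 3  */
static const uint8_t SAMPLE_AT_LIMIT[]   = {0x04, 0x00};  /* 00000100000 -> ue(v) = 31 */
static const uint8_t SAMPLE_OVER_LIMIT[] = {0x05, 0x20};  /* 00000101001 -> ue(v) = 40 */
static const uint8_t SAMPLE_TRUNCATED[]  = {0x00};        /* prefix never terminates   */

static parse_status_t status_of(const uint8_t *buf, size_t nbytes) {
    bitreader_t br = { buf, nbytes * 8, 0 };
    uint32_t v;
    return parse_bounded_ue(&br, MAX_REF_IDX_MINUS1, &v);
}

/* Decoded value, or UINT32_MAX when the element was rejected. */
static uint32_t ref_idx_or_max(const uint8_t *buf, size_t nbytes) {
    bitreader_t br = { buf, nbytes * 8, 0 };
    uint32_t v;
    return parse_bounded_ue(&br, MAX_REF_IDX_MINUS1, &v) == PARSE_OK ? v : UINT32_MAX;
}

/* Number of reference-list slots a decoder may then touch (minus1 + 1), or -1 if rejected.
   A decoder with a fixed 32-entry list must never see a count above 32 here. */
static int active_ref_count(const uint8_t *buf, size_t nbytes) {
    uint32_t v = ref_idx_or_max(buf, nbytes);
    return v == UINT32_MAX ? -1 : (int)v + 1;
}

int main(void) {
    printf("in range : %d\n", active_ref_count(SAMPLE_IN_RANGE, sizeof SAMPLE_IN_RANGE));
    printf("at limit : %d\n", active_ref_count(SAMPLE_AT_LIMIT, sizeof SAMPLE_AT_LIMIT));
    printf("over     : %d\n", active_ref_count(SAMPLE_OVER_LIMIT, sizeof SAMPLE_OVER_LIMIT));
    printf("truncated: %d\n", active_ref_count(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The point of the split between read_ue and parse_bounded_ue is that entropy decoding alone cannot tell a legal value from an illegal one: 40 is a perfectly well-formed ue(v) code. Only the range check tied to the specific syntax element stops the value from being used to index a fixed-size reference list, which is the pattern the paper's decoder bugs share.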
The results of the work are presented in a scientific article, and in a more popular form, they are published in the Mastodon thread of one of the authors.
New channel for the spread of viruses
One can recall what a security hole Adobe Flash was for the entire computer infrastructure, integrated into all browsers and operating systems through plugins. In fact, the same monolithic plugin was installed on all computers in the world - and this made it an attractive target for hacking. A single 0-day vulnerability opens all doors for intruders.
There is a danger that H.264 codecs will become the same universal master key for intruders, and that the spread of viruses will begin through YouTube and other popular video platforms - and through vulnerabilities in browser decoders.
Fig. 4. CVE-2022-3266 out-of-bounds memory read vulnerability in the Firefox browser during incorrect software video rendering (fixed in version 105). Triggered by reducing the SPS value in the H.264 frame, which broke the decoder.
Although such mass attacks have not yet been encountered in practice, the Internet video ecosystem is already ripe for a new type of virus, the researchers believe. On the HN forums, commenters say that colored ripples on a video as a mass infection are the closest thing yet to the classic "Snow Crash", which we remember from the cult cyberpunk novel by Stephenson, who coined the concept of the "Metaverse" in 1992.
Note: The vulnerabilities listed in this article have been fixed in the latest versions of iOS, VLC, and Firefox. Manufacturers of hardware H.264 decoders for smartphones have been notified of the issue. The authors note that similar vulnerabilities are also present in H.265 decoders, but the developed H26Forge framework is not able to generate video sequences to exploit them.
Source