The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

Discover vulnerabilities in widely used H.264 decoders, including Apple's D5500 Kext, and learn how to exploit them through thumbnailing and stateless video decoding.

Key takeaways
  • H.264 is a widely supported and complex codec with a massive attack surface.
  • The codec’s syntax and semantics are not always correctly implemented, leading to vulnerabilities.
  • The presentation highlights a series of vulnerabilities discovered in the Apple D5500 Kext using H.264.
  • The first vulnerability is a controlled kernel heap write that can be triggered via thumbnailing.
  • The second vulnerability is a stateless video decoder initiative by the Video for Linux folks that aims to remove syntax element parsing from the Linux kernel.
  • H.264 can be used to generate specially crafted videos to test decoders for vulnerabilities.
  • The presentation also highlights the need for better tooling to help researchers discover and investigate vulnerabilities in video decoders.
  • The vulnerabilities discovered in this presentation demonstrate the importance of accurate syntax and semantics checking in video decoders.
  • The presentation also discusses the challenges of modifying syntax elements manually and the need for better tooling to make this process simpler.
  • Possible mitigations include handling emulation prevention bytes correctly and implementing semantic checks in video decoders.
  • The presentation concludes by highlighting the need for more research into video decoders and the importance of better tooling to help researchers discover and investigate vulnerabilities.
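
As an added example (not code from the talk, from Apple's decoder, or from any project it mentions), the following Python sketch shows what the two mitigations named in the takeaways look like in practice: stripping emulation prevention bytes from a NAL unit to recover the RBSP while rejecting the byte patterns ITU-T H.264 forbids inside a NAL unit, a bounded Exp-Golomb reader that cannot loop forever on a run of zero bits, and semantic range checks on the first SPS fields before they are used for anything like buffer sizing. The field ranges are those of the H.264 specification (clause 7.4.2.1.1); the class and function names and the sample SPS payloads are constructed for this illustration.

```python
"""Defensive H.264 NAL handling: emulation prevention removal, bounded
Exp-Golomb parsing and semantic range checks on SPS fields (added example)."""


class H264SyntaxError(ValueError):
    """Raised for any bitstream that violates H.264 syntax or semantics."""


def nal_to_rbsp(nal: bytes) -> bytes:
    """Remove emulation prevention bytes (0x000003 -> 0x0000) from a NAL
    unit payload. Rejects 0x000000/0x000001/0x000002 (start code or reserved)
    and a 0x000003 that is followed by a byte above 0x03 (H.264 7.4.1)."""
    out = bytearray()
    zeros = 0  # count of consecutive 0x00 bytes seen so far
    for i, b in enumerate(nal):
        if zeros >= 2 and b == 0x03:
            if i + 1 < len(nal) and nal[i + 1] > 0x03:
                raise H264SyntaxError(f"invalid emulation prevention at byte {i}")
            zeros = 0
            continue  # drop the emulation prevention byte itself
        if zeros >= 2 and b <= 0x02:
            raise H264SyntaxError(
                f"start code or forbidden sequence 0x0000{b:02x} inside NAL at byte {i}")
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
    return bytes(out)


class BitReader:
    """MSB-first bit reader over an RBSP with explicit end-of-data checks."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0  # current bit position

    def u(self, n: int) -> int:
        """Read n bits as an unsigned integer (u(n))."""
        if n > len(self.data) * 8 - self.pos:
            raise H264SyntaxError("read past end of RBSP")
        v = 0
        for _ in range(n):
            byte = self.data[self.pos >> 3]
            v = (v << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v

    def ue(self, max_leading_zeros: int = 31) -> int:
        """Read an unsigned Exp-Golomb code (ue(v)); the spec bounds it to
        32 bits, so more than 31 leading zeros is a malformed stream."""
        zeros = 0
        while self.u(1) == 0:
            zeros += 1
            if zeros > max_leading_zeros:
                raise H264SyntaxError("Exp-Golomb prefix too long")
        return (1 << zeros) - 1 + self.u(zeros)


# profile_idc values that carry the extended chroma/bit-depth fields (7.3.2.1.1)
HIGH_PROFILES = {100, 110, 122, 244, 44, 83, 86, 118, 128, 138, 139, 134, 135}


def parse_sps_header(nal_payload: bytes) -> dict:
    """Parse the leading SPS fields (NAL header byte already removed) and
    enforce the value ranges of H.264 7.4.2.1.1 as each field is read."""
    r = BitReader(nal_to_rbsp(nal_payload))
    sps = {"profile_idc": r.u(8), "constraint_flags": r.u(8), "level_idc": r.u(8)}
    sps["seq_parameter_set_id"] = r.ue()
    if sps["seq_parameter_set_id"] > 31:
        raise H264SyntaxError("seq_parameter_set_id out of range (0..31)")
    if sps["profile_idc"] in HIGH_PROFILES:
        sps["chroma_format_idc"] = r.ue()
        if sps["chroma_format_idc"] > 3:
            raise H264SyntaxError("chroma_format_idc out of range (0..3)")
        if sps["chroma_format_idc"] == 3:
            sps["separate_colour_plane_flag"] = r.u(1)
        sps["bit_depth_luma_minus8"] = r.ue()
        sps["bit_depth_chroma_minus8"] = r.ue()
        if sps["bit_depth_luma_minus8"] > 6 or sps["bit_depth_chroma_minus8"] > 6:
            raise H264SyntaxError("bit depth out of range (0..6)")
        sps["qpprime_y_zero_transform_bypass_flag"] = r.u(1)
        if r.u(1):  # seq_scaling_matrix_present_flag
            raise H264SyntaxError("scaling lists not handled by this example")
    sps["log2_max_frame_num_minus4"] = r.ue()
    if sps["log2_max_frame_num_minus4"] > 12:
        raise H264SyntaxError("log2_max_frame_num_minus4 out of range (0..12)")
    sps["pic_order_cnt_type"] = r.ue()
    if sps["pic_order_cnt_type"] > 2:
        raise H264SyntaxError("pic_order_cnt_type out of range (0..2)")
    return sps


def validate_sps(nal_payload: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' for a constructed SPS payload."""
    try:
        parse_sps_header(nal_payload)
        return "ok"
    except H264SyntaxError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    # Constructed Baseline-profile SPS: sps_id=0, log2_max_frame_num_minus4=0,
    # pic_order_cnt_type=2 encoded as the bits 1 1 011 -> 0xD8.
    print(validate_sps(bytes([0x42, 0xC0, 0x1E, 0xD8])))
    # Same header but log2_max_frame_num_minus4=13 (ue code 0001110).
    print(validate_sps(bytes([0x42, 0xC0, 0x1E, 0x8E, 0x80])))
```

The checks sit next to the reads deliberately: a decoder that parses a whole header first and validates later has already used the untrusted `log2_max_frame_num_minus4` or `chroma_format_idc` to size tables by the time it notices they are out of range.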