Monday, January 05, 2009

Don't trust (media) file extensions

In reaction to the vulnerabilities I recently found in various popular media players I get a lot of mails with a lot of questions. There're two questions that keep repeating themselves:

"The vulnerability is completely theoretical. I have never heard of the [place your favorite name here] media format before, so why should I open such an obscure media file?"
"Am I secure if I don't open [place your favorite name here] media files anymore?"
Both questions are answered quite easily: How would you find out the media file format? By the file extension? DON'T trust media file extensions!

Let's take for example the VLC vulnerability that occurs while processing TiVo media files. I'm sure most of you (including me ;) have never heard of this format before or even used it. The regular file extension for TiVo files is ".ty". But what hinders an evil attacker from renaming the file from "fun.ty" to "fun.avi" or "" or "fun.mkv" or whatever he likes? The file will still be opened and processed as a TiVo file by the media player as file extensions are *not* used to recognize the media format.

This is true for all media players under all platforms (that I know).

(Purpose of this blog entry: From now on I can simply provide a link to this entry as an answer for the above questions ;)