kpt-labs-vault/05-Dashboard/YouTube/QGC40AfmgY0 - AI Did This_.md
2026-06-22 09:10:23 +02:00


video_id: QGC40AfmgY0 | title: "AI Did This." | date: 2026-06-22T08:05:05.754981 | sentiment: neutral | category: Other | duration: 659 | views: 350045 | channel: Low Level | tags: [youtube, video, automatisch-verarbeitet] | Quelle: yt_dlp_subs+translate | Sprache: en

AI Did This.

Channel: Low Level | Duration: 659s | Views: 350045

Summary

Key Points

Takeaways

Transcript

Researchers found 21 zero-day vulnerabilities in FFmpeg. They used AI to do it, but they didn't use Mythos. Now, FFmpeg, if you're not aware, is one of the most widely used pieces of software on the internet. Literally, there are graphics and memes that are mostly true that show that FFmpeg basically holds up the entirety of the internet. FFmpeg is literally a multimedia library that allows you to convert one file format to another, to play media, to stream media, a bunch of stuff. This meme here implies that FFmpeg holds up things like YouTube, TikTok, Twitch, Instagram. This meme also implies that, like, Pornhub holds up the entirety of the rest of the internet, not sure how that works, but in any case, FFmpeg very, very important. I want to use this video to talk about not only the bugs that it found and kind of how they did it, but what AI means for the future of vulnerability research and why you may not necessarily need Mythos or $20,000 to find bugs like this. Now, FFmpeg is a code base written almost entirely in C with some inline assembly sprinkled in there for performance optimization. The code base written in C is a good thing inherently. FFmpeg is extremely performant and very good at what they do, but like any code base, if it gets big enough with enough people, it is going to have vulnerabilities. It's not a skill issue in my opinion, it's just a language that allows that kind of thing to happen. The FFmpeg developers, by the way, are some of the most skilled in the world. Notoriously, some of the best code base in the world in FFmpeg. But again, any code base that is in C will eventually have bugs. It's kind of inevitable. And with the advancements of AI, every day it's more and more likely that your organization might get hacked. You got to be prepared, and that's why today's video is sponsored by ThreatLocker. ThreatLocker is a zero-trust platform that allows your organization to stop hackers if they get in.
With deny-by-default policies, your organization controls what happens when a compromise occurs. ThreatLocker's device dashboard allows you to have visibility of all the devices in your organization. When they join your organization, they go through an application control learning period where ThreatLocker learns exactly what is required for your device to run. After that control learning period is over, it will deny the rest by default, giving you confidence that untrusted applications aren't running. So that when Frank from engineering inevitably runs definitely not malware.ps1, ThreatLocker blocks it before it even runs. And if they really need to run it, they can put a little message in here where your SOC can respond to it as soon as they see it. And with ThreatLocker's new zero-trust network access, you can push network rules down to the device where every connection is intentional and required by the baseline that ThreatLocker collects. All traffic is blocked by default unless it matches your rules where you get to control which users can connect, which devices are approved, and which resources are accessible. As you know the rule, the best way to go help the channel out is to go interact with the sponsor. Go give ThreatLocker a shot, and next time zero-trust comes up at your company, why don't you mention ThreatLocker? Thank you for sponsoring the video, ThreatLocker. Let's get back to it. 21 vulnerabilities found in FFmpeg. You'll notice that all of them have some kind of overflow, stack overflow, heap overflow, integer overflow, a very common thing that occurs in code bases, especially in code bases that have to parse user data. If you consider that any one of the fields in the BMP file format could be malicious, for example, fields like the image height, the image width, the bits per pixel, the pixels per meter, it's very hard to say, etc. All of them do some kind of math that points into another location of memory where the actual pixel data is stored.
If any of these fields are malicious and not properly validated, it could lead to some kind of overflow or underflow in calculation leading to access to memory outside of the bounds of this image data array. Very simple use case. Now, luckily, some of these bugs have only been around since 2023, some new file formats or new implementations of those file formats. But one in particular is actually a stack-based buffer overflow that has been around since 2003 with the original SDT implementation. Not sure what that is. It sat latent for 23 years, and even so, platforms like Google's Big Sleep and their OSS-Fuzz repo, repos that are actively looking for through AI and open-source fuzzing, through those efforts to find bugs in FFmpeg, still couldn't find it. The bug that the blog author pointed out, which is a really crazy bug, is, uh, skipped frame marker to PC control. Basically, what you have to do here is run FFmpeg and simply ingest an RTSP stream, okay? Literally, if you watch Twitch or you watch YouTube streams, anything any kind of live content, typically what


Processed: 2026-06-22 08:05
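
Added example, not part of the video, its transcript or FFmpeg's code: the BMP case the transcript describes (width, height and bits per pixel feeding the math that locates the pixel data), written as a header check in C beside the 32-bit calculation that wraps. The function names, the fixed 54-byte header layout (14-byte file header plus 40-byte info header, uncompressed, 8/16/24/32 bpp only) and the constructed header are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

enum bmp_status { BMP_OK, BMP_TRUNCATED, BMP_BAD_FIELD, BMP_OUT_OF_BOUNDS };
static uint32_t rd32(const uint8_t *p) {   /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { /* little-endian write */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The unsafe pattern: 32-bit math on file-controlled fields wraps silently. */
uint32_t naive_size32(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * (bpp / 8);
}

/* Validate the header of an uncompressed BMP before touching any pixel. On
 * success, buf[*off .. *off + *size) is the pixel array and lies inside buf. */
enum bmp_status bmp_validate(const uint8_t *buf, size_t len, size_t *off, size_t *size) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return BMP_TRUNCATED;
    uint32_t data_off = rd32(buf + 10);
    int32_t  width    = (int32_t)rd32(buf + 18);
    int32_t  height   = (int32_t)rd32(buf + 22);       /* negative means top-down */
    uint32_t bpp      = buf[28] | (uint32_t)buf[29] << 8;
    if (width <= 0 || height == 0 || height == INT32_MIN) return BMP_BAD_FIELD;
    if (bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return BMP_BAD_FIELD;
    /* 64-bit math: width < 2^31 and bpp <= 32, so none of these can wrap. */
    uint64_t rows   = (uint64_t)(height < 0 ? -(int64_t)height : (int64_t)height);
    uint64_t stride = ((uint64_t)width * bpp + 31) / 32 * 4;  /* rows pad to 4 bytes */
    uint64_t total  = stride * rows;
    if (data_off < 54 || data_off > len) return BMP_OUT_OF_BOUNDS;
    if (total > (uint64_t)(len - data_off)) return BMP_OUT_OF_BOUNDS;
    *off = data_off; *size = (size_t)total;
    return BMP_OK;
}

/* Build a constructed header (not a real file) and validate it. */
enum bmp_status check_constructed(int32_t w, int32_t h, uint16_t bpp, size_t file_len) {
    static uint8_t buf[128];
    size_t off, size;
    if (file_len > sizeof buf) file_len = sizeof buf;
    buf[0] = 'B'; buf[1] = 'M'; wr32(buf + 10, 54);  /* magic, pixel data offset */
    wr32(buf + 14, 40);                              /* info header size */
    wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h);
    buf[26] = 1; buf[28] = (uint8_t)bpp;             /* planes, bits per pixel */
    return bmp_validate(buf, file_len, &off, &size);
}

int main(void) { return check_constructed(2, 2, 24, 70) == BMP_OK ? 0 : 1; }
```

A 65536 x 65536 image at 32 bpp makes `naive_size32` return 0, so a bounds check built on it would accept the header, while `bmp_validate` rejects it because the 64-bit total exceeds the bytes actually present.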