How Malicious MP4 Files Threaten Security and Reputation
5/23/2025 - Brian O'Neill


Introduction

On the surface, most folks are familiar with the internet’s most ubiquitous video format, MPEG-4 Part 14 (MP4). Few, however, have reason to understand (or care about) the intricacies of MP4 file structure. Here at Cloudmersive, understanding the complexity and rigidity of file formatting expectations is essential to our security mission, and we’ll be putting the spotlight on MP4 in this article.

What is an MP4 File?

MP4 is a multimedia container format used to store four content types – video, audio, plain text (subtitles), and metadata – in a single, structured file. While we think of MP4 files as “video files”, they aren’t simple linear streams; they’re compound formats based on the ISO Base Media File Format (ISOBMFF). ISOBMFF uses a structure built from boxes – frequently referred to as atoms – to store and organize media data.

Within an MP4, each “box” contains a different type of data. Some of these “boxes” store metadata, such as file type information or video duration. Others hold audio/video streams, and some contain the instructions required to enable media playback.

The modularity of MP4 gives it the flexibility it needs to be a dynamic, dependable media asset – but it also opens it up to abuse. Within MP4 “boxes”, threat actors can hide malicious payloads designed to execute when the video plays, and they can also create malformed structures to exploit unpatched vulnerabilities in media parsers.

Why MP4 Files are Difficult to Secure

We see MP4 files everywhere, and they generally seem harmless (most often, they are). However, their complex file structure makes them impossible to overlook as a potential threat.

Thanks to MP4’s custom metadata properties, threat actors can inject scripts into the file or confuse data structures. MP4 also allows for hidden data streams, making it possible for attackers to include non-standard audio, video, or even compressed content. Its file headers are manipulable, and threat actors can exploit this by mimicking a safe file while delivering a corrupt or exploit-laden stream.

Finally, the possibility of hidden NSFW content (including CSAM and other extremely sinister illegal media) within video files can’t be ignored. This content issue represents a different type of potential security breach for enterprises – one that won’t result in a system compromised by remote malware, but will instead result in emotional turmoil, significant legal challenges, and a potentially catastrophic loss of reputation.

It’s also important to remember that MP4 files can be very, very large compared to other media content types, making it difficult for upload portals, cloud sync tools, and email gateways to check them thoroughly for malicious and illicit content. This contributes to their overall security challenge; attackers can exploit relaxed content scanning to push poisoned videos through a client-side entry point. Because videos don’t look like code, many tools will under-scan them or skip them entirely if the file is too large.

Embedded Threats: Exploiting the MP4 Format

Below, we’ll explain the most common ways MP4 files are weaponized.

Malformed Headers

Attackers can exploit vulnerable media libraries (meaning those which improperly handle MP4 structure in some obscure way) by crafting corrupt or oversized metadata boxes. This can lead to application crashes, memory corruption, or (worst case scenario) remote code execution (RCE).
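
The box layout and the malformed-header case described above can be checked structurally before a file reaches a media library. The following is an added example, not code from Cloudmersive or from the original article: it walks the ISOBMFF box tree and reports boxes whose declared size is impossible. The container list, the depth limit, and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Container box types whose payload is itself a sequence of boxes (assumed subset).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf", b"udta"}
MAX_DEPTH = 16  # assumed limit that bounds recursion on hostile input


def walk_boxes(data, start=0, end=None, depth=0, path=""):
    """Return (boxes, findings) for the boxes in data[start:end]."""
    end = len(data) if end is None else end
    boxes, findings, pos = [], [], start
    while pos < end:
        if end - pos < 8:
            findings.append(f"{path or '/'}: {end - pos} trailing bytes, too short for a box header")
            break
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1 and end - pos >= 16:  # 64-bit "largesize" follows the type field
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:  # box runs to the end of the enclosing data
            size = end - pos
        name = f"{path}/{btype.decode('latin-1')}"
        if size < header:  # also catches a truncated largesize header (size stays 1)
            findings.append(f"{name}: declared size {size} is smaller than its header")
            break
        if pos + size > end:
            findings.append(f"{name}: declared size {size} overruns parent by {pos + size - end} bytes")
            break
        boxes.append((name, pos, size))
        if btype in CONTAINERS:
            if depth >= MAX_DEPTH:
                findings.append(f"{name}: nesting deeper than {MAX_DEPTH}")
            else:
                b, f = walk_boxes(data, pos + header, pos + size, depth + 1, name)
                boxes += b
                findings += f
        pos += size
    return boxes, findings


def box(btype, payload=b""):  # builds one box for the constructed samples below
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed samples: a minimal well-formed layout and one with an oversized 'mvhd'.
GOOD = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"moov", box(b"mvhd", b"\x00" * 100))
BAD = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"moov", struct.pack(">I4s", 0x7FFFFFFF, b"mvhd") + b"\x00" * 100)
```

An empty findings list only means the box sizes are self-consistent; it says nothing about the contents of each box, so this check belongs in front of deeper content scanning rather than in place of it.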

Steganography

Like JPEG files, MP4 files can carry malicious code or executables hidden in unused parts of the file via steganography (the practice of hiding information within other data). That includes metadata fields and even audio streams. If these MP4 files make it past upload security policies, their payloads can be extracted and executed later in the attack chain. Steganographically concealed malware often bypasses antivirus (AV) software due to the non-executable nature of the file.

Drive-By Downloads

In some cases – particularly those involving legacy browsers – weaponized MP4 files embedded in HTML pages can trigger auto-downloads when previewed. In such cases, victims might not realize they’re downloading second-stage malware just by opening an email or viewing a compromised web page. Scenarios where victims remain unaware of an attack on their system for any period of time benefit attackers immensely.

Script-Based Payloads

When automatic processes like thumbnail or video preview generation use poorly sandboxed tools, they might unwittingly run malicious, crafted scripts hidden in an MP4 file’s metadata. This can result in privilege escalation, unauthorized network access, or (in extreme cases) the creation of persistence mechanisms within internal media processing systems.

MP4 as a Vehicle for NSFW and CSAM Content

As we alluded to earlier, not all MP4 attacks involve malware. Malicious threat actors and irresponsible enterprise employees alike can be responsible for uploading non-consensual explicit content, CSAM (Child Sexual Abuse Material), or even violent content into a widely accessible enterprise file storage location.

When such content is uploaded intentionally by a motivated threat actor, the goal can be to damage an enterprise’s brand trust, trigger debilitating legal investigations, or expose the enterprise to civil or criminal liability. This type of content won’t be flagged by AV software because it doesn’t represent a virus or malware threat; rather, it requires frame-by-frame analysis with trained AI.

MP4 Exploits in the Wild

CVE-2021-30864

In this case, a vulnerability was identified in Apple’s Core Media component. This vulnerability enabled MP4 files to trigger arbitrary code execution when the system attempted to process the video. The underlying problem stemmed from improper memory handling when parsing specific MP4 metadata boxes, and threat actors could exploit it directly with specially crafted (invalid) MP4 files.

CVE-2020-12362

This vulnerability affected Intel’s Media SDK. It allowed attackers to execute arbitrary code using specially crafted MP4 files. These files could exploit flaws in the video decoding process while easily flying under the radar of weakly configured, extension-focused AV scanning policies at the network edge.

Both these examples reinforce the idea that video files are dangerous even when they aren’t executable. They’re inherently dangerous because they interact with complex systems like codecs, players, and preview engines which are vulnerable to malformed content.

Defending Against MP4 Threats with Cloudmersive

Cloudmersive’s Advanced Virus Scan API and NSFW Content Detection API are designed to help organizations deal with the dual-threat of malicious and inappropriate video content.

The Advanced Virus Scan API and NSFW Content Detection API can be deployed in forward or reverse proxies at the network edge, deployed adjacent to AWS, Azure, and GCP cloud storage buckets for real-time cloud storage scanning, or utilized in a Web Application Firewall (WAF).

Advanced Virus Scan API

The Advanced Virus Scan API inspects MP4 internals for metadata, embedded resources, and known exploit structures using deep content verification. It also identifies known malware signatures with traditional signature-based scanning, referencing a continuously updated database of 17 million+ signatures (publicly and privately sourced). Recursive scanning roots out MP4s embedded deep within compressed archives like ZIP, RAR, and 7Z.

NSFW Content Detection API

The “Scan a Video for NSFW Content” iteration of Cloudmersive’s Video API analyzes videos frame-by-frame using deep learning models trained on NSFW and CSAM content. Cloudmersive specializes in providing flexible infrastructure to deal with large file sizes, which is essential in any effective MP4-scanning process. Outputs from NSFW video scanning indicate which specific video frames NSFW content was identified in, along with granular content such as the timestamp, frame number, NSFW content type, and classification result (scored from 0.0 – 1.0).

Conclusion

Despite what we might think, MP4 files aren’t simple. Under the hood, they’re powerful, complex structured containers capable of supporting rich media and dangerous payloads. Whether through malformed data, steganography, or NSFW/CSAM content, threat actors can use video files to bypass enterprise security systems and damage targets in a wide range of ways.

To learn more about protecting your system against malicious MP4 uploads with Cloudmersive’s Advanced Virus Scan and NSFW Content Detection APIs, please contact a member of our team.
