CVE-2020-16159
📋 TL;DR
CVE-2020-16159 is a heap out-of-bounds read vulnerability in GoPro's gpmf-parser library version 1.5. Parsing malicious GPMF metadata can cause segmentation faults (crashes) or information disclosure. This affects any application using the vulnerable gpmf-parser library to process GoPro media files.
💻 Affected Systems
- GoPro gpmf-parser library
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if combined with other vulnerabilities, or sensitive memory disclosure revealing credentials or other protected data.
Likely Case
Application crashes (denial of service) when processing malicious files, potentially disrupting media processing workflows.
If Mitigated
Limited to denial of service if proper input validation and memory protections are in place, with no data exfiltration.
🎯 Exploit Status
Exploitation requires feeding malicious GPMF data to the parser, which could be delivered via crafted media files. Public technical details exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.5.1 or later
Vendor Advisory: https://github.com/gopro/gpmf-parser/commit/2cc0af7ffee6f12934e2d57750bdf292f62b0a97
Restart Required: No
Instructions:
1. Update gpmf-parser to version 1.5.1 or later.
2. Recompile any applications using the library.
3. Replace the old library files with the patched version.
🔧 Temporary Workarounds
Input Validation
All platforms: Implement strict input validation for GPMF data before passing to the parser to reject malformed or suspicious files.
N/A - Implementation specific
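One shape such a pre-check can take, as an added example that is not code from gpmf-parser or from this advisory: it walks a raw GPMF buffer and rejects it when any declared length runs past the available data. The KLV layout, the nesting limit, the printable-key rule and the function name `gpmf_precheck` are assumptions of this example, and it complements the update to 1.5.1 rather than replacing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed KLV layout (public GPMF format description, not stated on this page):
 * 4-byte FourCC key | 1-byte type | 1-byte sample size | 2-byte big-endian
 * repeat count | payload of size*repeat bytes, padded to a 4-byte boundary.
 * Type 0 marks a container whose payload is itself a sequence of KLVs. */
#define GPMF_MAX_DEPTH 16 /* hypothetical nesting limit for this example */

/* Returns 1 if every KLV in buf[0..len) lies fully inside the buffer, else 0.
 * Strict: trailing bytes that do not form a whole KLV are rejected. */
int gpmf_precheck(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0;
    if (buf == NULL || depth > GPMF_MAX_DEPTH)
        return 0;
    while (off < len) {
        const uint8_t *h = buf + off;
        if (len - off < 8)                       /* truncated header */
            return 0;
        for (int i = 0; i < 4; i++)              /* example rule: printable ASCII key */
            if (h[i] < 0x20 || h[i] > 0x7e)
                return 0;
        size_t n = (size_t)h[5] * (((size_t)h[6] << 8) | h[7]);
        size_t padded = (n + 3) & ~(size_t)3;
        if (padded > len - off - 8)              /* payload runs past the buffer */
            return 0;
        if (h[4] == 0 && !gpmf_precheck(h + 8, n, depth + 1))
            return 0;                            /* malformed nested container */
        off += 8 + padded;
    }
    return 1;
}

/* Constructed samples: a DEVC container holding one DVID value. */
const uint8_t sample_ok[20] = { 'D','E','V','C', 0, 1, 0, 12,
                                'D','V','I','D', 'L', 4, 0, 1,  0, 0, 0x10, 0x01 };
/* Same bytes, but the inner repeat count claims 0x4000 samples (64 KiB). */
const uint8_t sample_bad[20] = { 'D','E','V','C', 0, 1, 0, 12,
                                 'D','V','I','D', 'L', 4, 0x40, 0,  0, 0, 0x10, 0x01 };

int main(void)
{
    printf("ok=%d bad=%d truncated=%d\n",
           gpmf_precheck(sample_ok, sizeof sample_ok, 0),
           gpmf_precheck(sample_bad, sizeof sample_bad, 0),
           gpmf_precheck(sample_ok, sizeof sample_ok - 1, 0));
    return 0;
}
```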
Memory Protection
Linux: Enable ASLR (Address Space Layout Randomization) and other memory protection mechanisms to reduce impact.
echo 2 > /proc/sys/kernel/randomize_va_space (Linux)
Enable DEP/ASLR in Windows settings
🧯 If You Can't Patch
- Isolate systems using gpmf-parser from untrusted networks and inputs.
- Monitor for crashes or unusual behavior in applications processing GoPro files.
🔍 How to Verify
Check if Vulnerable:
Check the gpmf-parser version in use. If version is 1.5, it is vulnerable. Use 'strings' or dependency checkers on binaries.
Check Version:
Check library files or application documentation for version info; no universal command.
Verify Fix Applied:
Verify gpmf-parser version is 1.5.1 or later. Test with known malicious GPMF samples to ensure no crashes.
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in application logs
- Unexpected process termination when parsing media files
Network Indicators:
- Unusual file uploads to systems processing GoPro media
- Network traffic containing GPMF metadata to vulnerable parsers
SIEM Query:
Example: 'event_type:crash AND process_name:*gpmf*' or similar based on your SIEM.
🔗 References
- https://blog.inhq.net/posts/gopro-gpmf-parser-vuln-1/
- https://github.com/gopro/gpmf-parser/blob/2cc0af7ffee6f12934e2d57750bdf292f62b0a97/GPMF_parser.c#L1657