Submitted via IRC for TheMightyBuzzard
Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.
"The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," said Omri Herscovici, vulnerability research team leader at Check Point.
The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Researchers also demonstrated that by manipulating the repositories' ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.
Source: https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @05:28PM (8 children)
And bug numbers or CVEs...
(Score: 3, Informative) by EvilSS on Tuesday May 23 2017, @05:45PM (4 children)
Here is the Check Point blog post on it: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ [checkpoint.com]
(Score: 2) by PinkyGigglebrain on Tuesday May 23 2017, @11:45PM (3 children)
Would have been nice if the submitter or editor had mentioned that.
Thank you for providing the information that was lacking. Now I know I need to be mindful of the subtitles I use until VLC posts an update.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 1, Informative) by Anonymous Coward on Wednesday May 24 2017, @11:33AM
- VLC already released an update, Version 2.2.5.1 [videolan.org] but still won't autoupdate.
- Kodi already patched the source [github.com], but no binaries are available.
(Score: 2) by FatPhil on Wednesday May 24 2017, @12:32PM (1 child)
https://github.com/xbmc/xbmc/pull/12023/commits/c659486bc66d64788b8d379b0e898937cfedc749
However, the first thing that comes to mind is that someone could guess an absolute path and simply include one of those in the zip file. Dunno how sane the zip library used is, and whether it protects against that. No need to path traverse somewhere if you can go straight there.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @01:57PM
Yes, the AC upstream already linked the merged ZipManager: skip path traversal pull request 1 hour before your post.
(Score: 1, Informative) by Anonymous Coward on Tuesday May 23 2017, @06:37PM (1 child)
CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313
http://www.eweek.com/security/check-point-discovers-media-subtitle-vulnerability-impacting-millions [eweek.com]
CVE's have not been published yet though
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @11:35AM
Kodi's pull request [github.com] is already public so in practice the cat is out of the bag.
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @08:04PM
If TFA was food it would be celery: so deail-poor you can actually lose intelligence by reading it. What is this, CNN? Fox?
(OMG! Eleventy million people have downloaded VLC! (How many use the so-called malicious subtitles?) Seventeen, but that's not the point! Eleventy million!!!1! Infected text files!)