Stories
Slash Boxes
Comments

SoylentNews is people

Hackers Can Use Subtitles to Take Over Millions of Devices Running VLC, Kodi, Popcorn Time and Strem

posted by Fnord666 on Tuesday May 23 2017, @05:10PM   Printer-friendly
from the targeting-the-hard-of-hearing dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.

"The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," said Omri Herscovici, vulnerability research team leader at Check Point.

The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Researchers also demonstrated that by manipulating the repositories' ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.

Source: https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Hackers Can Use Subtitles to Take Over Millions of Devices Running VLC, Kodi, Popcorn Time and Strem | Log In/Create an Account | Top | 45 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by EvilSS on Tuesday May 23 2017, @05:45PM (4 children)

    by EvilSS (1456) Subscriber Badge on Tuesday May 23 2017, @05:45PM (#514417)
    Check Point hasn't publicly released any details and as far as I can tell there isn't a CVE yet. They are waiting for the various projects and vendors to fix the issue.

    Here is the Check Point blog post on it: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ [checkpoint.com]
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by PinkyGigglebrain on Tuesday May 23 2017, @11:45PM (3 children)

    by PinkyGigglebrain (4458) on Tuesday May 23 2017, @11:45PM (#514586)

    Would have been nice if the submitter or editor had mentioned that.

    Thank you for providing the information that was lacking. Now I know I need to be mindful of the subtitles I use until VLC posts an update.

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."

    • (Score: 1, Informative) by Anonymous Coward on Wednesday May 24 2017, @11:33AM

      by Anonymous Coward on Wednesday May 24 2017, @11:33AM (#514749)

      - VLC already released an update, Version 2.2.5.1 [videolan.org] but still won't autoupdate.
      - Kodi already patched the source [github.com], but no binaries are available.

    • (Score: 2) by FatPhil on Wednesday May 24 2017, @12:32PM (1 child)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday May 24 2017, @12:32PM (#514768) Homepage
      Here's the patch that fixes it, which gives more insight into the technical nature of the attack.
      https://github.com/xbmc/xbmc/pull/12023/commits/c659486bc66d64788b8d379b0e898937cfedc749

      However, the first thing that comes to mind is that someone could guess an absolute path and simply include one of those in the zip file. Dunno how sane the zip library used is, and whether it protects against that. No need to path traverse somewhere if you can go straight there.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves

      • (Score: 0) by Anonymous Coward on Wednesday May 24 2017, @01:57PM

        by Anonymous Coward on Wednesday May 24 2017, @01:57PM (#514806)

        Here's the patch that fixes it,

        Yes, the AC upstream already linked the merged ZipManager: skip path traversal pull request 1 hour before your post.