
Hackers Using Subtitles to Takeover Devices

Discussion in 'BlackHat Lounge' started by Asif WILSON Khan, May 25, 2017.

  1. Asif WILSON Khan

    Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.





    What is it?

    Perpetrators use various methods, also referred to as ‘attack vectors’, to deliver cyberattacks. These attack vectors can be divided into two major categories: Either the attacker persuades the user to visit a malicious website, or he tricks him into running a malicious file on his computer.
    Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.
    Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.





    What is the root cause?

    The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities.



    What’s the effect?

    Scope: The total number of the affected users is in the hundreds of millions. Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well. VLC has over 170 million downloads of its latest version alone, which was released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users each month. No current estimates exist for Popcorn Time usage, but it’s safe to assume that the number is likewise in the millions.

    Damage: By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.



    Which media players are affected?

    To date, we tested and found vulnerabilities in four of the most prominent media players: VLC, Kodi, Popcorn Time and Stremio. We have reason to believe similar vulnerabilities exist in other media players as well. We followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players. Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.

    Platforms Update:



    IPS Signatures:

    • Popcorn Time Subtitles Remote Code Execution
    • Kodi Open Subtitles Addon Remote Code Execution
    • VLC ParseJSS Null Skip Subtitle Remote Code Execution
    • Stremio Subtitles Remote Code Execution


    How can this attack vector spread?

    Delving even further into the subtitle supply chain produced some interesting results. There are a number of shared online repositories, such as OpenSubtitles.org, that index and rank movie subtitles. Some media players download subtitles automatically; these repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction. This vulnerability also affects users who use these rankings to decide which subtitles to download manually.







    Source: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
     
  2. TimelordHarry

    No worries for me.
    I don't watch anything other than English(95%), French(4%), and German(1%).
    I don't need subtitles for that.
     
  3. Nut-Nights

    We need a substitute for computers and laptops. Some kind of alien shit.
     
  4. Repulsor

    Oh, don't be so sure yet ;)

    What if the torrent/source you downloaded from came with an infected subtitle file already? You never know ;)
     
  5. Reaver

    How about a chip implanted in your brain?
     
  6. MisterF

    My tolerance for these scum bags gets lower by the day.
     
  7. Automation247

    There's nothing free these days!
     
  8. Donawoite

  9. bartosimpsonio

    Well the alien shit's probably gonna be a chip embedded in our brains. I'm sticking with the PC for now, at least I can walk away from it.
     
  10. The Doctor

    Security is fun. Was just looking to see if this one has made its way to Metasploit yet but didn't see it.
     
  11. TimelordHarry

    I don't torrent anymore. My ISP sent me a warning a few weeks ago about BitTorrent and I stopped using it. Also, I don't do movies on the torrent so still no worries.
     
  12. pressrelease

    I watch approx. 4-5 movies per week using torrent download, think it's time to go for online streaming or have a separate laptop for all movie stuff.
     
  13. Asif WILSON Khan


    I used to torrent a lot but streaming is pretty good now if you have a fast internet connection.
     
  14. Nut-Nights

    You can implant a chip in my heart with your name on it, if you want.
     
  15. SensualTyrannosaurus

    Like Tony Stark?
     
  16. pressrelease

    I have 20 MB LAN internet, it's pretty good.