Sunday, July 9, 2017

Hacked in Translation – from Subtitles to RCE

Recently, we revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. 
By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. 
We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.


What’s the effect?
Scope: The total number of affected users is in the hundreds of millions. Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well. VLC has over 170 million downloads of its latest version alone, which was released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users each month. No current estimates exist for Popcorn Time usage, but it’s safe to assume that the number is likewise in the millions.
Damage: By conducting attacks through subtitles, hackers can take complete control over any device running these media players. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage is endless, ranging from stealing sensitive information and installing ransomware to mass Denial of Service attacks and much more.

Which media players are affected?

To date, we tested and found vulnerabilities in four of the most prominent media players: VLC, Kodi, Popcorn Time and Stremio. We have reason to believe similar vulnerabilities exist in other media players as well. We followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players. Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.

How can this attack vector spread?
Delving even further into the subtitle supply chain produced some interesting results. There are a number of shared online repositories, such as OpenSubtitles.org, that index and rank movie subtitles. Some media players download subtitles automatically; these repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction. This vulnerability also affects users who use these rankings to decide which subtitles to download manually.
