Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Media Technology

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com) 126

Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.
This discussion has been archived. No new comments can be posted.

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn

Comments Filter:
  • by Anonymous Coward on Wednesday May 24, 2017 @09:05AM (#54476803)

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

    • If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

      True, but don't stop there. Defense is about layers, so ensuring even the functions internally don't trust data coming into them any more than they absolutely have to also makes not only for a great defense strategy but also for very good debugging - the code will become smarter and bugs will be more obvious and easier to catch early; and no, it doesn't have a significant impact on performance.

    • by TWX ( 665546 )

      I donno, little Bobby Tables [youtube.com] figured this out a long time ago.

  • Who didn't freaking use a strnlen on subtitles?!
  • Plain Text (Score:4, Insightful)

    by Gornkleschnitzer ( 4539195 ) on Wednesday May 24, 2017 @09:08AM (#54476823)
    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Wednesday May 24, 2017 @09:17AM (#54476881)
      Comment removed based on user account deletion
      • by H3lldr0p ( 40304 )

        So let me get this right.

        Instead of having a text renderer built into the player and the subtitles just be stored in a file with the appropriate timecodes, the DVD people decided that the best way to go was to slap subtitles in as a transparent image overlay?

        • Re:Plain Text (Score:4, Interesting)

          by Anonymous Coward on Wednesday May 24, 2017 @09:34AM (#54476999)

          I remember when I wanted to get the subtitles off a blu ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.

          Might have something to do with font styles, alphabets and such. Easier to have it per-rendered than text formatting logic in the players.

        • by jedidiah ( 1196 )

          Pretty much.

          Closed captions are a text stream. DVD/BD subtitles are image overlays.

          • Re:Plain Text (Score:5, Informative)

            by Anonymous Coward on Wednesday May 24, 2017 @09:51AM (#54477117)

            Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.

        • There are a lot of languages in the world. Bitmaps ensure that any player can render any character. And it's also the same system that handles overlays on the menu systems, so less code overall too. Players are relatively dumb devices that don't need their own font system, nor do they need to support decoding every character in Unicode.

          Also, where the subtitle is placed on the screen is sometimes important to avoid covering important action on the screen. A cinemascope movie has extra black space at the

        • DVD is pretty old. Rendering the text may have been too computationally expensive at the time.

          • by tuffy ( 10202 )

            Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.

            • by tlhIngan ( 30335 )

              Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.

              Well, yes. Because it's better that way.

              First, you aren't limited to choice of fonts. You have to remember the Blu-Ray standard is over 10 years old by now. The number of characters available in Unicode has increased dramatically - additional languages, emojis, etc.

              Second, you aren't limited t

        • I'm sure it's because of easy control of the display. If you want control over the size, position, color, and style of the subtitles, then storing text is insufficient. You'd need some kind of markup language. Then you risk running into issues where different manufacturers/developers have different implementations of the rendering code, and so different players show the subtitles differently.

          Also, if you want to be able to control the font, you'd either need the whole world and all video players to sta

        • Comment removed based on user account deletion
    • by H3lldr0p ( 40304 )

      Guessing it has something to do with how it synchs up with the video. Also guessing that instead of including timestamps on the text data, it's some sort of interpreted system using xml.

      Splice in some javascript or whatever language the player is using and there you go. A nice side channel hack.

    • by Anonymous Coward

      How else? H1B visa holders.

    • by dafradu ( 868234 )

      There are a couple dozen subtitle formats, some are much more than a simple text and timecode, they look a lot like HTML files.

    • From TFA:

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      But it does not say exactly what is the vulnerability, maybe that is still embargoed.

    • Ask Bobby Tables!

    • by dabadab ( 126782 )

      The "arbitrary code execution" hacks are generally exploiting buffer overflows and the one area that tended to be rather full of overflowable buffers was text processing where people were using "reasonably large" buffers without checking the size of the input (the gets() function of the standard C library was a really shining example).

    • Because the OS is too 'stupid' to protect itself and sandbox user space.

    • by wbr1 ( 2538558 )
      How does one design a text entry field that parses embedded SQL commands?
      • By passing the text data entered into the field into a SQL server for storage or processing, without checking to ensure the server will not interpret it incorrectly.
    • Re:Plain Text (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Wednesday May 24, 2017 @10:04AM (#54477207)

      plain-text subtitle system

      What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.

      The rest, they are made up of various features such as displaying static images, controlling fade, dynamic adjustment of font and colouring to suit things like Karaoke. There are heaps of different subtitle formats to chose from each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well now you have your subtitle system tied to a HTML / CSS processor.

    • by Kjella ( 173770 )

      How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

      Well in terms of the Butter fix linked it would appear they put the subtitles as text into a JS-rendered page. No sanitation = text interpreted as JavaScript run as local code outside any sandbox. The fix is really just this:

      strings = Common.sanitize(strings); // xss-style attacks
      strings = strings.replace(/--\&gt\;/g, '-->'); // restore srt format

      So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And ev

      • So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And even then they'll make a hare-brained fix for that particular code, still leaving the barn door open.

        No! Definitely not true. They will partly close that barn door, blast a brand new bigger hole in the side wall, and add 18 additional locks to make it impossible for any legitimate user to get into the barn.

  • Those subtitles will get you every time.
  • I don't understand. If I create a backup of my DVD and watch it using my Kodi box, how does someone inject malicious code into the subtitles? Oh, you mean this only happens when I acquire questionably legal content from an unknown source? Nevermind then.
  • by ToTheStars ( 4807725 ) on Wednesday May 24, 2017 @09:25AM (#54476937)

    "Zis tabakonist is scratched. I weel not buy eet."

    "My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"

    Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."

  • by bbsguru ( 586178 ) on Wednesday May 24, 2017 @09:42AM (#54477059) Homepage Journal
    "Malicious Subtitles". New? Hardly!

    Did you never watch Mystery Science Theater 3000?

    • Indeed. I never watched Mystery Science Theater 3000.
    • by mrdogi ( 82975 )

      Yup, back when it was only here in The Cities. Great show!

      • Yeah! KTMA channel 23! I remember watching Joel and the bots as a kid. I have since moved on to be firmly in the Mike camp and was onboard with Rifftrax.com within it's first year. I have to say though, I think Joel really made a strong comeback with the new Netflix MST3K, it is really good! Any way you slice it, today is a good day to be an MST3K fan!

  • by __aaclcg7560 ( 824291 ) on Wednesday May 24, 2017 @09:43AM (#54477073)
    Last month I recorded a video of William Shatner telling the story about the biycle [youtube.com] at Silicon Valley Comic Con 2017. I left my external mic at home, so the audio quality wasn't great. I paid $5 to Rev [rev.com] to create the captions and upload directly to my YouTube video. Nice service. I wonder if my videos could get malicious captions that way.
  • ... is not amused [youtube.com].

  • I use Kodi and VLC on Linux desktop boxes. The original publication talks about PC, Android and Smart TVs but I doubt someone can get full access to my machines without my consent with this exploit.
  • ... is full of eels.

  • So it looks like they're simply getting the IP address of the downloader and running VLC client against it. Is there any actual code in the file, or do they simply hope the user is running VLC server without password?

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...