Jump to content
Tuts 4 You

Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution


Recommended Posts

Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution



A proof of concept attack using malicious video subtitle files reveals how adversaries can execute remote code on PCs, Smart TVs and mobile devices using popular video players and services such as VLC Media Player, Kodi, Stremio and Popcorn Time.

Herscovici said each media player Check Point looked at has a unique vulnerability that allows a remote attacker to ultimately execute code and gain control of the targeted system. With the VLC player, researchers were able to take advantage of a memory corruption vulnerability to gain control of a PC. With other media players and streamers, Check Point said it would not disclose the technical details until software updates were deployed to users.

In its proof of concept attack, Check Point says victims are persuaded to visit a malicious website that uses one of the streaming video players, or they are tricked into running a malicious subtitle file on their system that they intentionally downloaded for use with a video.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point in a research blog regarding the attack vector.

Check Point said bad coding of subtitle parsing implementation is at the heart of the vulnerability.

“There are dozens of subtitle formats, from SRT, SUB and GSS – and no standards for parsing. Each one of the players we looked at uses a homegrown version of a subtitle parsing implementation. And each one of them had a remote code execution flaw,” Herscovici said.

In each attack scenario, the malicious subtitle file must be selected to run with the video.

In another attack scenario, a victim plays a video that is pre-programmed to automatically download a subtitle file from an online repository such as OpenSubtitles.org. Researchers say an attacker can upload malicious subtitle files to those repositories and artificially inflate the file’s ranking. Video players are instructed to download the highest ranked subtitle file.

“These repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a man-in-the-middle attack or requiring user interaction,” wrote Check Point researchers.



  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...