Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution

VLC bug

Attackers can remotely execute code on targeted systems via specially crafted subtitle files for videos.

A proof of concept attack using malicious video subtitle files reveals how adversaries can execute remote code on PCs, Smart TVs and mobile devices using popular video players and services such as VLC Media Player, Kodi, Stremio and Popcorn Time.

“This is a brand new attack vector. We haven’t seen this type of attack yet in the wild. But we believe there are upwards of 200 million video players and streamers vulnerable to this type of attack,” said Omri Herscovici, team leader for products research and development at Check Point Software Technologies.

Herscovici said each media player Check Point looked at has a unique vulnerability that allows a remote attacker to ultimately execute code and gain control of the targeted system. With the VLC player, researchers were able to take advantage of a memory corruption vulnerability to gain control of a PC. With other media players and streamers, Check Point said it would not disclose the technical details until software updates were deployed to users.

VLC developers were contacted in April and made aware of four separate vulnerabilities, Herscovici said. Each one of the vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) has been patched.

Check Point is basing the scope of affected users on publicly disclosed numbers provided by vendors. According to VLC, 170 million users have downloaded the player since June 2016. Kodi reports more than 40 million unique users of its video software each month.

In its proof of concept attack, Check Point says victims are persuaded to visit a malicious website that uses one of the streaming video players, or they are tricked into running a malicious subtitle file on their system that they intentionally downloaded for use with a video.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point in a research blog regarding the attack vector.

Check Point said bad coding of subtitle parsing implementation is at the heart of the vulnerability.

“There are dozens of subtitle formats, from SRT, SUB and GSS – and no standards for parsing. Each one of the players we looked at uses a homegrown version of a subtitle parsing implementation. And each one of them had a remote code execution flaw,” Herscovici said.

In each attack scenario, the malicious subtitle file must be selected to run with the video.

In another attack scenario, a victim plays a video that is pre-programmed to automatically download a subtitle file from an online repository such as Researchers say an attacker can upload malicious subtitle files to those repositories and artificially inflate the file’s ranking. Video players are instructed to download the highest ranked subtitle file.

“These repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a man-in-the-middle attack or requiring user interaction,” wrote Check Point researchers.

Suggested articles