
Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users - seycombi
http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
======
ConfucianNardin
Was annoying to find the details.

Looks like PopcornTime was rendering subtitle text as HTML, inside their app
(html/js-based), creating an XSS vector (looking at
[https://github.com/popcorn-official/popcorn-desktop/commit/a...](https://github.com/popcorn-official/popcorn-desktop/commit/a9aa8e16610ee8cb23ba4a6452c5a69bf88d9107),
[https://github.com/butterproject/butter-desktop/pull/602](https://github.com/butterproject/butter-desktop/pull/602)).
Likely the JavaScript runtime they're using allows file access and execution
of arbitrary executables, enabling the Metasploit shell shown in the demo.

For VLC there are a bunch of out of bound reads and heap buffer overflows.

    f2b1f9e subtitle: Fix potential heap buffer overflow
    611398f subtitle: Fix potential heap buffer overflow
    ecd3173 subsdec: Fix potential out of bound read
    62be394 subsdec: Fix potential out of bound read
    775de71 subtitle: Fix invalid double increment.

The article implies that VLC and the others are affected by the same issue
(leading to code execution), but according to available information it seems
to be completely different issues.

The Kodi issue was a zip archive path traversal (i.e. no protection against
zip files extracting files to parent directories).

~~~
easuter
If only VLC had been re-written in Rust this would never have happened. For
shame.

~~~
nradov
Feel free to rewrite VLC in Rust. No one is stopping you.

~~~
usefulcat
Pretty sure that was sarcasm.

------
OneLessThing
I did security research on VLC on Windows a year or two ago. I may be
remembering incorrectly, but last I recall every module was protected by ASLR.
Which means that remote code execution is not likely because there is no
scripting or network comms to dynamically create a valid ROP chain.

I also didn't check for executable heaps at the time but given that all heaps
are non executable (which they really shouldn't be executable in VLC) again I
don't see how RCE is possible. Maybe there is some way to validate and
therefore brute force addresses? I don't know. But there was no VLC POC and
I'm sure they would have made one if they could have.

Use VLC; it's the most secure media player I've seen.

~~~
Animats
_every module was protected by ASLR._

Address space randomization is not "protection". It's a form of security by
obscurity. The odds of an exploit working are reduced, at the expense of more
crashes due to exploit failure.

It helps developers ignore bugs, since they can no longer reproduce them.

~~~
alasdair_
>Address space randomization is not "protection". It's a form of security by
obscurity.

This is somewhat akin to saying "Randomly generated passwords are not
'protection'. They are a form of security by obscurity."

If things are random enough that an attacker is significantly hampered in most
cases, that's one measure of security, no?

~~~
saurik
It is going to vary quite a bit depending on the entropy of the ASLR
implementation. Many have only had 8-12 bits of entropy to start with, and you
sometimes don't need the full address. It is also important to note that
services that crash typically restart, allowing retries (sometimes as many as
you want). In this case, one might imagine trying to attack thousands of
people: some of them will randomly work (and a lot of users are going to see
VLC crash and will retry playing the file a number of times, increasing your
probability).

------
resoluti0n
Kodi 17.2 with the fix for this flaw has now been released:

[https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security...](https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release)

------
kutkloon7
The thing that most amazes me about Popcorn Time is how they find the
subtitles. It seems to succeed even when I can't find subtitles myself.

More related to the article, you would think that subtitles are literally the
easiest file format in existence to safely handle. It's incredibly
well-defined in terms of textual data and times.

~~~
FranOntanaya
> literally the easiest file format in existence to safely handle.

Well, which one of them? There's nearly a hundred different subtitle formats,
and each one has a whole set of variants. Just Timed Text alone (XML) can have
more layouts than one could count, especially since it's meant to be able to
replicate technically all previous industry formats.

~~~
amptorn
> it's meant to be able to replicate technically all previous industry formats

Even the DVD subtitle format, which is just a mostly transparent image
overlaid on the picture? In _XML_?

~~~
FranOntanaya
Yes, in the TTML2 spec [https://www.w3.org/TR/ttml2/#embedded-content-vocabulary-chu...](https://www.w3.org/TR/ttml2/#embedded-content-vocabulary-chunk)

------
_jomo
These are the VLC commits addressing the issue:

[https://github.com/videolan/vlc/search?utf8=%E2%9C%93&q=subt...](https://github.com/videolan/vlc/search?utf8=%E2%9C%93&q=subtitle+OR+subsdec+%22checkpoint.com%22&type=Commits)

~~~
pawadu
Holy crap, that code doesn't look good. I predict we will see more exploits
for this project.

Maybe we should stop random people from contributing to complex C projects?

~~~
jbk
Look at FFmpeg and all the multimedia libraries and you will be horrified.

~~~
pawadu
I thought they cleaned up after the last round of exploits?

~~~
jbk
hahah :)

I wish :)

------
mrmondo
Interestingly, running VLC 2.2.4 on MacOS 10.12 and checking for updates
returns 'VLC 2.2.4 is currently the newest version available.' Obviously I
downloaded 2.2.5.1 from videolan.org, but it's still odd.

~~~
jbk
The update will be deployed today or tomorrow in the updaters.

~~~
zuck9
Is that a default behavior or something you chose to do?

What if there's a bigger security fix you need to push to people asap?

~~~
jbk
It is something that we chose to do.

We usually let between 24 hours and a few days pass before doing an upgrade,
watching for possible regressions.

From tag to release to updates can take only 4 hours, if we want enough
mirrors.

~~~
muterad_murilax
Well, 10 days later and 2.2.4 is still shown as the latest version when trying
to upgrade... :/

------
greggman
AFAICT every plugin to Kodi has full machine access. Subtitles of course you
don't expect to install malware, but I wish plugins ran in a sandbox.

------
pawadu
Slightly related to this: where can I find data sanitizers for common file
formats (PDF, MP3 and so on)?

~~~
chii
what counts as sanitizing? How do you know a file is malicious?

~~~
Piskvorrr
Especially with PDFs, my "sanitization" can be your "stripped away all the
fonts and functionality - might as well have given me a plain .TXT", and vice
versa.

~~~
rsync
"might as well have given me a plain .TXT""

Yes, please - that sounds fantastic.

~~~
Piskvorrr
I agree - but it's 1. surprisingly complicated for a general solution
(positioning and such), and 2. not really a solution for the usual end user
(who might appreciate a JPEG instead).

~~~
Piskvorrr
(btw there's `pdftotext`, which is pretty good in most cases)

------
runeks
Can anyone recommend a video player written in a memory-safe language for OSX
that handles MKV files? Or is the simple truth that the problem lies in the
parsers, which are shipped as a library written in C, because no sane
developer wants to rewrite parsers for 25 different subtitle formats when
writing a video player?

~~~
jbk
There are none. You can use VLC inside VLC sandbox, but you won't get
something perfect.

------
sotojuan
What about mpv? That's my preferred video player.

~~~
m1el
While I too prefer mpv, I suspect that there are plenty of vulns in that
player.

~~~
Filligree
It's written in C, so I imagine that's almost guaranteed. In this case
obscurity helps to protect you, however.

------
sparaker
It would be interesting to see which subtitles are using these vulnerabilities
and what they are achieving with them. We could estimate how long this has
been around.

------
mplewis
This is another reason you should use a tool like a parser generator when you
have to parse untrusted data, rather than writing your own parser by hand.

------
Sujan
Does anyone know if the subtitle hosting services added checks for this as
well?

------
soylentcola
This is interesting to me for reasons outside of anything to do with exploits
or malware. A while back I had a bit of a brain fart while playing with my Hue
bulbs: would there be a way to use the subtitle track for a video to encode
time-controlled data that can be sent to/read by another application that
sends these values to a set of Hue bulbs or similar devices for synchronized
ambient lighting?

I figured that subtitles were an obvious place to start because you can
download them in small files, play them back alongside a video, and they are
designed to be "timed out" to synchronize with a video already.

I looked into it for a bit but never really found a way (within my abilities
at least) to do anything like this from within a .srt file or similar. I'd be
interested in hearing if anyone else has more info on how you might do more
with that "framework" than displaying text on screen.

------
Filligree
Speaking of Popcorn Time, last I heard there were a couple of forks and doubts
about the safety of each and every one.

Is there any more clarity around the situation now?

------
captainmuon
Wow, that is bad. I'm always amazed by such vectors in supposedly passive
formats, like fonts, images, and so on.

There is no excuse that these kinds of applications are not completely
sandboxed. All you need is some kind of DLL: raw data in, raw pixels out. In
the case of hardware accelerated codecs, raw pixels in, surface pointer in,
nothing out. There is no need to be able to access the filesystem, etc. To
render subtitles on top of the video it's the same.

I wish a fraction of the energy we put into DRM would go into sandboxing
instead.

~~~
jbk
Ha, the famous sandboxing remark. I wish it was that simple!

So, let me share some light on the sandboxing for multimedia (I work on VLC).

If you sandbox an application like VLC, in the current way of doing
sandboxing, which we've done for macOS, WinRT/UWP, and snaps, you still need a
lot of permissions.

Namely:

- you need to be able to open files without user interaction (no file
picker), in order to open playlist, MXF or MKV files;

- you need the same if ever you have a database of files (media center
oriented);

- you need raw access to /dev/* to play DVD, CD and other optical disks (and
the equivalent on Windows);

- you need ioctl on such devices, to pass the MMC for DVD/Blu-ray;

- you need raw access to /dev/v4l* for your webcams and be able to control
them;

- you need access to the GPU stack, which is running in kernel-mode, btw, to
output video and get hw acceleration;

- you need access to the audio stack, also in low-level mode;

- you need access to the DSP acceleration (not always the GPU);

- on Linux, you have access to X11 for the 3 above features, which is almost
root;

- you need access to /etc/ (registry) for proxy information, fonts
configuration and accessibility;

- many OpenGL client libraries need access to /etc too;

- you need access to the network, as input and output (think remote control);

- you need access to the system settings to disable screensavers, and adjust
brightness;

- you need access to mounts to be able to see the insertion of
DVD/Blu-ray/USB/SD cards and such;

- you need to expose an IPC (think MPRIS on Linux);

- you need to unzip, untar, decrypt, decipher and so on;

- you need access to the fonts and the fonts configuration (see fontconfig).

And I probably forgot one or another case.

The point is, all those features have good reasons to exist and very good use
cases; but the issue is that for a media player, it will request almost all
permissions except GPS and address book.

And quite a few of them are very close to kernel mode.

So, what is the solution?

Probably do a multi-process media player, like Chrome is doing, with parsers
and demuxers in a different process, and different ones for decoders and
renderers. Knowing that you probably need to IPC several Gb/s between them.

I've been working on such a prototype, but it's a lot of work... I accept
donations :)

~~~
jbverschoor
You actually don't _NEED_ a lot of these things. I'm perfectly fine with a
default / embedded font. I don't have an optical drive. A database can be in
the local app storage. I'm fine opening a subtitle file myself. Why would I
need IPC? Why would I need to unzip anything? If it's subtitle files, it can
be done in-memory. Are you sure we need low-level audio?

I don't have a remote, so I'd like it to be disabled by default. I don't need
any access to the network.

etc. etc. etc

~~~
stordoff
Those restrictions work for you, but would make VLC borderline useless for me.

> I don't need any access to the network.

90+% of what I use it for comes from my NAS or the Internet.

> I don't have an optical drive

Most of the rest is from optical discs.

> I'm perfectly fine with a default / embedded font. [...] I'm fine opening a
> subtitle file myself.

It's _fine_ but far from ideal. Both are useful quality of life features.

> Why would I need to unzip anything?

Non-essential, but being able to play video from a ZIP is a useful feature.

------
adynatos
If Popcorn Time renders all subtitles as HTML, would an exploit work if the
subtitles were embedded in video container? Seed latest hit on Pirate Bay,
root a lot of boxes. Yikes.

------
lanius
Is Media Player Classic affected?

~~~
buttcoinslol
Not according to this bug report: [https://trac.mpc-hc.org/ticket/6169](https://trac.mpc-hc.org/ticket/6169)

------
yq
Here is how it looks in real time:

[https://www.youtube.com/watch?v=vYT_EGty_6A](https://www.youtube.com/watch?v=vYT_EGty_6A)

------
Sujan
Does this also work for Android versions of Kodi et al?

~~~
etix
Android does have a sandbox, so impact should be pretty limited if ever
exploitable.

------
nto
Does this work on Linux and Mac OS? Or is it limited to Windows systems?

~~~
gpvos
I can't say for these vulns specifically, but in general, if software is
vulnerable on one OS, it is very likely also vulnerable on other OSs. The
differences aren't that big. Exploits generally have to be written for each OS
separately, though.

------
alexvay
It's sad that VLC checks updates over HTTP and HTTPS

~~~
jbk
VLC updates are signed with asymmetric encryption.

HTTP or HTTPS does not change that.

~~~
sslalready
HTTPS would increase user privacy by not leaking application details though.

~~~
jbk
Indeed, but that's not what GP is referring to.

------
jwilk
What does the "IPS Signatures" section mean?

------
theGimp
This is the sourced post [http://blog.checkpoint.com/2017/05/23/hacked-in-
translation/](http://blog.checkpoint.com/2017/05/23/hacked-in-translation/)

The ingenuity that goes into RCE exploits never ceases to amaze (and terrify)
me. Can't wait for more details to be released.

------
lloydjatkinson
Hollywood is resorting to shitty tactics

~~~
jessaustin
I would be impressed if this were actually "Hollywood". It's better than e.g.
the RIAA lawsuits.

------
thresh
Clearly VLC should be rewritten in Rust.

~~~
pjmlp
Looking at the bug fixes done in VLC, Ada or Modula-2 would be enough,
although there are plenty of options actually.

Rust isn't the only alternative to write native code safer than C will ever
allow.

~~~
viraptor
Don't know about Modula, but have you tried Ada? The usability of it is
nowhere near modern languages IMO. We learned a lot about nice code since then
:-)

~~~
DenisM
Modula-2 is much like C in its close-to-the-metal performance abilities.

On the downside, if you want to call it that, there is a more prominent syntax
(keywords instead of curlies, upper-case keywords, etc.).

On the upside it lacks any unsafe operations, except for dealloc. In addition,
it has actual modules in lieu of includes, hence it's blazingly fast to
compile and/or recompile. It's a pity it didn't catch on; the language lacked
a company to back and promote it. AT&T promoted C, Apple promoted Objective C,
Microsoft promoted VB...

~~~
pjmlp
> Apple promoted Objective C

Actually Apple promoted Object Pascal, but then they decided to cater to the
growing UNIX market and replaced the Mac OS SDK with C and C++ (PowerPlant)
one.

[https://en.wikipedia.org/wiki/MacApp](https://en.wikipedia.org/wiki/MacApp)

------
ackfoo
Treat data as data. Taking the Subrip format as an example, everything starts
out fine so long as there is good bounds checking on the purely textual data.

Then, however, some dipshit decides to extend the format by adding tags for
things like bold, italics, underline etc. This is completely unnecessary for
subtitles because the emphasis can be inferred from the dialogue. The
unnecessary complexity increases the potential for vulnerabilities.

Then some total dickhead decides to add an HTML5 tag, for no reason
whatsoever, and it all goes to hell.

This is illustrative of the problem with most software: the absence of a
clear-headed benevolent dictator to say, "no; you are an idiot; we're not
doing that."

~~~
cbr
> This is completely unnecessary for subtitles because
> the emphasis can be inferred from the dialogue.

Seems useful for deaf people

~~~
emodendroket
It also seems like you could use it for applications like karaoke.

------
grahams
These exploits will go nowhere without a catchy name à la HEARTBLEED...

I vote for SUB-DURAL HEMATOMA

------
pawadu
> The attack vector relies heavily on the poor state of security in the way
> various media players process subtitle files and the large number of
> subtitle formats.

Well, last year's exploits against iOS, Android and Ubuntu were all related to
media metadata processing. It is only natural that the same folks screw up
this one too.

~~~
oblio
What same folks? iOS, Android and Ubuntu are not developed by the same people.
More than that, it's not like these apps are actually developed by Apple,
Google or Canonical.

Plus you're dissing some very complex projects. I think you're underestimating
the complexity of the work these "same folks" are doing.

