Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com)

Posted by msmash on from the security-woes dept.

Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.

71 of 126 comments (clear)

  1. Always verify user input and external data by Anonymous Coward · · Score: 3, Insightful

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

    1. Re:Always verify user input and external data by TemporalBeing · · Score: 1

      If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

      True, but don't stop there. Defense is about layers, so ensuring even the functions internally don't trust data coming into them any more than they absolutely have to also makes not only for a great defense strategy but also for very good debugging - the code will become smarter and bugs will be more obvious and easier to catch early; and no, it doesn't have a significant impact on performance.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    2. Re:Always verify user input and external data by TWX · · Score: 1

      I donno, little Bobby Tables figured this out a long time ago.

      --
      Do not look into laser with remaining eye.
    3. Re:Always verify user input and external data by TWX · · Score: 2

      Dammit, wrong URL.

      Should've been to XKCD https://xkcd.com/327/

      Guess I should check my buffers before pasting and submitting stuff.

      --
      Do not look into laser with remaining eye.
    4. Re:Always verify user input and external data by PoopMonkey · · Score: 1

      At least you didn't share a link to some sort of crazy porn.

    5. Re:Always verify user input and external data by TWX · · Score: 1

      Are people generally in the habit of copying links to porn? That seems like a particularly terrible idea.

      --
      Do not look into laser with remaining eye.
  2. Muh Anime!!! by the_skywise · · Score: 1

    Who didn't freaking use a strnlen on subtitles?!

  3. Plain Text by Gornkleschnitzer · · Score: 4, Insightful

    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

    1. Re:Plain Text by squiggleslash · · Score: 4, Informative

      Not that it changes your question much, but I think a significant number of subtitle systems (I know DVD does this for one) are based on low depth bitmaps, not text. That said, that makes it harder to understand why they'd be so easy to code badly, given bitmaps have an easily calculated maximum size.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Plain Text by H3lldr0p · · Score: 1

      Guessing it has something to do with how it synchs up with the video. Also guessing that instead of including timestamps on the text data, it's some sort of interpreted system using xml.

      Splice in some javascript or whatever language the player is using and there you go. A nice side channel hack.

    3. Re:Plain Text by Anonymous Coward · · Score: 1

      How else? H1B visa holders.

    4. Re:Plain Text by dafradu · · Score: 1

      There are a couple dozen subtitle formats, some are much more than a simple text and timecode, they look a lot like HTML files.

    5. Re:Plain Text by buchner.johannes · · Score: 2

      From TFA:

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      But it does not say exactly what is the vulnerability, maybe that is still embargoed.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:Plain Text by H3lldr0p · · Score: 1

      So let me get this right.

      Instead of having a text renderer built into the player and the subtitles just be stored in a file with the appropriate timecodes, the DVD people decided that the best way to go was to slap subtitles in as a transparent image overlay?

    7. Re:Plain Text by Anonymous Coward · · Score: 4, Interesting

      I remember when I wanted to get the subtitles off a blu ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.

      Might have something to do with font styles, alphabets and such. Easier to have it per-rendered than text formatting logic in the players.

    8. Re:Plain Text by Existential+Wombat · · Score: 2

      Ask Bobby Tables!

    9. Re:Plain Text by jedidiah · · Score: 2

      Pretty much.

      Closed captions are a text stream. DVD/BD subtitles are image overlays.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    10. Re:Plain Text by Merk42 · · Score: 4, Funny

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      25?! Ridiculous!
      We need to develop one universal standard that covers everyone's use cases.

    11. Re:Plain Text by dabadab · · Score: 1

      The "arbitrary code execution" hacks are generally exploiting buffer overflows and the one area that tended to be rather full of overflowable buffers was text processing where people were using "reasonably large" buffers without checking the size of the input (the gets() function of the standard C library was a really shining example).

      --
      Real life is overrated.
    12. Re:Plain Text by fustakrakich · · Score: 1

      Because the OS is too 'stupid' to protect itself and sandbox user space.

      --
      “He’s not deformed, he’s just drunk!”
    13. Re:Plain Text by Anonymous Coward · · Score: 5, Informative

      Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.

    14. Re:Plain Text by wbr1 · · Score: 1

      How does one design a text entry field that parses embedded SQL commands?

      --
      Silence is a state of mime.
    15. Re:Plain Text by thegarbz · · Score: 4, Insightful

      plain-text subtitle system

      What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.

      The rest, they are made up of various features such as displaying static images, controlling fade, dynamic adjustment of font and colouring to suit things like Karaoke. There are heaps of different subtitle formats to chose from each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well now you have your subtitle system tied to a HTML / CSS processor.

    16. Re:Plain Text by Kjella · · Score: 1

      How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

      Well in terms of the Butter fix linked it would appear they put the subtitles as text into a JS-rendered page. No sanitation = text interpreted as JavaScript run as local code outside any sandbox. The fix is really just this:

      strings = Common.sanitize(strings); // xss-style attacks
      strings = strings.replace(/--\&gt\;/g, '-->'); // restore srt format

      So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And even then they'll make a hare-brained fix for that particular code, still leaving the barn door open.

      --
      Live today, because you never know what tomorrow brings
    17. Re:Plain Text by omnichad · · Score: 2

      There are a lot of languages in the world. Bitmaps ensure that any player can render any character. And it's also the same system that handles overlays on the menu systems, so less code overall too. Players are relatively dumb devices that don't need their own font system, nor do they need to support decoding every character in Unicode.

      Also, where the subtitle is placed on the screen is sometimes important to avoid covering important action on the screen. A cinemascope movie has extra black space at the bottom of the 16:9 image and you can set position there. These can be done with text-based coordinates, but it's a matter of convenience.

    18. Re:Plain Text by Gornkleschnitzer · · Score: 1

      Correct. The question is, how does one permit an overflow in a situation where the data should be so simple?

      On the other hand, comments after my own are implying that subtitles are more complicated than plain text. Back to square one.

    19. Re:Plain Text by Plus1Entropy · · Score: 1

      DVD is pretty old. Rendering the text may have been too computationally expensive at the time.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    20. Re:Plain Text by 140Mandak262Jamuna · · Score: 1

      So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And even then they'll make a hare-brained fix for that particular code, still leaving the barn door open.

      No! Definitely not true. They will partly close that barn door, blast a brand new bigger hole in the side wall, and add 18 additional locks to make it impossible for any legitimate user to get into the barn.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    21. Re:Plain Text by Gornkleschnitzer · · Score: 1

      By passing the text data entered into the field into a SQL server for storage or processing, without checking to ensure the server will not interpret it incorrectly.

    22. Re:Plain Text by tuffy · · Score: 1

      Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.

      --

      Ita erat quando hic adveni.

    23. Re:Plain Text by itamihn · · Score: 1, Funny

      https://xkcd.com/927/

    24. Re:Plain Text by Merk42 · · Score: 2

      Yes, that is the comic I literally quoted, good job.

    25. Re:Plain Text by tlhIngan · · Score: 1

      Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.

      Well, yes. Because it's better that way.

      First, you aren't limited to choice of fonts. You have to remember the Blu-Ray standard is over 10 years old by now. The number of characters available in Unicode has increased dramatically - additional languages, emojis, etc.

      Second, you aren't limited to a choice of fonts. This time, we're talking actual fonts themselves. There's font shapes, font styles, sizes, etc. And special characters - sometimes they use a special style when there's a song playing, for example.

      About the only way to ensure that future discs can be played back on the oldest standard players, you pretty much need to use rendered down images for the subtitles - everything changes too quickly. Even today visit the wrong web page on the wrong OS and instead of seeing text, you get squares as the font is missing Unicode codepoints.

      Heck, I'm sure someone has found a creative use for subtitle overlay images in some custom project or another

    26. Re:Plain Text by nine-times · · Score: 1

      I'm sure it's because of easy control of the display. If you want control over the size, position, color, and style of the subtitles, then storing text is insufficient. You'd need some kind of markup language. Then you risk running into issues where different manufacturers/developers have different implementations of the rendering code, and so different players show the subtitles differently.

      Also, if you want to be able to control the font, you'd either need the whole world and all video players to standardize on a certain set of fonts, or you'd need to embed fonts in the movie file. Doing that is more complex both from a technical and a licensing standpoint, as opposed to just distributing pre-rendered images.

      Having a rendering engine capable of parsing the markup language and rendering arbitrary fonts creates a system much more complex than rendering a simple bitmap. You have increased risk of bugs. If you're thinking is terms of physical media, you don't want there to be bugs in your DVD or DVD player, neither of which generally gets updates.

    27. Re:Plain Text by squiggleslash · · Score: 1

      More or less yes. Having a text renderer introduces its own complications, including predictable font sizes and fonts that can render every character used by every language in the world. Back in 1996, when DVD was standardized, that was a tall order. Some would say it still is.

      Using bitmaps is also more flexible, in theory you can use the subtitle feature to add optional graphics instead of just text.

      And given you're talking about a low depth (compressible? I think it's compressed) bitmap that changes once every few seconds, it's not as if there's a lot of overhead in the technique. The main stream already includes at least one 384kbps audio stream, plus an MPEG-2 video stream weighing in at anything from 2-5Mbps. A single 704x480 two color bitmap weighs in at 42k, or about 330 kilobits. One of those every 5 seconds is almost a trace amount of bandwidth.

      --
      You are not alone. This is not normal. None of this is normal.
    28. Re:Plain Text by Hognoxious · · Score: 1

      And all the emojis. yet another reason why unicode is a crock of shit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    29. Re:Plain Text by steveg · · Score: 1

      According to a post by a site admin at opensubtitles.org, the problem was in the filenames of the subtitle file, and special character in those names. Apparently some media players weren't careful in how they parsed the names.

      --
      Ignorance killed the cat. Curiosity was framed.
  4. Hacking: A Beginner's Guid^k^s^#8#94873&^& by olsmeister · · Score: 2

    Those subtitles will get you every time.

  5. Re:How to avoid these vulnerabilities by war4peace · · Score: 4, Interesting

    What does this have to do with anything?
    I have bought a number of movies during the years, most of which did not have a readily-available Romanian subtitle at release. My wife doesn't speak English but understands it to some extent, the threshold being thick accents. Try to watch "Snatch" without subtitles, even in English, and you'll understand. "Doo ya leik dags?"

    I have a bunch of movies on DVDs which I can enjoy but she can't, so I either rip them to HDD or download the same movie online, then attach a subtitle to it. Now we can both enjoy the movie at its fullest.

    What I am doing is not piracy by any means, it's an extension of already existing features which I legally own the right to use.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  6. Kodi has already patched this hole by CeasedCaring · · Score: 2

    See https://kodi.tv/article/kodi-v...

  7. Look out for those bootleg Hungarian dubs! by ToTheStars · · Score: 5, Funny

    "Zis tabakonist is scratched. I weel not buy eet."

    "My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"

    Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."

    1. Re:Look out for those bootleg Hungarian dubs! by Gornkleschnitzer · · Score: 1

      "... Ja! Beihrund das Oder die flippervaldt gersput!" ....and now I'm a murderer, I guess.

  8. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 5, Insightful

    If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.

    You are quite wrong, on all accounts.

    I download spanish subtitles for movies we've legally purchase all the time, because they did not come with those subtitles. So, you are wrong about legal purchases negating the need for these subtitles.

    I've also gotten computer viruses from legally purchased and authentic software. Got one from a game I bought at Gamestop, back when games came on floppies. Anti-virus caught it as soon as the disk went into the drive. So, you are wrong about legal purchases keeping you safe.

    Remember Sony's root kit debacle? Sometimes you're not safe from the corporation you're buying from.

    --
    My karma is in a nose dive
  9. Re:How to avoid these vulnerabilities by jedidiah · · Score: 1

    The only reason I would ever need a 3rd party sub file is if the original publisher was too cheap to include one or too incompetent to include a good one.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  10. Re:Duh. by jedidiah · · Score: 1

    It's a user controlled format that allows for the preservation of works that even the publisher wants suppressed. There are a number of things that simply aren't available from streaming services. Some publishers/services like to "expire" things or "put them in the vault".

    A user controlled format avoids any of that.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  11. Nothing new here by bbsguru · · Score: 2
    "Malicious Subtitles". New? Hardly!

    Did you never watch Mystery Science Theater 3000?

    1. Re:Nothing new here by freeze128 · · Score: 1

      Indeed. I never watched Mystery Science Theater 3000.

    2. Re:Nothing new here by mrdogi · · Score: 1

      Yup, back when it was only here in The Cities. Great show!

    3. Re:Nothing new here by The-Ixian · · Score: 1

      Yeah! KTMA channel 23! I remember watching Joel and the bots as a kid. I have since moved on to be firmly in the Mike camp and was onboard with Rifftrax.com within it's first year. I have to say though, I think Joel really made a strong comeback with the new Netflix MST3K, it is really good! Any way you slice it, today is a good day to be an MST3K fan!

      --
      My eyes reflect the stars and a smile lights up my face.
  12. Does this apply to third-party vendors... by __aaclcg7560 · · Score: 2

    Last month I recorded a video of William Shatner telling the story about the biycle at Silicon Valley Comic Con 2017. I left my external mic at home, so the audio quality wasn't great. I paid $5 to Rev to create the captions and upload directly to my YouTube video. Nice service. I wonder if my videos could get malicious captions that way.

  13. Re:How to avoid these vulnerabilities by fustakrakich · · Score: 1

    If you refrain from piracy, you will be safe.

    Yes, you are so right!

    Oh wait... Poe's law, right?

    --
    “He’s not deformed, he’s just drunk!”
  14. Re: USING COMMON (Open) SOURCE IS FRAUGHT WITH PER by darth+dickinson · · Score: 1

    I think it's a stretch to say that every user of Linux is reviewing the kernel source. I know that I use it regularly and I'm not a coder, just a networking geek. I *have* the source, but other than a very high-level understanding of what it purports to do, I really have no idea what the code actually does.

  15. And Hitler ... by PPH · · Score: 1

    ... is not amused.

    --
    Have gnu, will travel.
  16. Re:How to avoid these vulnerabilities by interkin3tic · · Score: 2

    AC is being sarcastic. For the willfully ignorant/forgetful out there

    You're
    still
    not
    safe.

  17. Re:How to avoid these vulnerabilities by wbr1 · · Score: 1

    Playing devils advocate here, but - you are supposed to wait for a region locked spanish version to b e released. No one knows when or for how long it will be available for any given title, and you have to pay again for the privilege.

    --
    Silence is a state of mime.
  18. Re:How to avoid these vulnerabilities by Sigma+7 · · Score: 2

    If you refrain from piracy, you will be safe.

    If you refrained from piracy, your Commodore 64's drive would need repair much more frequently because an anti-piracy measure involves reading "bad" sectors and causing the hard drive to knock at sector 0 (and thus misalign the head.)

    If you refrain from piracy, you get a free rootkit while you play games such as Street Fighter V.

    If you refrain from piracy in the future... well, I'm uncertain what will happen on the technical side, but you won't be able to purchase Alan Wake if you missed the recent fire sale.

    I'm not advocating piracy, but the current situation is that anti-piracy mechanisms don't exactly respect the customer, or those that want to buy the products.

  19. Linux by zakzor · · Score: 1

    I use Kodi and VLC on Linux desktop boxes. The original publication talks about PC, Android and Smart TVs but I doubt someone can get full access to my machines without my consent with this exploit.

  20. Re: subtitle lulz by Anonymous Coward · · Score: 2, Insightful

    And, if you ever lose your hearing, as I did in the US Navy, you'll find subtitles to be a necessity. I hope you're not claustrophobic, you'd go crazy in that closed little mind of yours.

  21. my hovercraft by ooloorie · · Score: 1

    ... is full of eels.

  22. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 2

    Mexico is region one. I'm in the US, in a household of all US citizens, but a household of majority spanish speakers. So, only region one media and players are available to us.

    --
    My karma is in a nose dive
  23. Re:subtitle lulz by itamihn · · Score: 2

    As a non-native English speaker, the subtitles, whereas not really necessary, do come in handy.

  24. Re:How to avoid these vulnerabilities by ColdWetDog · · Score: 1

    So it sounds like you are likely to need a third party sub file.

    --
    Faster! Faster! Faster would be better!
  25. Re:How to avoid these vulnerabilities by dosius · · Score: 1

    I thought Mexico was region 4, like Brazil. o.o;

    -uso.

    --
    What you hear in the ear, preach from the rooftop Matthew 10.27b
  26. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

    Don't break the law by pirating content and software.

    There's nothing illegal about downloading subtitles for a movie.

  27. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

    Doo ya leik dags

    To be fair, the immediate line following this one is: "Oh you mean dogs!"

    It's kind of like in the Assassins Creed movies in one of the scenes it all sounds a bit like gibberish, but if you turn on subtitles you're greeted with the wonderful subtitle: (man speaking Spanish backwards) as if that was at all relevant.

    But yes I do understand what you mean. I also watch native movies with subtitles because reading cuts through accents.

  28. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

    you are supposed to wait for a region locked spanish version to b e released

    What region? Blurays Region A covers all of North and South America. Is every product in the USA supposed to have a Spanish subtitle?

  29. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

    There's only 3 regions if you're not buy 20 year old obsolete media.

    Brazil is also Region 1 on Bluray. All American continents are.

  30. Re:How to avoid these vulnerabilities by Nethead · · Score: 1

    I use to make some nice coin re-aligning 1541 drives since I had an o-scope to find the cat's eye.

    --
    -- I have a private email server in my basement.
  31. Comment/Question by neurosine · · Score: 1

    So it looks like they're simply getting the IP address of the downloader and running VLC client against it. Is there any actual code in the file, or do they simply hope the user is running VLC server without password?

  32. Re:How to avoid these vulnerabilities by peawormsworth · · Score: 1

    war4peace, you can mitigate issues by running Kodi on a Raspberry Pi. They cost about $100, but can run as an independent media server right next to your TV. They include wifi so cabling will not be an issue. This will isolate security problems from your laptop or PC that you may be using now. So infections will not effect your personal computer documents.

    You can also set your router to isolate your raspberry Pi to a separate network from the one you use for computers, laptops and phones. This way a complete infection of your pi due to poor Kodi security will not effect any of your personal devices or monitor your network traffic.

    The pi runs on SD cards with no hard drive, so if the system is compromised, you can simply wipe the SD card and reinstall. The process takes about 1 hour.

    disclaimer: I am not a raspberry pi seller, but I am a big time buyer.

  33. Re:How to avoid these vulnerabilities by war4peace · · Score: 1

    Is it capable of transcoding 4K bluray-quality H.265 to 1080p without stuttering? I'm yet to find a non-PC device capable of doing so. The Thecus N5810 came close (1080p only though) but no cigar.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)