Topic: subtitle malware (Read 3693 times)

drsea · « **on:** May 23, 2017, 03:54:20 pm »

have read recently that many media center programs have been hit by malware which executes code from downloaded .srt files.

Is there any way that JRiver media center could fall prey to such malicious code?

exploit overview is presented here:
http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

I don't have details of how the exploit is carried out, they were not provided, but there was a list of several common media players with the vulnerability, and information that they have been patched.
Thanks!
-rc-

Al ex · « **Reply #1 on:** May 23, 2017, 04:13:10 pm »

Not so good news. I thought these .set files are more or less simple text files.

JohnT · « **Reply #2 on:** May 24, 2017, 01:05:30 pm »

We did some checking and don't think Media Center is vulnerable to this attack. The Checkpoint blog post alluded to potential threats if the subtitle parsing code used by a media player had exploitable bugs. We've looked at our code and don't see anything obvious like a buffer overrun bug. The Kodi player team made a fix that involved thwarting a possible "path traversal" type attack when the program unzips a downloaded subtitle file. This is where a malicious zip file might contain files with paths that purposely overwrite system files and replace them with ones containing the hacker's malicious code. When we grab subtitles from OpenSubtitles.org, we don't unzip directly to a file but instead read the uncompressed data on the fly, so MC isn't vulnerable to that attack either.

JimH · « **Reply #3 on:** May 24, 2017, 01:22:48 pm »

Thanks for reporting it.

Al ex · « **Reply #4 on:** May 24, 2017, 02:18:29 pm »

Quote from: JohnT on May 24, 2017, 01:05:30 pm

We did some checking and don't think Media Center is vulnerable to this attack. The Checkpoint blog post alluded to potential threats if the subtitle parsing code used by a media player had exploitable bugs. We've looked at our code and don't see anything obvious like a buffer overrun bug. The Kodi player team made a fix that involved thwarting a possible "path traversal" type attack when the program unzips a downloaded subtitle file. This is where a malicious zip file might contain files with paths that purposely overwrite system files and replace them with ones containing the hacker's malicious code. When we grab subtitles from OpenSubtitles.org, we don't unzip directly to a file but instead read the uncompressed data on the fly, so MC isn't vulnerable to that attack either.

Thanks for looking into it, glad to hear...

drsea · « **Reply #5 on:** May 24, 2017, 10:08:36 pm »

I appreciate the response. I download my own subtitle files, usually in .srt format, but saw that the Kodi example of the exploit occured with a user downloaded file, which worried me. I usually don't parse the code of the downloaded file except to see that the subtitles are in sync and appropriate.

I am pleased that you are attentive to the details discussed in the forum, and that there does not appear to be any vulnerability.

thanks again.
-rc-

audioriver · « **Reply #6 on:** May 25, 2017, 08:24:26 am »

Thanks for looking into this. Hope the situation doesn't get out of hand, with increasingly dangerous subtitle files etc.

Von · « **Reply #7 on:** May 25, 2017, 05:32:01 pm »

Could this be why Rising Antivirus according to VirusTotal.com gives the following result?

Malware.Heuristic!ET#95% (cloud:vYPtTPTFdzU)

INTERACT FORUM

Author Topic: subtitle malware (Read 3693 times)

drsea

subtitle malware

Al ex

Re: subtitle malware

JohnT

Re: subtitle malware

JimH

Re: subtitle malware

Al ex

Re: subtitle malware

drsea

Re: subtitle malware

audioriver

Re: subtitle malware

Von

Re: subtitle malware