INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: subtitle malware  (Read 3695 times)

drsea

  • Member
  • *
  • Posts: 2
subtitle malware
« on: May 23, 2017, 03:54:20 pm »

have read recently that many media center programs have been hit by malware which executes code from downloaded .srt files.

Is there any way that JRiver media center could fall prey to such malicious code?

exploit overview is presented here:
http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

I don't have details of how the exploit is carried out, they were not provided, but there was a list of several common media players with the vulnerability, and information that they have been patched.
Thanks!
-rc-
Logged

Al ex

  • Citizen of the Universe
  • *****
  • Posts: 551
Re: subtitle malware
« Reply #1 on: May 23, 2017, 04:13:10 pm »

Not so good news. I thought these .set files are more or less simple text files.
Logged

JohnT

  • Citizen of the Universe
  • *****
  • Posts: 4627
Re: subtitle malware
« Reply #2 on: May 24, 2017, 01:05:30 pm »

We did some checking and don't think Media Center is vulnerable to this attack.  The Checkpoint blog post alluded to potential threats if the subtitle parsing code used by a media player had exploitable bugs.  We've looked at our code and don't see anything obvious like a buffer overrun bug.  The Kodi player team made a fix that involved thwarting a possible "path traversal" type attack when the program unzips a downloaded subtitle file.  This is where a malicious zip file might contain files with paths that purposely overwrite system files and replace them with ones containing the hacker's malicious code.  When we grab subtitles from OpenSubtitles.org, we don't unzip directly to a file but instead read the uncompressed data on the fly, so MC isn't vulnerable to that attack either.
Logged
John Thompson, JRiver Media Center

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72438
  • Where did I put my teeth?
Re: subtitle malware
« Reply #3 on: May 24, 2017, 01:22:48 pm »

Thanks for reporting it.
Logged

Al ex

  • Citizen of the Universe
  • *****
  • Posts: 551
Re: subtitle malware
« Reply #4 on: May 24, 2017, 02:18:29 pm »

We did some checking and don't think Media Center is vulnerable to this attack.  The Checkpoint blog post alluded to potential threats if the subtitle parsing code used by a media player had exploitable bugs.  We've looked at our code and don't see anything obvious like a buffer overrun bug.  The Kodi player team made a fix that involved thwarting a possible "path traversal" type attack when the program unzips a downloaded subtitle file.  This is where a malicious zip file might contain files with paths that purposely overwrite system files and replace them with ones containing the hacker's malicious code.  When we grab subtitles from OpenSubtitles.org, we don't unzip directly to a file but instead read the uncompressed data on the fly, so MC isn't vulnerable to that attack either.

Thanks for looking into it, glad to hear...
Logged

drsea

  • Member
  • *
  • Posts: 2
Re: subtitle malware
« Reply #5 on: May 24, 2017, 10:08:36 pm »

I appreciate the response.  I download my own subtitle files, usually in .srt format, but saw that the Kodi example of the exploit occured with a user downloaded file, which worried me.  I usually don't parse the code of the downloaded file except to see that the subtitles are in sync and appropriate. 

I am pleased that you are attentive to the details discussed in the forum, and that there does not appear to be any vulnerability.

thanks again.
-rc-


Logged

audioriver

  • Citizen of the Universe
  • *****
  • Posts: 514
Re: subtitle malware
« Reply #6 on: May 25, 2017, 08:24:26 am »

Thanks for looking into this. Hope the situation doesn't get out of hand, with increasingly dangerous subtitle files etc.
Logged
Windows 10 Pro x64

Von

  • Regular Member
  • World Citizen
  • ***
  • Posts: 175
  • nothing more to say...
Re: subtitle malware
« Reply #7 on: May 25, 2017, 05:32:01 pm »

Could this be why Rising Antivirus according to VirusTotal.com gives the following result?

Malware.Heuristic!ET#95% (cloud:vYPtTPTFdzU)

Logged
Pages: [1]   Go Up