
Beware! Subtitle Files Can Hack Your Computer While You're


Thread replies: 55
Thread images: 4

Be reminded that your chink cartoons can haxxor you into kingdom come.

https://thehackernews.com/2017/05/movie-subtitles-malware.html
>>
>>60555540
This is why you don't overcomplicate stuff.

A subtitle needs three pieces of information. A timecode, the text, and an optional position. That is literally it.
>>
>>60555561
Colour and font are important too
>>
>>60555574
Ehhhhh
>>
>>60555574
>THE TEXT!
>>
>>60555574
Some hardworking teams that work on creating subtitles for 2D animation try their best to overlay translated text in the exact position where they appear on the screen as they move.
>>
>>60555574
this should be part of the media player, not included in the file
>>
>>60555540
>Just watched some anime with subs
I downloaded the series a few months ago
Am I safe?
>>
>>60555726
Yes. The fact that this was discovered just now means that it has probably existed since the ability to parse subtitle files with advanced features came into being.
>>
>>60555738
>>60555711

Err. I mean no.
>>
>>60555738
>>60555748
How do I scan for something like this?
>>
>>60555753
You can't yet. This was disclosed 5 hours ago.
>>
>>60555561
And then someone fucks up the parser or makes the rendering too intelligent or whatever anyhow.

Same as with SQL injections and everything else.

>>60555753
You don't. You use players that patched whatever vulnerability there was.
>>
>>60555540
I wonder who could be behind all this?
>>
>>60555767

How the hell do you fuck up a parser of .srt? It's stupid af (https://matroska.org/technical/specs/subtitles/srt.html)
>>
>>60555574
Not according to Funimation.
>>
>>60555540
what possible exploit could exist in a srt parser??
>>
>>60555561
B-but my snowflake subs!

>>60555574
Good thing users can adjust them to their preference then. Personally, I like yellow Franklin Gothic prosubs.
>>
>>60555540
>VLC — Popular VideoLAN Media Player
>Kodi (XBMC) — Open-Source Media Software
>Popcorn Time — Software to watch Movies and TV shows instantly
>Stremio — Video Streaming App for Videos, Movies, TV series and TV channels

Just use MPC-HC
>>
>tfw I have VLC 2.2.5 so I'm already protected
>>
>>60557305
They can introduce shitty subs into your video player.

It's almost as bad as having to hear English in anime, but imagine that horror for your eyes.
>>
>>60555540
>VLC
We told you not to use it.
>>
i either watch livestreams or raws though
>>
>>60555561
It's not the subtitle file itself that's the vector. Try reading next time, retard.
>>
>>60555540
Be reminded that this is an AD by some lame "security" company
>>
>the vulnerability is in parsing .srt subs
Those are the most basic of all subtitles! Literally just a time stamp and the subtitle string per line. How do you fuck this up?

I am pretty sure I know what it is doing. They found that the players don't handle the text strings in a safe way and it must just launch a background RPC call to the attacker computer. Basically the applications were probably ASSUMING the subtitle text was safe and did no checking on it. Basic sanitation 101 people.
>>
What kind of shitty media player are you using that has exploits that would allow subtitles to "hack" your computer?
>>
>>60559066
VLC.
>>
>>60555540
>mpv not on list
Oh so it's nothing
>>
Wait, so is this only a problem with srt?
Lol, ASS master race here.
>>
>>60559384
It's not a problem with srt, it is a problem with how those players were parsing the srt.

srt subtitles are the most basic, there is no formatting just a string and a timestamp when it should be visible.

srt parsing in VLC may be handled by libass, so potentially ASS subs could have been vulnerable as well if they were handled through the same vulnerable code, but it's still pretty funny they could fuck up parsing that badly.
>>
>>60555540

Can you link to original and not your blog next time

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
>>
>>60555540
Oh, fuck, now i have to update kodi on my htpc. I fucking hate 17 design.
>>
>>60555540
does this affect me if i only stream from my plex server
>>
>>60559874
Potentially, yes. If your plex server automatically downloads subtitles or you download a video with a crafted subtitle file embedded and you load it.
>>
>we tested media players
>didn't test mpv
It's a shit site then.

I use mpv, am I safe?
>>
>>60559976
Maybe. A quick look shows that mpv uses libass which is what VLC uses, so it is possible that if they haven't updated it yet mpv would be vulnerable, but there may be other factors involved.
>>
Old time MPC user who uses VLC just in case MPC refuses to play something
>just ran my vlc to check its version
>2.2.4
>ok, time to update
>Click check for updates
>You have the latest version /anon/!!
>go directly to the site, last version is, 2.2.5 indeed
WTF! Get your shit together VLC!
I went to the site and downloaded 2.2.5 but if a common user sees the "you have the latest and greatest" they won't do further shit
>>
>>60555540

I've switched to streaming since 3 years ago.
Can't be arsed with downloading anymore because most of the freshly uploaded stuff is either SD stream shit quality from HS and stream sites are fucking fast at uploading right now and provide the same quality as the HS stuff.
>>
>>60555540
but what about mpv
>>
>>60560368
see >>60560180
>>
>another vulnerability introduced by feature bloat
looks like mpv wins again
>>
Can anyone provide a link to one of these files?
>>
Apple MacBook Pro with TouchID doesn't have this problem
>>
>>60555540
>windows

~yawn
Every single time
>>
>>60560180
>LIBASS

>LITERALLY ASS

GO FIGURE
>>
>>60559976
NO ONE USES SHITPV

EVERYONE USES MPC-HC BECAUSE IT'S GOT MORE LETTERS
>>
https://github.com/mpv-player/mpv/issues/4449
>rossy commented 13 minutes ago

>>it would help if someone would clarify - since several players are affected, it looks like a vulnerability in a library used by all of them.

>This is misleading on the part of the original article. It's actually describing four independent vulnerabilities that they found in each player, for example, the Kodi one is a logic error in their zip decoder and the VLC one is a buffer overflow in their internal subtitle decoder. The only commonality is the attack vector, online subtitle repositories.
>>
>>60561931
MPV SHILLS ON SUICIDE WATCH
>>
>>60561944
ALL HAIL NOT MPV
>>
>>60555540
>subtitle files
It's the automatic subdownloader.
>>
Why can't no one on /g/ do a fucking diff
https://pastebin.com/M49Frrpe
Here's the bug, they were parsing html without checking for \0.
Good media players most likely not affected unless they copied code from vlc like the other 3 affected.
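
The post above puts the bug down to markup parsing that never checks for `\0`. As an added illustration (not part of the original post, and not VLC's code), here is a tag-stripping routine whose scans are bounded by both the input length and the terminator; `strip_tags`, `out` and the sample line are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

static char out[64];   /* demo output buffer (hypothetical name) */

/* Copy subtitle text from src to dst, dropping <...> markup.
 * Returns bytes written (excluding the terminator), or -1 if dst is unusable. */
long strip_tags(const char *src, size_t src_len, char *dst, size_t dst_cap)
{
    size_t i = 0, o = 0;

    if (dst == NULL || dst_cap == 0)
        return -1;

    while (i < src_len && src[i] != '\0') {
        if (src[i] == '<') {
            /* The unsafe form is `while (src[i] != '>') i++;`: a tag with
             * no closing '>' makes it read past the terminator. */
            size_t j = i + 1;
            while (j < src_len && src[j] != '\0' && src[j] != '>')
                j++;
            if (j >= src_len || src[j] == '\0')
                break;              /* unterminated tag: drop the rest */
            i = j + 1;              /* resume after the closing '>' */
            continue;
        }
        if (o + 1 >= dst_cap)       /* keep one byte for the terminator */
            break;
        dst[o++] = src[i++];
    }
    dst[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed sample line ending in an unterminated tag. */
    const char *line = "<i>Hello</i> <b>world</b> <font color=";
    long n = strip_tags(line, strlen(line), out, sizeof out);
    printf("%ld bytes: \"%s\"\n", n, out);
    return 0;
}
```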
>>
Sorry to bother, but I'm not savvy enough to really understand what I'm looking at and would like to learn. Can anyone explain this in more detail than the article / in simple terms or tell me how to safely figure out if MPC-HC is affected? Does it only affect you if you're downloading subs through your player rather than already having subs in the file itself?
>>
>>60563330
It only affects vlc and anything that shamelessly copied code from vlc.
mpc and mpv should not be affected by the same vulnerability.
>>
2.2.6 for VLC was just released
>[videolan] VLC media player 2.2.6 is pushed to Windows users, for a couple of regressions and security issues. mac builds are under way.
This is a 4chan archive - all of the content originated from that site.
This means that RandomArchive shows their content, archived.