
Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution

A proof of concept attack using malicious video subtitle files reveals how adversaries can execute remote code on PCs, smart TVs and mobile devices through popular video players and services such as VLC Media Player, Kodi, Stremio and Popcorn Time.

Threat Post

“This is a brand new attack vector. We haven’t seen this kind of attack in the wild yet. However, we believe there are as many as 200 million video players and streamers vulnerable to this type of attack,” said Omri Herscovici, team leader for products research and development at Check Point Software Technologies.


Herscovici said every media player Check Point looked at has a distinct vulnerability that allows a remote attacker to ultimately execute code and gain control of the targeted system. In the VLC player, researchers could exploit a memory corruption vulnerability to gain control of a PC. For the other media players and streamers, Check Point said it would not disclose the technical details until software updates had been delivered to users.


VLC developers were contacted in April and made aware of four separate vulnerabilities, Herscovici said. Each of the vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) has been fixed.


Check Point is basing the number of affected users on publicly disclosed figures provided by the vendors. According to VLC, 170 million users have downloaded the player since June 2016. Kodi reports more than 40 million unique users of its video software every month.


In its proof of concept attack, Check Point says victims are lured to a malicious website that uses one of the streaming video players, or they are tricked into loading a malicious subtitle file on their system that they deliberately downloaded for use with a video.


“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point in a research blog regarding the attack vector.


Check Point said poorly written subtitle parsing implementations are at the heart of the vulnerability.

“There are many subtitle formats, from SRT, SUB and GSS – and no standards for parsing. Each of the players we looked at uses a homegrown version of a subtitle parsing implementation. And each of them had a remote code execution flaw,” Herscovici said.
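To show what a non-homegrown, defensive subtitle parser has to get right, here is an added example (not code from Check Point, VLC or any player named in the article) that parses one SRT cue: every timing field is checked against the format's fixed digit layout, and the cue text is length-checked before it is copied into a fixed buffer, so a malformed or oversized subtitle is rejected rather than corrupting memory. The 256-byte text limit is an assumed, constructed value.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Constructed limit for this example; a real player would size this for its renderer. */
#define MAX_CUE_TEXT 256

typedef struct {
    uint32_t start_ms;
    uint32_t end_ms;
    char text[MAX_CUE_TEXT];
} srt_cue;

/* Read exactly n ASCII digits from s. Stops at the first non-digit (including the
 * terminating NUL), so it never reads past the end of a short string. */
static int read_digits(const char *s, int n, unsigned *out) {
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    *out = v;
    return 0;
}

/* Parse the fixed 12-byte SRT timestamp "HH:MM:SS,mmm" into milliseconds. */
static int parse_srt_time(const char *s, uint32_t *ms_out) {
    unsigned h, m, sec, ms;
    if (read_digits(s, 2, &h) || s[2] != ':' ||
        read_digits(s + 3, 2, &m) || s[5] != ':' ||
        read_digits(s + 6, 2, &sec) || s[8] != ',' ||
        read_digits(s + 9, 3, &ms)) return -1;
    if (m > 59 || sec > 59) return -1;          /* ms is at most 999 by construction */
    *ms_out = ((h * 60u + m) * 60u + sec) * 1000u + ms;
    return 0;
}

/* Parse a timing line plus its text line into a cue. Returns 0 on success, -1 on any
 * deviation from the format; the file's own lengths and values are never trusted. */
int parse_srt_cue(const char *timing, const char *text, srt_cue *out) {
    const char *arrow = strstr(timing, " --> ");
    if (!arrow || (arrow - timing) != 12) return -1;    /* start time must be exactly 12 bytes */
    if (parse_srt_time(timing, &out->start_ms) != 0) return -1;
    if (parse_srt_time(arrow + 5, &out->end_ms) != 0) return -1;
    if (out->end_ms < out->start_ms) return -1;         /* reject inverted ranges */
    size_t len = strlen(text);
    if (len >= MAX_CUE_TEXT) return -1;                 /* bounded copy: never overrun text[] */
    memcpy(out->text, text, len + 1);                   /* len+1 copies the NUL terminator */
    return 0;
}
```

A real parser would apply the same discipline to the cue index line, multi-line text blocks and the optional position coordinates that some SRT writers append after the end time.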


In each attack scenario, the malicious subtitle file must be selected to play along with the video.

In another attack scenario, a victim plays a video that is pre-configured to automatically download a subtitle file from an online repository, for example. Researchers say an attacker can upload malicious subtitle files to those repositories and artificially inflate the file’s ranking. Video players are instructed to download the highest-ranked subtitle file.


According to the Threatpost report, “These repositories hold broad potential for attackers. Our researchers were also able to demonstrate that by manipulating the site’s ranking algorithm, we could ensure crafted malicious subtitles would be those automatically downloaded by the media player, enabling a hacker to take complete control over the entire subtitle supply chain, without relying on a man-in-the-middle attack or requiring user interaction,” wrote Check Point researchers in a research blog regarding the attack vector.