Pwned in Translation - Omer Gull & Omri Herscovici

hello hi welcome to our talk bone in translation from subtitles to remote code execution quick introduction we're a ml anomaly security researchers at checkpoint jumping so this research was conducted about a year ago with the intention of presenting a new a new concept a new attack vector and we call it subtitles drive-by attack and it's important to remember that this is not about the vulnerabilities even though there are plenty of those it's the notion that subtitles are now considered dangerous so let's back up a little bit this is how we use to watch movies at the local cinema but as technology evolved and the internet became faster and we got laser movies entered our living rooms and it could be a laptop a

small TV a Raspberry Pi an actual MIDI Center the streaming options are endless and they're designed with ease of use in mind and to take care of everything for us they put all the metadata for us they pull the trailers thumbnails plotting form and subtitles ok so yeah subtitles the thing these were the statistics of daily downloads from one of the main repositories open subtitles ranging from 7 million up to 10 million a day and obviously subtitles are used for translation for non-native English speakers like yourself but not only now to convey the necessity of subtitles we'll use the power of memes so they're used when you're watching a foreign film or a TV show like an anime or a

pretentious French film they're used for convenience in case there are any sort of sound imitations and they're used in Guy Ritchie's movies sometimes they also provide a critical node for the but they usually have a lot more than just text display so let's explore the subtitles landscape we all know SOT and subtext the most basic subtitle file it's about a basic set of HTML tags like bold and italic and etc and there's also the sub format that stands for subviewer it supports basic formatting like colors and fonts but sometimes sub actually stands for MP sub that supports none of the above and at different occasions sub can also stands for micro DVD subtitles now this app supports formatting color

schemes font configuration subtitles location and different character sets another common format is the substation alpha it's a bit more sophisticated it sports predefined stylings fonts complex color palettes outline shadow alignment marginl forever and encoding but it gets even more impressive as we move on to advanced substation alpha now the SS contains all the functionality of SSA with some interesting additions so the SS format supports scaling angle shifting binary image embedding binary font embedding drawing if we actually do a small dinosaur in the subtitles and the specification even mentions system comments functionality its allow executing a specified program as background tasks and we truly hope no one ever implemented these bizarre feature so vector subtitles there are

actually [ __ ] loads of subtitles all in all during our research we encountered more than 25 subtitle formats sam'l binary some textual none well documented so we asked ourselves can the unregulated nature of the subtitle Magnus be exploited okay so I will first target was the most notoriously I mean played for platform we know a pokkan time this multi-platform Netflix for pilots integrated a deadly combination of a BitTorrent client a video player and and less skyping capabilities it's all under a very friendly graphical user interface even my mother uses it which is a key lead in every research we conduct so this beautiful WebKit powered interface is packed with movie information and metadata it was Saints trailers plot

summaries cast information couple photos IMDB rating in much more but the way it does it so elegantly beautiful is by using a platform that supports web technologies now the technologies as html5 css3 and JavaScript built on top of a no js' engine okay so the main the two main frameworks that allow this in wjs and electron both multi-platform util utilizing chromium and supports external plugins okay so we know they look good but available to anything well these underlying technologies are very interesting for me Atticus perspective because what might be considered a weak vulnerabilities in at least in a bad bounty programs like XSS can actually result in code execution because no js' is essentially a JavaScript engine with

server-side capabilities and all you need to do in no js' in order to pop calculator is use this code which imports the child process library and uses its exact function with calc as the argument now we'll talk about this in a minute but back to Popkin time to make life even easier subtitles are being fetched automatically for both the viewer Vincent the attackers and the question remains can this behavior be exploited so behind the scenes Popkin time uses open subtitles as the sole subtitles provided with over a four million entries in a very convenient API it is an extremely popular depository so this API does not only allow for search and download of subtitles but it also

has a commendation algorithm to help you find the right file for your a for your movie and release and we'll dive deeper into that process a bit later it turns out to be a key step so gaining some knowledge about pokken time infrastructure let's see how subtitles make the way from a download to scream so our journey begins as soon as the user starts playing a movie now open time downloads a subtitles and converts them convert whatever format it gets to an SRT timecode ok so after the conversion it's best to the update display function now this function will create an HTML span containing the subtitle text so since the SRT format supports HTML tags and this is a WebKit

they didn't need to make any implementations for HTML it's obviously built with HTML to its core but perhaps we can write other things than HTML like JavaScript and sanitize JavaScript within a node WebKit application okay so let's write this simple one this is our standard SOT file looks like when you open it and as we already know it supports HTML tags but what if we try to load an image that doesn't exist and provide it with an we attribute well exercise 1 1 we know the on a little bit chemical and JavaScript so brace yourself yeah we got our first one ability for the research we managed to make subtitles pop a message box aim that's not good enough

let's try something a bit more advanced

okay so what if instead of the alert we write a code to clean things up remove the Rivini icon of the broken image and append our malicious payload to the page which will dynamically create a script loaded from a remote host I will host ok so needless to say just as we showed earlier evil j/s will utilize the nodejs capabilities of the framework tool and process let's take a look this is almost get Diego hey you can see the user opening Popkin time to disease favorite movie starts plain

choose the subtitles

this is here we get an attackers perspective

[Applause] thank you okay so um we were able to make a malicious subtitles for Popkin time which is great but how would the user get our subtitles so let's talk a little about this subtitles supply chain with an average of 8 million daily downloads open subtitles is the world largest online community for subtitles the extensive API is widely integrated into many adult video players and among the basic functions you would expect to find in such API is the search and download the Smart Search capabilities is essentially a change function requesting all relevant subtitles from the server and its salts and ranks them returning the best matching subtitles for your movie and release let's take a

look okay so the Smart Search now looking at the request of the Smart Search and being sent to the open subtitles API we can see the only argument passed is IMDB ID now along with the required languages in this case all languages while the response contains all matching subtitles to that I am the bidding okay so obviously Popkin time automatically automatically loads the subtitles with the highest rank but what determines the link so skimming through the documentation we bumped into this ranking scheme so we can say that the score is based on five criteria a movie hash tag which is fine name I am the B ID fps and something called others so also extra points are being

credited for being an admin or a trusted partner but since the only argument sent by Popkin time is the IMDB ID if we would have wanted our malicious subtitles to be chosen by the API the maximum points we could get is 5 as been anonymous upload so a bit discouraged by the documentation and the skull we saw in other popular movies which were higher than 5 we turn to the source code of the open subtitles a P I am obviously learned a valuable lesson if you truly want to break something looking at the documentation is not the way to go because the source code revealed an undocumented behavior the match tags function is called either way okay but

what is match tags so the match tag function will break the file name of the movie and the subtitles to tags now a tag is basically an isolated world or the number a found in the file name usually separated by dots and dashes and then a short loop checks how many shelled eggs does the subtitle file name and the movie filename have in common after that a wield formula is taking place the amount of shell text is divided by the number of movie text tags and multiplied by a max score of 7 which is the max code that can be signed in case of full compatibility so a bit complicated let's see a demonstration of

these functions behavior let's assume assume that this is the movie file name streamed by Popkin time this is easily checked using a sniffer and this is a name of a candidate subtitle a file name offered to the ranking algorithm so the code the code fails splits the movie file name into tags it then splits the subtitle file name and the match tag the match tag functions a checks how many shelters they have three in this case so the API then goes to its formula which is a shell text 3 and divided by the tags in the movie filename 8 we see that on the left x max co which is a constant number of 7 this

gives us the final score of 2 okay well this behavior makes it trivial to for us to achieve full compatibility because all we have to do is name our malicious subtitle identical to me the movie file name and so this gets us a full computer compatibility 7 plus the IMDB ID 5 points we already had and we get 12 points but wait there's more because these are the recommended subtitles for some of the most popular a content available online a Deadpool falls and Inception snow then and westward season 1 episode 1 these graphs show this call of the 7 most popular languages in the world displaying the average and the highest score so scanning automatically full a

bunch of popular subtitles we notice that the highest call a subtitle got was 14 while the average is around 10 so at this point we show that we can consistently achieve a solid score of 12 a higher than the average but less than 14 so we'll obviously still unsatisfied and as you recall extra points I'll be credited for being ranked user calling open subtitles website we found this table now apparently all it takes to become a gold member in an extra three points is a hundred and one uploads so we sign up to open subtitles and four minutes later and 40 lines of Python we will golden okay so we wrote a small script that gets the score of all

subtitles available for a given movie as you can see our subtitle has the highest score of 15 so what this basically means that given any movie we can force your player to load our crafted malicious subtitles and exploit your machine okay so let's see what else we can do with it um we'll take it hi so Cody which is formerly known as XBMC is an award-winning open-source cross-platform media player it is available for all major platforms 72 languages and it is used by over 40 million users around the world so it makes it the most common media center software around and Cody is also a popular combination with raspberry PI's and Smart TV making it kind of

interesting from attackers perspective so this is the screen that is displayed when a user want to download subtitles using Kodi and this is the request that is being sent by Cody we recognize it as we were already kind of familiar with open subtitles API structure and this is the code that is actually fetching the subtitles so let's go over it first the search subtitled function is called and the response is saved into a variable called search data then a for loop will iterate over these results extracting the information from them and formats them into a string called ull then each of these created URL is sent to the directory item function which in return results in this screen

now the user can simply select his desired subtitles but let's focus on that URL string for a moment so since open subtitle is obviously open the attacker has complete control over the file name parameter which is received under the value of sub file name and here we see how each of these four keys in item data alpha mattered into that URL string so given the given the fact that the attacker completely controls the file name what can we do with it so usually the file name will be something like this subtitle file name dot SOT but what if afterwards we append the ampersand sign and then something like this so this would effectively overwrite the

original link and IV parameter which we originally didn't have any control over it simply because this is a string and it is being passed by a very basic split function how does this help us well once the sorry once the user chooses his subtitle the download function would be called and the argument to that download function are derived from that URL and these are the arguments we can now control the ID and the link so how does this function behaves first it uses open subtitle API to download the subtitles based on the ID given to it but the interesting part is what happened if it fails if the ID does not exist then we go to the not result branch which

download a zip file from the link given to it so by changing the ID to something that doesn't exist such as - 1 2 3 and overwriting the link to point to a zip file that is stored on our servers we for Scottie to download a remote zip file now after download the zip file is sent to a function called XBMC extract and here instead of using the standard library for any zip extraction Cody decided to implement their own which as we all know is usually a great idea right so downloading an arbitrary zip file from the internet is definitely but training this behavior with another vulnerability we found in Kody built-in extraction made it lethal so let's see

what Kody built in extract archive function does is building a file path based on the folder names inside the zip but what Kody neglected to handle our folder names that contains two dots so I don't need to tell you guys we have directory traversal here so all we have to do is create a zip archive that contains dots as folder names and then we can make the extraction create a Python script instead of the add-on script itself which will be immediately called again thus executing our code so that would be the second vulnerability for today let's see that in action

you

so the users open up Cory look for his favorite film

now this is the subtitles window we discussed earlier here it's loading everything so like we told you we completely control open subtitles so we don't have nothing to worry about first top three hits are our malicious subtitles so he can choose whatever you want again we get the attacker perspective

and we get the reverse

all right moving on to the next victim well popcorntime definitely marked the rise of string me ups but being temporarily shut down by the MPAA it left users looking for alternatives and stem io offer just that like popcorn time it is designed with ease of use in mind and has quite similar user interface by the way this is also the platform that both of us use at home so we thought it will be fun to give it a shot and interestingly enough EMI shares a few characteristics with Popkin time under the hood most importantly for us it is also a WebKit based application and you guessed it right it uses open subtitle as a subtitle provider so we just try the

same trick we used on popcorn time you can actually see the broken image icon at the bottom but no message box was popped so that didn't work apparently our JavaScript has been sanitized and it was time to dig a little deeper so stem our code is archived as an ASL file which is a simple tar-like format that concatenates all file together just without the compression we use the node.js library to extract it and we got all the necessary files we needed in order to inspect the code extracting the source code and prettifying it we realized that any text editor screen is passed through angular sanitize this sanitize service will pass an HTML and only allow for

safe and whitelisted markup and attributes to survive thus sterilizing all strings so it contains no scripting expressions or dangerous attributes now having to use only static HTML tags with no scripting capabilities really limited our option so this calls for quite a creative solution if you've ever used tremolo you must be familiar with their supporters pop-up banner now we know that we can use HTML tags right so what if we present the supporters image to the user using the image tag but we surrounded with an href tag this way there is no JavaScript to be sanitized and one the user would click the pop-up in order to close it he will be redirected once again to our a malicious JavaScript

again popping a calque so let's take a look at our third vulnerability for today

and there's a click it in order to close it and we get a call yeah so realizing the disastrous potential of subtitle as an attack vector we move on now I'm pretty sure that there is no need to introduce our next target with over 180 million users VLC is one of the most common media players out there it's open source portable and cross-platform framework it is available for almost any platform imaginable at this point yen I live now a former member of our team join us and much of is much of the work shown here is due to his contribution so we'll see we'll see is in fact a complete multimedia framework just like directshow or

gstreamer if you're familiar where you can load and plug in many modules dynamically depending on the necessity and actually the co pham ngoc is just used to do the wiring and the media processing so from inputs whether it's files or network streams to outputs whether it's audio video on screen on a network it uses modules to do most of the work at every stage like various democ sir's decoders or filters and being described even by its own authors as very popular but quite large and complex piece of software we were confident that we can find subtitles related vulnerabilities so let's go over them textual subtitles are passed by VLC in a democracy called subtitles dot c

these are all the supported formats and the respective parsing function and yes that's a lot and the de-mux l only job is to pass the different timing code of each format and send the subtitle to its decoder now other than ssa and a SS that are recorded by a dedicated library called li biases all other formats are decoded by VLC's own decoder subs Dec inevitably things are about to go wrong so subs Dec takes every subtitle let's take SOT for example and pass its text field it will create two versions of it the first is a plain text version with all tags attributes and styling stripped off this this version is used in case later rendering will fail the second

more feature-rich version is referred to as the HTML subtitle HTML subtitle will contain all the fancy styling and attributes such as phones alignments etc after being decoded subtitles are sent to the final stage of rendering so going over the VLC subtitle related code we immediately notice that a lot of parsing is being done using raw pointers instead of built-in string function which is generally a bad idea now let's see an example of it again this is how the basic SRT subtitle this code use the PSD subtitle variable to parse the subtitle one byte at a time in this case the code just identified the HTML phone tag so it then moved on to consume it attributes the face

attribute in this example the decoder will continue reading from the buffer until the closing bracket is met what this means is that in case the bracket is missing the puzzle will just keep on reading resulting in an out of bound read for nobility that's fourth for today and why loading the code manually we also started fuzzing VLC for subtitle related vulnerabilities obviously our weapon of choice was the brilliant AFL this security oriented father compiled employees compile time instrumentation and genetic algorithms to discover new internal states and trigger edge cases in the target binary so getting the first command was actually a bit tricky we created the copis and created the dictionary but our main obstacle was the

fact that our fuzzing server had no GUI so we overcame this challenge by using that transcode functionality this option will make vs ik convert a movie from one codec to another while attaching the subtitles but presenting nothing which was perfect for us so moving on to the corpus corpus is a set of initial test cases comprised of valid files that represent the protocol or the functionality being fast now we plan to start with SOT an ESS simply as these were the format that we researched first so for a corpus which are picked some of the various files that incorporates some of the more exotic features that we discussed earlier and this is the basic time convention of the SOT format and we

intended adding more formats to the copis as we go along but the amazing thing is we didn't have to because FL just blindly built valid subtitle files of different formats with zero knowledge in this case he created the jss format all by itself so this is a demonstration of one of AFL greatest strength assembly level instrumentation because the odds of a traditional father simply flipping bits to convert the time convention of SOT and turn them into JSS are extremely low however through assembly level instrumentation FL notices how minor mutation trigger slightly different code paths and uses those as a seed for further fuzzing grounds so great job FL and it didn't take it too long to look

down on a vulnerable function called parse JSS now jss stands for Jayco subscript files and this format is a really flexible format allowing some really interesting for functionalities it relies heavily on something called directives a directive is a series of characters strung together and they can determine the subtitle position font color so forth and they come in two forms they come either as a global directive that affects all subtitles below it in the text file as an inline directive affecting only the current line so these are some of the more common cases directives out there this is T it stands for timer and it is used to set the time resolution one hundred units a second in this case s

which stands for shift and it will cause all events to occur a twenty time units sooner than usual F will set font number three because you can predefined up to ten formats to Jacob font 18 which is a mono color fonts available in JSS for an inland directive here's an example CP two will display the following text using color palette number two that can also be predefined by the user so yes it's really weird and VLC doesn't do a great job in parsing those let's see looking at the basic pasta SS function we can see that VLC iterates over the lines with a while loop again one bite at a time it passes the time codes and a handful

of supported directives and the text itself obviously and the crushed found by FL was due to an out of bounds read while trying to skip unsupported directives here and throughout PSD text is a pointer to null terminated string allocated on the heap and the code assume that that directive is always followed by a space therefore it will look for that space to indicate the end of a directive in case that directive is written without any following spaces this while loop will just skip the null by terminator and overrun the buffer so that's number 5 and this got our attention to the pasta SS function and we soon manually found another 2 out of boundary issues in the passing of

directives that were supported so moving on with the jss format we stumbled upon the color and fonts directives as you can see the code includes a double increment to skip from the directive right to the argument but in case a directive didn't contain any argument to follow it meaning it ended with a null termination this double increment would just skip the null terminator but let's see how this code is combined within the bigger picture so this entire chunk of code is within a while loop here's our double increment right there and skipping the null byte we remain in that while loop copying from ps3 techs to ps3 text - however ps3 tax - is only the length of

ps3 text plus 1 so while we are reading out of buffer at one point we are actually writing out of buffer at another point and this 6 vulnerability a he pasted overflow actually allowed us altum Utley to execute arbitrary code at another case you can see that when the passing loop reaches a null terminator in a very specific case it intentionally decides to skip it making this number 7 and in my opinion the weirdest of them all so let's talk about exploitability for a second these bugs are definitely not trivial to exploit however it is interesting to note that the main binary of VLC is not a SLR of Pi in Linux by design the main binary is just do just

do the wiring between liberal psycho and the plugins but it offers some quite useful gadgets for example these gadgets that will find whatever symbol is in other side and call it with Alby X as an argument which is quite useful right so for a quick PLC we had an eye to develop an expert for this vulnerability for the moment ignoring s allow let's see a demo of it

and we get a couple so thank you let's sum up this research we discussed the complete madness that is the subtitle landscape we saw we had over 25 subtitle formats none of them well documented without any dedicated library and zero standardization between players we were able to gain full remote code execution on four major platforms now please note that these were the only platforms that we looked at it so it means that other platforms are there are probably four noble to subtitle drive-by attacks we were also able to manipulate the subtitle repository ranking scheme thus taking control completely over the entire sub subtitles supply chain and this means that what we just presented is a new malware delivery system

completely transparent and requires no user interaction which in our case included over 220 million potential victims and the notion of attackers being able to upload malicious subtitle to a major repository and forcing different players to download them should now be taking into account as a new valid attack vector and prepare the security vendors and Industry to mitigate it now for the moment we've all been waiting on Lee and myself we made a little bonus for ru for you we curated our favorite color popping sins into a beautiful compilation actually on the first draft of this talk this bonus was titled two girls one cluck yeah but then we almost got fired so we had to tone it down a little bit here it

is enjoy people sometimes make mistakes yes they do it's not a real hoist this box just interprets signals from the computer and turns them into sound shall we yeah what is it say what I think is [Music] my damn that would it [Music]

and that's just a sample of the exciting exploits ahead in our first feature motion picture holy memoranda folks make a note not to miss it good thinking Robin [Music]

thank you