Re: [Info] Malicious SRT subtitle file vulnerability
※ Quoting jmlntw (吉米林):
: Hacked in Translation - from Subtitles to Complete Takeover | Check Point
Blo
: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
: Beware! Subtitle Files Can Hack Your Computer While You're Enjoying Movies
: http://thehackernews.com/2017/05/movie-subtitles-malware.html
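: Researchers abroad have found that VLC, Kodi (XBMC), Popcorn Time and Stremio have a security vulnerability:
: an attacker can break into a user's computer through a malicious SRT subtitle file.
: Actual demo video: https://www.youtube.com/watch?v=vYT_EGty_6A
: Once the player has loaded the SRT subtitle file, the attacker can fully control the victim's computer.
: However, after the researchers reported the vulnerability, all of these players have made fixes.
: Stremio released a 4.0 beta to patch it, VLC will release 2.2.5 within the next two weeks to patch it,
: Kodi expects to release 17.2 this week to patch it, and Popcorn Time has already released a fix.
: Anyone using these players is advised to pay closer attention for a while.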
MPC-HC wasn't mentioned, so I looked it up
https://trac.mpc-hc.org/ticket/6169
No, MPC-HC doesn't allow overwriting arbitrary files when extracting files
from a downloaded ZIP file. It only extracts files with a valid subtitle file
extension.
Not affected, because it does not load non-subtitle files from a ZIP
It's related to ZIP??? I looked a bit further
Kodi v17.2 fix notes: https://goo.gl/CvSePP
‧Fix possible security flaw which could abused .zip files which try to
traverse to a parent directory
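Fixes a ZIP file security vulnerability
Only then did I realize the original poster had been misled by an unclear article and video…
In the original article, "malicious subtitle files" does not refer to the SRT format
but to ZIP archives that contain subtitle files,
which exploit a player vulnerability to execute a malicious program inside the ZIP
This is not mentioned at all in the original article or the video
leaving a lot of people thinking the subtitle file itself is the problem = =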
--
※ Posted from: 批踢踢實業坊 (ptt.cc), from: 122.116.86.145
※ Article URL: https://www.ptt.cc/bbs/AntiVirus/M.1495796490.A.107.html
→ 05/26 20:26, 1F
Push 05/26 21:12, 2F
Are you saying the subtitle file itself also has a vulnerability?
Push 05/26 22:03, 3F
→ 05/26 22:04, 4F
Push 05/26 22:38, 5F
→ 05/26 22:39, 6F
→ 05/26 22:39, 7F
That is the video from the original article:
it simply runs Kodi, selects a subtitle, and then the machine is under control,
with no mention at all of what type of subtitle it is…
Further down in the Kodi v17.2 fix notes there is another paragraph that responds to Hacked in Translation
↖ hyperlinked to that article
You may have read in the news that malicious subtitle zip files could
potentially infect and harm your media player including Kodi. When Check
Point researchers uncovered this flaw they contacted us up front to let us
know about this flaw. Our developers fixed this security gap and have added
the fix to this v17.2 release.
Kodi v17.3 https://goo.gl/A2NHyB added one more paragraph
To be clear this possible vulnerability is only present when you first enable a
subtitle download add-on and then actually download zipped subtitles. Any
subtitles that you already have as text file, are embedded in the video
stream or are included with your DVD or Blurays are safe.
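Only downloaded ZIP subtitles are affected;
other text-format subtitles, subtitles embedded in streamed video, DVDs and BDs are all safe.
MPC-HC's response also came from someone asking them about the Hacked in Translation article,
and it likewise says it does not execute non-subtitle files from a ZIP archive, so it is not affected.
Looking at all this, it is pretty obviously caused by a player vulnerability in loading files bundled inside the ZIP!
※ Edited: mkz6 (122.116.86.145), 05/26/2017 23:39:04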
Push 05/27 01:23, 8F
Push 06/10 12:19, 9F
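Added example, not part of the thread and not code from Kodi or MPC-HC: a sketch of the two defences the replies quote, refusing ZIP entries that traverse to a parent directory and extracting only files with a subtitle extension. The extension allow-list, function names and sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

SUBTITLE_EXTS = {".srt", ".sub", ".idx", ".ass", ".ssa", ".vtt"}  # assumed list


def check_entry(info):
    """Return None if the ZIP entry is acceptable, else the rejection reason."""
    parts = info.filename.replace("\\", "/").split("/")  # "\" is a separator too
    if info.is_dir():
        return "directory entry"
    if parts[0] == "" or ":" in parts[0]:
        return "absolute path"
    if ".." in parts:
        return "parent-directory traversal"
    if os.path.splitext(parts[-1])[1].lower() not in SUBTITLE_EXTS:
        return "not a subtitle extension"
    return None


def safe_extract_subtitles(zip_bytes, dest_dir):
    """Extract accepted entries flat into dest_dir; return (extracted, rejected)."""
    dest = os.path.realpath(dest_dir)
    extracted, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_entry(info)
            base = info.filename.replace("\\", "/").split("/")[-1]
            target = os.path.realpath(os.path.join(dest, base))
            # Final guard: the resolved path must still be inside dest.
            if not reason and os.path.commonpath([dest, target]) != dest:
                reason = "escapes destination"
            if reason:
                rejected[info.filename] = reason
                continue
            with open(target, "wb") as out:
                out.write(zf.read(info))
            extracted.append(base)
    return extracted, rejected


def build_sample_zip():
    """Constructed sample: one subtitle plus four entries that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("subs/movie.srt", "../../addons/evil.py",
                     "..\\..\\startup\\x.srt", "/tmp/abs.srt", "payload.exe"):
            zf.writestr(name, "constructed sample data")
    return buf.getvalue()
```

The extension check alone would accept `..\..\startup\x.srt`, which is why the path checks run before it and the resolved-path guard runs last.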