Doesn't need to be an .exe

>Doesn't need to be an .exe

>just the text file

>Antivirus cannot scan it

Other urls found in this thread:

matroska.org/technical/specs/codecid/index.html
en.wikipedia.org/wiki/SubRip#Formatting
mpv.io/manual/master/
twitter.com/SFWRedditGifs

Hola, reddit.

>no source other than some retarded headline

why would i post source you nigger, I thought you faggots didn't like giving clicks

>le anti-piracy shilling

go away, redditor.

post it on archive and then post the link, nigger

>I like reading books but I hate buying them from the book store
>sends a book cover
>I can't read this, this is just a cover
>Wtf user I though you didn't like buying books

Pastebin the actual article content, you fucking troglodyte.

>not watching raws

>why would I post source you nigger

It is true but it is only in shitty turrent stream apps like popcorn time that dont use srt.

Subtitle files are parsed by the players, and can execute remarkably complex visual effects.
It's not entirely surprising that this is possible, nor that it was overlooked.

already fixed with Kodi 17.3 don't forget to update
probably libreelec release is on the way too but can't say anything about openelec fags

> He doesn't learn the native language of a video

Fucking plebs

Also VLC 2.2.5.1. It's an exploit in an ancient Amiga subtitle format (JACOsub), which can be embedded only in Ogg containers, but not MKV or MP4.
matroska.org/technical/specs/codecid/index.html
Watch out for rogue .jss subtitle files.

Nevermind, LibreElec updated it just today
no update on Openelec tho

what the fuck, so srt files can fuck my computer up now?

Windows on its own has like 50 different executable file types, fonts and their ilk have been repeat offenders over the decades too.

Either archive link or pastebin

>update
>mfw Media Player Classic

SubRip files for example can contain simple, unstandardized HTML-like formatting codes. If you fuck up parsing those correctly, you can take over a media player.
en.wikipedia.org/wiki/SubRip#Formatting

MPC doesn't even support that format, you're fine.
//Subtitles Format: 0=all, 1=MicroDVD, 2=SAMI, 3=SSA, 4=SubRip, 5=SubViewer 2.0, 6=SubViewer, 7=MPSub, 8=Advanced SSA, 9=DVDSubtitle, 10=TMPlayer, 11=MPlayer2

mpv doesn't have this problem

does mpv even have a subtitle parser?

RTFM
mpv.io/manual/master/

yes you stupid nigger

>viruses hidden in subtitles
But there's no virus in the subtitles. It's just a fuckup in the parsing that allows commands to be executed on the system which is used to initiate an RPC in the demonstrations.

>But there's no virus in the subtitles
you're being a stupid nigger right now.
the virus is a payload inside the subtitle file

This affects vlc when parsing font tags on srt.
It tries to find the corresponding > without checking for the end of the string.

I don't know how they go from this to remote code execution, but that's all that's been patched on vlc 2.2.5.

how to avoid these problems?

Stop using vlc.

No.
If anything the subtitles file itself is the virus. But it's not really because it doesn't infect the system.

The exploit can be used to deliver a virus payload to the target machine but it isn't contained within the subtitle file.

Don't use shitty players. Don't download subtitle files. Only download videos from reputable sources with the subtitles already embedded.

>I don't know how they go from this to remote code execution
Because it doesn't sanitize the parsing they're able to execute a system application instead of a targeting a local font file so they use it to start an RPC which connects to their controller PC.

>Don't download subtitle files. Only download videos from reputable sources with the subtitles already embedded.

but i pirate alot

So?
There are reputable groups.

If you have your hands on a poc please share it.
All I know is from the patch they made.

Also, if it was a bug reading a font file, it wouldn't really be vlc's fault.

>autist screaming
just update to the latest version, big fucking deal

yep, exploits your video player.

VLC is just a little bit too common.

Yes goy, keep updating.

UPDATE VLC NOW, SECURITY UPDATE DUE TO OP'S EXPLOIT

.srt is a plain text file,
how is the virus encpded in it?
ctrl-characters or html tags?

I wonder if unicode would translate to executable code easier?

For clarity you're wondering how every bit sequence in a binary executable stream could be represented in a simple text file right?

I didn't realize it would only show letters and numbers, lots of ctrl+ characters when you open a binary as a text file.

Well to be fully honest here it isn't a single exploit.
All four players were exploited in different ways but all through a subtitles file.

But by watching the PoC video it is pretty clear that it isn't a binary blob or anything embedded in the subtitle file. They exploited problems in the way the players parsed the subtitle files to run system commands, in this case they probably used it to run mstsc to connect to their Linux machine.

You can't force a file being plain text only, it can have anything in it.
All you need now is a way to make the video player jump to the payload after the file is read to memory.

The video shows that the video player opens a connection to the attacker's computer to download a payload, this new payload is the one that creates the remote desktop session.

>hearing the audio of a Video

>not paying the creators of the Video to reenact it live for you

Fucking hackers GET OUT OF MY ANIME

Should we stop using mpv too?

STOP! DONT FUCK UP MY PC

> Not getting the script and reinacting it yourselft

>MPC not affected
Not a problem.

You don't even seem to know what an exe is and what is pattern detection/heuristic in scanning files.

Whatever computer illiterate hole you're coming from, go back, please.