>Doesn't need to be an .exe
>just the text file
>Antivirus cannot scan it
>Doesn't need to be an .exe
>just the text file
>Antivirus cannot scan it
Other urls found in this thread:
matroska.org
en.wikipedia.org
mpv.io
twitter.com
Hola, reddit.
>no source other than some retarded headline
why would i post source you nigger, I thought you faggots didn't like giving clicks
>le anti-piracy shilling
go away, redditor.
post it on archive and then post the link, nigger
>I like reading books but I hate buying them from the book store
>sends a book cover
>I can't read this, this is just a cover
>Wtf user I though you didn't like buying books
Pastebin the actual article content, you fucking troglodyte.
>not watching raws
>why would I post source you nigger
It is true but it is only in shitty turrent stream apps like popcorn time that dont use srt.
Subtitle files are parsed by the players, and can execute remarkably complex visual effects.
It's not entirely surprising that this is possible, nor that it was overlooked.
already fixed with Kodi 17.3 don't forget to update
probably libreelec release is on the way too but can't say anything about openelec fags
> He doesn't learn the native language of a video
Fucking plebs
Also VLC 2.2.5.1. It's an exploit in an ancient Amiga subtitle format (JACOsub), which can be embedded only in Ogg containers, but not MKV or MP4.
matroska.org
Watch out for rogue .jss subtitle files.
Nevermind, LibreElec updated it just today
no update on Openelec tho
what the fuck, so srt files can fuck my computer up now?
Windows on its own has like 50 different executable file types, fonts and their ilk have been repeat offenders over the decades too.
Either archive link or pastebin
>update
>mfw Media Player Classic
SubRip files for example can contain simple, unstandardized HTML-like formatting codes. If you fuck up parsing those correctly, you can take over a media player.
en.wikipedia.org
MPC doesn't even support that format, you're fine.
//Subtitles Format: 0=all, 1=MicroDVD, 2=SAMI, 3=SSA, 4=SubRip, 5=SubViewer 2.0, 6=SubViewer, 7=MPSub, 8=Advanced SSA, 9=DVDSubtitle, 10=TMPlayer, 11=MPlayer2
mpv doesn't have this problem
does mpv even have a subtitle parser?
yes you stupid nigger
>viruses hidden in subtitles
But there's no virus in the subtitles. It's just a fuckup in the parsing that allows commands to be executed on the system which is used to initiate an RPC in the demonstrations.
>But there's no virus in the subtitles
you're being a stupid nigger right now.
the virus is a payload inside the subtitle file
This affects vlc when parsing font tags on srt.
It tries to find the corresponding > without checking for the end of the string.
I don't know how they go from this to remote code execution, but that's all that's been patched on vlc 2.2.5.
how to avoid these problems?
Stop using vlc.
No.
If anything the subtitles file itself is the virus. But it's not really because it doesn't infect the system.
The exploit can be used to deliver a virus payload to the target machine but it isn't contained within the subtitle file.
Don't use shitty players. Don't download subtitle files. Only download videos from reputable sources with the subtitles already embedded.
>I don't know how they go from this to remote code execution
Because it doesn't sanitize the parsing they're able to execute a system application instead of a targeting a local font file so they use it to start an RPC which connects to their controller PC.
>Don't download subtitle files. Only download videos from reputable sources with the subtitles already embedded.
but i pirate alot
So?
There are reputable groups.
If you have your hands on a poc please share it.
All I know is from the patch they made.
Also, if it was a bug reading a font file, it wouldn't really be vlc's fault.
>autist screaming
just update to the latest version, big fucking deal
yep, exploits your video player.
VLC is just a little bit too common.
Yes goy, keep updating.
UPDATE VLC NOW, SECURITY UPDATE DUE TO OP'S EXPLOIT
.srt is a plain text file,
how is the virus encpded in it?
ctrl-characters or html tags?
I wonder if unicode would translate to executable code easier?
For clarity you're wondering how every bit sequence in a binary executable stream could be represented in a simple text file right?
I didn't realize it would only show letters and numbers, lots of ctrl+ characters when you open a binary as a text file.
Well to be fully honest here it isn't a single exploit.
All four players were exploited in different ways but all through a subtitles file.
But by watching the PoC video it is pretty clear that it isn't a binary blob or anything embedded in the subtitle file. They exploited problems in the way the players parsed the subtitle files to run system commands, in this case they probably used it to run mstsc to connect to their Linux machine.
You can't force a file being plain text only, it can have anything in it.
All you need now is a way to make the video player jump to the payload after the file is read to memory.
The video shows that the video player opens a connection to the attacker's computer to download a payload, this new payload is the one that creates the remote desktop session.
>hearing the audio of a Video
>not paying the creators of the Video to reenact it live for you
Fucking hackers GET OUT OF MY ANIME
Should we stop using mpv too?
STOP! DONT FUCK UP MY PC
> Not getting the script and reinacting it yourselft
>MPC not affected
Not a problem.
You don't even seem to know what an exe is and what is pattern detection/heuristic in scanning files.
Whatever computer illiterate hole you're coming from, go back, please.