Translation is black - from the subtitle file to control the entire computer

  • arcko 

Check Point researchers revealed a new attack vector,Threat to millions of users worldwide – By attacks subtitles。通过制作受害者媒体播放器下载的恶意字幕文件攻击者可以通过许多流行的流媒体平台(包括VLCKodi(XBMC)Popcorn-Time和中发现的漏洞完全控制任何类型的设备。 。我们估计目前有大约2亿视频播放器和拖缆运行易受攻击的软件这是近年来最广泛易于访问和零抵抗的漏洞之一




执行者使用各种方法,Also known as "attack vectors" to provide network attacks。These attack vectors can be divided into two categories:Attacker to convince a user to visit a malicious Web site,Or he deceived his run malicious files on his computer。
Our study revealed a possible new attack vector,Use of technology is completely ignored,When the user's media player loads Movie subtitles,Cyber ​​attacks will be passed。These subtitles repository is regarded as a trusted source in practice users or media player; Our research also shows,These repositories can be manipulated,And was awarded the attacker's malicious subtitles scores,This leads to specific captions provided to the user。This method is for users with little or no deliberate action,Making it more dangerous。
Unlike traditional attack vector,What security companies and users widely recognized,Movie subtitles are considered nothing more than a benign text file。This means that users,Anti-virus software and other security solutions can be reviewed,Without having to assess its true nature,从而使数百万用户面临这种风险







范围受影响的用户总数达数亿每个发现易受伤害的媒体播放器都有数百万用户我们认为其他媒体播放器也可能会受到类似的攻击VLC已于2016年6月5日发布了其最新版本的1.7亿多次下载.Kodi(XBMC)每天拥有超过1000万个独特用户,With nearly 40 million monthly unique users。Currently there is no estimate on popcorn time usage,But you can rest assured that,This figure is also the millions。

damage: By attacking subtitles,Hackers complete control of their operation of any equipment。从这一点上来说无论是PC智能电视还是移动设备攻击者都可以与受害者的机器做任何事情攻击者可能造成的潜在破坏是无休止的从窃取敏感信息安装赎金大规模拒绝服务攻击等等到任何地方



迄今为止,We tested and found the four most famous media player names vulnerabilities:VLC,Code,Popcorn time and Stremio。We have reason to believe that other media players are also similar vulnerability。We follow responsible disclosure guidelines,And fragile media player developers of all reported vulnerabilities and loopholes。Some of these issues have been resolved,Among other issues still under investigation。To give developers more time to address these vulnerabilities,We decided not to release more technical details。

Platform Update:



  • 爆米花时间字幕远程执行代码
  • Kodi打开字幕Addon远程执行代码
  • VLC ParseJSS Null跳过字幕远程执行代码
  • Stremio字幕远程执行代码



进一步深入字幕供应链产生了一些有趣的结果有许多共享的在线存储库如OpenSubtitles.org用于索引和排列电影字幕一些媒体播放器自动下载字幕; 这些存储库对攻击者具有广泛的潜力我们的研究人员也可以通过操纵网站的排名算法来表明我们可以保证制作的恶意字幕是由媒体播放器自动下载的字幕从而允许黑客对整个字幕供应链进行完全控制而不需要使用一个人在中间攻击或需要用户交互此漏洞还会影响使用这些排名的用户来决定手动下载哪些字幕





Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.