Pwned in Translation - from Subtitles to RCE presented at syscan 2017

by Omri Herscovici, Omer Gull

Abstract
What if I told you that when you're watching a movie on your PC or streamer, someone might also be watching you? And he might be doing so using subtitles.
Yes, subtitles, those innocent looking text lines at the bottom of your screen.
Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered.
You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is usually no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players.
What can go wrong?
Well, basically - everything.
We will pioneer the uncharted subtitle attack vector, demonstrate its disastrous potential, and unravel the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; files being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms, including VLC, Kodi (XBMC) and PopcornTime.
It seems there is no limit to what can be achieved by using these supposedly minor text files.
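The abstract's two technical points, that subtitle formats carry HTML-style tags and that every player parses them with its own code, are what make a subtitle file untrusted input. The following added example (not code from the talk or from any of the players named) is a hypothetical hardened SRT cue parser: it validates timestamps, rejects malformed cues, and escapes every tag except a small formatting whitelist before the text could reach a web view. The cue format, the whitelist and the sample file are assumptions for the demonstration.

```python
import html
import re
from dataclasses import dataclass
from typing import List

# Only bare inline formatting tags survive; everything else is escaped as text.
ALLOWED_TAGS = {"b", "i", "u"}
_TIME_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})$")
_TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^<>]*>")

# Constructed sample: one benign cue, one cue carrying a script tag and a tag attribute.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,500
<i>Hello</i> there

2
00:00:04,000 --> 00:00:06,000
<script>run()</script> <b onclick="x">bold</b>
"""

@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    text: str  # safe to render: whitelisted tags only, all other markup escaped

def parse_timestamp(ts: str) -> int:
    """Parse HH:MM:SS,mmm into milliseconds; reject anything else."""
    m = _TIME_RE.match(ts.strip())
    if not m:
        raise ValueError(f"malformed timestamp: {ts!r}")
    h, mi, s, ms = (int(x) for x in m.groups())
    if mi > 59 or s > 59:
        raise ValueError(f"out-of-range timestamp: {ts!r}")
    return ((h * 60 + mi) * 60 + s) * 1000 + ms

def sanitize_text(raw: str) -> str:
    """Escape the cue text, then re-emit only attribute-free whitelisted tags."""
    out, pos = [], 0
    for m in _TAG_RE.finditer(raw):
        out.append(html.escape(raw[pos:m.start()]))
        name, closing = m.group(1).lower(), m.group(0).startswith("</")
        if name in ALLOWED_TAGS:
            out.append(f"</{name}>" if closing else f"<{name}>")  # attributes dropped
        else:
            out.append(html.escape(m.group(0)))  # unknown tag becomes literal text
        pos = m.end()
    out.append(html.escape(raw[pos:]))
    return "".join(out)

def parse_srt(data: str, max_cues: int = 10000) -> List[Cue]:
    """Split the file into cue blocks and validate each one before accepting it."""
    cues: List[Cue] = []
    for block in re.split(r"\n\s*\n", data.strip()):
        lines = block.splitlines()
        if len(lines) < 2:
            raise ValueError("cue block too short")
        parts = lines[1].split()
        if len(parts) < 3 or parts[1] != "-->":
            raise ValueError(f"bad timing line: {lines[1]!r}")
        start, end = parse_timestamp(parts[0]), parse_timestamp(parts[2])
        if end < start:
            raise ValueError("cue ends before it starts")
        cues.append(Cue(int(lines[0].strip()), start, end, sanitize_text("\n".join(lines[2:]))))
        if len(cues) > max_cues:
            raise ValueError("too many cues")
    return cues
```

Feeding it a malformed timing line or a cue with a negative duration raises instead of silently producing a cue, which is the behaviour a player should have before the text reaches any renderer.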
But wait, the plot thickens. Our presentation will delve even further into the subtitle supply chain. Some media players download subtitles automatically from shared online repositories (such as OpenSubtitles) where they are indexed and ranked.
By manipulating the website's ranking algorithm, we were able to guarantee our crafted malicious subtitles would be the ones downloaded by the video player, allowing us to take complete control over the entire subtitle supply chain - Look ma, no MITM or user interaction.
Do you like scary movies?