How to serve malware by exploiting Blu-ray disc attacks

A British hacker has found two Blu-ray-borne attacks that could be used to infect machines, a technique reminiscent of the method used by the Equation Group.

Security expert Stephen Tomkinson of NCC Group has discovered two vulnerabilities in the software used to play Blu-ray discs. Exploiting the flaws could allow an attacker to plant malware on a machine that uses the vulnerable player.

Tomkinson engineered a single Blu-ray disc capable of running both attacks: the disc discovers the type of player it is running on and then uses the matching exploit developed by the researcher to deliver malware to the host. Tomkinson presented his Blu-ray attacks at the Securi-Tay conference at Abertay University in Scotland on Friday.

One of his exploits relies on a weak Java implementation in CyberLink's PowerDVD, a product used to play DVDs on PCs that renders rich content (e.g. menus, games) written in a variant of Java, Blu-ray Disc Java (BD-J). PowerDVD comes pre-installed on Windows computers sold by many vendors, including Acer, ASUS, Dell, HP, Lenovo and Toshiba.

In short, the researcher succeeded in putting executables onto Blu-ray discs and making those discs run them automatically on startup, even when the autorun feature is disabled by default.

Blu-ray Disc Java uses small applications called “xlets” to implement disc interfaces. Although xlets are normally prohibited from accessing computer resources, a flaw in PowerDVD allows the sandbox to be bypassed and malicious code to be run.

“By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player it’s being played on and launch a platform specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion. These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.” states the researcher in a blog post.

The second flaw affects some Blu-ray disc player hardware; the attack builds on an exploit written by Malcolm Stagg that gives an attacker root access on a Blu-ray player.

“This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment,” explained Tomkinson.

Tomkinson wrote an xlet that exploited a small client application called “ipcc” running on the targeted machine to launch a malicious file from the Blu-ray disc.


The researcher also proposed improvements to his attacks, such as a technique to identify the host system so that the appropriate exploit is launched; to hide the activity, the disc he engineered starts playing its legitimate content after the malicious code has executed.

The attacks described in this post recall a technique used by the Equation Group APT to compromise the machines of some participants in a scientific conference held in Houston. The participants received a CD-ROM containing the conference material along with several zero-day exploits, including a highly sophisticated backdoor codenamed DoubleFantasy.

NCC Group has contacted the vendors about fixing the issues but is still waiting for a reply.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.
