Unsuspected Blu-ray Player Vulnerabilities Present an Open Passage to Cybercriminals
A team of security researchers at NCC Group analyzed different Blu-ray players and found numerous exploitable vulnerabilities in them.
The researchers created a disc that runs a platform-specific rogue executable before playing the expected media content, and with it they were able to exploit the players' vulnerabilities.
Vulnerabilities in Blu-ray Player software
Stephen Tomkinson, one of the researchers, revealed how easily a malicious Blu-ray disc can be built by abusing a poorly implemented Java sandbox, which allows a sandbox escape and the automatic execution of arbitrary code when the disc is played. This makes it possible to bypass the AutoRun protections in Windows.
The team used CyberLink's PowerDVD as the sample for their findings and stated that the application's security model has changed very little since Blu-ray support was added in 2009.
Xlets are the Java applications that implement a disc's dynamic menus and embedded content; they run in a Java Virtual Machine, and the player vendor uses its own SecurityManager to restrict what an Xlet is allowed to do.
In a blog post Tomkinson wrote: “PowerDVD comes with a range of additional Java classes which provide functionality internal to the player, but which are still callable by Xlets on the disc. One of these is the CUtil class which provides access to functions implemented in native code which fall outside of the SecurityManager’s control.”
By abusing these native-backed functions, the research team was able to craft instructions that loaded and ran the arbitrary code they had placed on the disc.
Abusing flaws in a physical Blu-ray player
For physical Blu-ray players, the team built on the earlier work of Malcolm Stagg, whose project modified Sony Blu-ray BDP firmware so that the Cinavia anti-piracy technology could be removed.
That exploit, however, relied on loading a library from a USB drive plugged into the device and on the player's web browser.
Instead, Tomkinson relied on the embedded Linux system to provide a path onto the target network: using the Xlets on the disc, it became possible to reach the "ipc" and "net inf" daemons. These serve the client applications on the Blu-ray player, and they expose an "execute" function that can be used to run a command.
According to Tomkinson, the exploits for both the physical player and the player software can be placed on the same disc and launched selectively, once the disc has determined the context it is being played in. Any sign of the malicious activity is then masked by starting the video as the viewer expects.
To minimize the associated risks, Tomkinson advises users not to play Blu-ray discs from unverified sources and to deactivate the AutoPlay function in Windows.
Moreover, restricting the physical player's network access, which can be done through the device's settings menu, will hamper exploitation.
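The Windows side of that advice can be audited and applied from an elevated PowerShell session. The script below is an added example and is not code from the NCC Group research or from the article; it goes slightly beyond the text by covering both the machine-wide AutoRun policy (NoDriveTypeAutoRun, where 0xFF disables AutoRun for every drive type, optical drives included) and the per-user AutoPlay switch (DisableAutoplay, the "Use AutoPlay for all media and devices" toggle). Both registry values are standard Windows settings; the script structure, the function names and the -Enforce switch are this example's own.

```powershell
# Added example (not from the NCC Group research or the article): audit and,
# with -Enforce, apply the Windows AutoPlay/AutoRun hardening recommended above.
# Assumes Windows 7 or later and an elevated session for the HKLM policy value.
[CmdletBinding()]
param(
    [switch]$Enforce
)

# Machine-wide AutoRun policy. 0xFF = AutoRun disabled on all drive types,
# including the optical drive a Blu-ray disc would be played from.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyName  = 'NoDriveTypeAutoRun'
$policyValue = 0xFF

# Per-user AutoPlay switch ("Use AutoPlay for all media and devices" in Settings).
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
$userName  = 'DisableAutoplay'
$userValue = 1

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value does not exist yet
    }
}

# Report whether each setting is already in the hardened state.
function Test-AutoPlayHardened {
    $machine = Get-RegistryDword -Path $policyKey -Name $policyName
    $user    = Get-RegistryDword -Path $userKey   -Name $userName
    [pscustomobject]@{
        MachineAutoRunDisabled = ($null -ne $machine -and ($machine -band 0xFF) -eq 0xFF)
        UserAutoPlayDisabled   = ($user -eq 1)
    }
}

# Create the keys if needed and write both DWORD values.
function Set-AutoPlayHardened {
    foreach ($entry in @(
        @{ Path = $policyKey; Name = $policyName; Value = $policyValue },
        @{ Path = $userKey;   Name = $userName;   Value = $userValue }
    )) {
        if (-not (Test-Path $entry.Path)) {
            New-Item -Path $entry.Path -Force | Out-Null
        }
        New-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

$before = Test-AutoPlayHardened
Write-Host "AutoRun disabled (machine policy): $($before.MachineAutoRunDisabled)"
Write-Host "AutoPlay disabled (current user):  $($before.UserAutoPlayDisabled)"

if ($Enforce) {
    Set-AutoPlayHardened
    $after = Test-AutoPlayHardened
    Write-Host "After enforcement: machine=$($after.MachineAutoRunDisabled) user=$($after.UserAutoPlayDisabled)"
}
```

Run it without arguments to audit a machine, and with `-Enforce` to apply the settings; Explorer reads the policy value at logon, so a sign-out or reboot is needed before the change is effective. Note that this only removes the automatic launch: a disc that is opened and played manually still runs its Xlets, so the advice to avoid discs from unverified sources stands on its own.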