How to serve malware by exploiting Blu-ray disc attacks



A British hacker has found two Blu-ray-borne attacks that could be used to infect machines, a technique reminiscent of the method used by the Equation Group.

Security expert Stephen Tomkinson from NCC Group has discovered a couple of vulnerabilities in the software used to play Blu-ray discs. Exploiting the flaws could allow an attacker to implant malware on machines using the vulnerable devices.

Tomkinson engineered a Blu-ray disc that can be used to run the two Blu-ray attacks: the disc detects the type of player it is running on and uses one of the exploits developed by the hacker to serve malware on the host. Tomkinson presented his Blu-ray attacks at the Securi-Tay conference at Abertay University in Scotland on Friday.

One of his exploits relies on a poor Java implementation in PowerDVD, a CyberLink product that is used to play DVDs on PCs and that creates rich content (i.e. menus, games) using a variant of Java, the Blu-ray Disc Java (BD-J). PowerDVD is installed by default on Windows computers sold by many vendors, including Acer, ASUS, Dell, HP, Lenovo and Toshiba.

Basically, the researcher succeeded in putting executables onto Blu-ray discs and making those discs run automatically on startup, even when the autorun feature is disabled by default.

The Blu-ray Disc Java uses small applications called “xlets” to implement the interfaces. Although xlets are prohibited from accessing computer resources, a flaw in PowerDVD allows them to bypass the sandbox and run malicious code.

“By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player it’s being played on and launch a platform specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion. These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.” states the researcher in a blog post.

The second flaw affects some Blu-ray disc player hardware. The attack relies on an exploit written by Malcolm Stagg that allows an attacker to get root access on a Blu-ray player.

“This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment,” explained Tomkinson.

Tomkinson wrote an xlet that exploited a small client application called “ipcc” running on the targeted machine to launch a malicious file from the Blu-ray disc.

Abusing Blu-ray Players Pt. 1 – Sandbox Escapes (NCC Group)

The researcher also proposed some improvements to his attacks, such as a technique to identify the host system so that the appropriate exploit is launched. To hide the activity, the Blu-ray disc engineered by the expert starts playing the legitimate content after the malicious code has executed.

The attacks described in this post recall a technique used by the Equation Group APT to compromise the machines of some participants of a scientific conference held in Houston. The participants received a CD-ROM containing the conference material and some zero-day exploits, including a highly sophisticated backdoor codenamed Doublefantasy.

NCC Group has contacted the vendors to fix the issue but is still waiting for a reply.

Pierluigi Paganini

(Security Affairs –  Hackers, cyber security)