Both physical and software Blu-ray players can be abused

Mar 2, 2015 13:10 GMT  ·  By

Security flaws in both software and hardware Blu-ray players can allow a threat actor to gain a foothold on an internal network and compromise machines to exfiltrate sensitive information.

Security researchers at NCC Group managed to exploit different vulnerabilities in Blu-ray players and created a disc that can run platform-specific rogue executables before the media content is played.

Abusing Blu-ray player software

Security researcher Stephen Tomkinson demonstrated how a malicious Blu-ray disc can be created by taking advantage of poorly implemented Java, allowing a sandbox escape and executing arbitrary code automatically, bypassing the auto-run prevention mechanism in Windows.

Tomkinson used CyberLink’s PowerDVD as an example, saying that the application’s security mechanisms have changed little since Blu-ray support was added in 2009.

The developer uses its own SecurityManager to limit the functionality of an Xlet, a Java-based application containing the disc’s dynamic menus and embedded content that is run in a Java Virtual Machine.

“PowerDVD comes with a range of additional Java classes which provide functionality internal to the player, but which are still callable by Xlets on the disc. One of these is the CUtil class which provides access to functions implemented in native code which fall outside of the SecurityManager’s control,” Tomkinson writes in a blog post.

By abusing these native functions, the researchers were able to reach and run the arbitrary code they had placed on the disc.
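As an added illustration, not PowerDVD’s or NCC Group’s code, the following Java sketch shows the sandbox pattern the quoted paragraph describes: a player-installed SecurityManager blocks an Xlet’s ordinary file reads, while a player-internal helper backed by native code skips the manager entirely, beside the hardened form that consults the manager before crossing into native code. All class names, the file path and the in-memory “host file system” are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;

public class XletSandboxDemo {

    // Hypothetical stand-in for the player's own SecurityManager: disc code may not read host files.
    static class PlayerSecurityManager extends SecurityManager {
        @Override public void checkRead(String file) {
            throw new SecurityException("Xlet may not read " + file);
        }
        // Everything else is allowed so the demo stays focused on file reads.
        @Override public void checkPermission(java.security.Permission perm) { }
    }

    // Constructed mock of what the native layer can reach. In a real player this is JNI code
    // talking to the OS directly, so the Java SecurityManager never sees the access.
    private static final Map<String, String> HOST_FILES = new HashMap<>();
    static { HOST_FILES.put("C:\\secret.txt", "constructed host file contents"); }

    private static String nativeRead(String path) {
        String data = HOST_FILES.get(path);
        if (data == null) throw new IllegalArgumentException("no such file: " + path);
        return data;
    }

    // Flawed pattern (hypothetical analogue of the article's CUtil): native functionality
    // exposed to Xlets with no check at all, so the sandbox is silently bypassed.
    static String uncheckedRead(String path) { return nativeRead(path); }

    // Hardened pattern: ask the installed SecurityManager before crossing into native code.
    static String checkedRead(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkRead(path);   // throws SecurityException for sandboxed callers
        return nativeRead(path);
    }

    public static void main(String[] args) {
        // SecurityManager is legacy API; Java 17+ needs -Djava.security.manager=allow for this call.
        System.setSecurityManager(new PlayerSecurityManager());
        String target = "C:\\secret.txt";
        try { new java.io.FileInputStream(target).close(); }
        catch (Exception e) { System.out.println("plain Java I/O: " + e); }          // blocked by the manager
        System.out.println("unchecked native bridge: " + uncheckedRead(target));    // sandbox bypassed
        try { checkedRead(target); }
        catch (SecurityException e) { System.out.println("checked native bridge: " + e); } // blocked again
    }
}
```

The lesson for any sandbox that exposes privileged helpers to untrusted content is the same: every bridge into code the sandbox cannot see must perform the sandbox’s own check itself.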

Exploiting glitches in physical Blu-ray players

The second vulnerability exploited affects a physical Blu-ray player and builds on earlier work by Malcolm Stagg, whose project allows modifying the firmware of Sony BDP Blu-ray players in order to remove the Cinavia anti-piracy technology.

However, that hack required loading a library from a USB drive plugged into the device and using the player’s web browser, steps a victim is not easily tricked into performing.

Tomkinson instead relied on the player’s embedded Linux system to provide a path onto the target’s network: from the Xlets on the disc it is possible to reach the “net inf” and “ipc” daemons, which have client applications on the player. One of the functions exposed this way is an “execute” function that can be used to run a command.

The exploit consists of dumping the TCP stream of a valid execute request, issued through the IPC client application for something already present on the disc. An Xlet can then be written that replays the same bytes to the daemon, which executes the arbitrary code on the disc.

Tomkinson says that the exploits for the software and the physical Blu-ray players can both be embedded on the same disc and launched selectively, after determining the context in which the disc is being played. To quash any suspicion of malicious activity, the disc then starts the video.

To mitigate the risk, the researcher recommends that users not play Blu-ray discs from unknown sources and that they disable the AutoPlay functionality in Windows.

Additionally, cutting off the physical player’s network access would stifle exploitation; this can be done from the device’s settings menu.