Categories: Breaking NewsHacking

How to serve malware by exploiting Blu-ray disc attacks

A British hacker has found two Blu-Ray-borne attacks that could be run to infect machines, a technique that remind the method used by the Equation Group.

Security expert Stephen Tomkinson from NCC Group has discovered a couple of vulnerabilities in the software used to play Blu-ray discs. The exploitation of the flaw could be used to implant a malware in the machine using the vulnerable devices.

Tomkinson engineered a Blu-ray disc which detects could be used to run two Blu-Ray attacks, the disc could be used to discover the type of player it is running on use one of the exploit developed by the hacker to serve a malware on the host. Tomkinson presented his Blu-Ray attacks at the Securi-Tay conference at Abertay University in Scotland on Friday.

One of his exploits relies on a poor Java implementation in a product called PowerDVD from CyberLink that is used to playing DVDs on PCs and creates rich content (i.e. menus, games) using a variant of Java, the Blu-ray Disc Java (BD-J). PowerDVD is installed by default on Windows computers commercialized by many vendors, including Acer, ASUS, Dell, HP, Lenovo and Toshiba.

Basically, the researcher succeeded to put executables onto Blu-Ray disks and to make those disks run automatically on startup even when the autorun feature is disabled by default.

The Blu-ray Disc Java uses small applications called “xlets”to implement the interfaces, despite they are prohibited from accessing computer resources a flaw in PowerDVD allows to bypass the sandbox to run malicious code.

“By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player it’s being played on and launch a platform specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion. These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.” states the researcher in a blog post.

The second flaw affects some Blu-ray disc player hardware, the exploitation of the attack relies on an exploit written by Malcolm Stagg that allows an attacker the opportunity to get root access on a Blu-ray player.

“This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment,” explained Tomkinson.

Tomkinson wrote an xlet that exploited a small client application called “ipcc” running on the targeted machine to launch a malicious file from the Blu-ray disc.

The researcher also proposed some improvements to his attacks, like the implementation of a technique to identify the system host to launch the appropriate exploit and in order to hide the activity, the Blu-ray disc engineered by the expert will start playing the legitimate content after the execution of the malicious code.

The attacks proposed in this post remind us a technique of attack exploited by the Equation Group APT to compromise the machine of some participants of a scientific conference held in Houston. The participant received a CD-ROM containing the material of the conference, and some zero-day exploits including a high sophisticated backdoor codenamed Doublefantasy.

NCC Group has contacted the vendors to fix the issue but is still waiting for a reply.

Pierluigi Paganini

(Security Affairs –  Hackers, cyber security)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

4 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

11 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

22 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.