Security expert Stephen Tomkinson of NCC Group has discovered a pair of vulnerabilities in software and hardware used to play Blu-ray discs. Exploiting the flaws could allow an attacker to implant malware on machines that use the vulnerable players.
Tomkinson engineered a single Blu-ray disc that can carry out two Blu-ray attacks: the disc detects the type of player it is running on and then uses one of the exploits he developed to deliver malware to the host. Tomkinson presented the attacks at the Securi-Tay conference at Abertay University in Scotland on Friday.
One of his exploits relies on a poor Java implementation in a product called PowerDVD from CyberLink, which is used to play discs on PCs and renders the discs' rich content (menus, games and so on) written in a variant of Java, Blu-ray Disc Java (BD-J). PowerDVD is installed by default on Windows computers sold by many vendors, including Acer, ASUS, Dell, HP, Lenovo and Toshiba.
In short, the researcher managed to place executables on Blu-ray discs and have them run automatically when the disc is played, even with the autorun feature disabled, as it is by default.
Blu-ray Disc Java uses small applications called "xlets" to implement the disc interfaces. Although xlets are supposed to be prohibited from accessing computer resources, a flaw in PowerDVD allows the sandbox to be bypassed so that malicious code can run.
“By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player it’s being played on and launch a platform specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion. These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.” states the researcher in a blog post.
The second flaw affects some Blu-ray disc player hardware; this attack relies on an exploit written by Malcolm Stagg that gives an attacker root access on a Blu-ray player.
“This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment,” explained Tomkinson.
Tomkinson wrote an xlet that exploited a small client application called “ipcc” running on the targeted machine to launch a malicious file from the Blu-ray disc.
The researcher also described refinements to his attacks: a technique to identify the host system so that the appropriate exploit is launched, and, to hide the activity, having the engineered disc start playing its legitimate content once the malicious code has executed.
The attacks described in this post are reminiscent of a technique used by the Equation Group APT to compromise the machines of some participants in a scientific conference held in Houston. The participants received a CD-ROM containing the conference material together with several zero-day exploits, including a highly sophisticated backdoor codenamed DoubleFantasy.
NCC Group has contacted the vendors about fixing the issues but is still waiting for a reply.
(Security Affairs – Hackers, cyber security)