Blu-Ray Player vulnerability allows hackers to compromise machines and steal dataVulnerability 1 – Windows – Cyberlink PowerDVDVulnerability 2 – Physical Blu-ray Players
The flaws was discovered by British hacker Stephen Tomkinson who presented the vulnerability on NCC Blog.
Vulnerability 1 – Windows – Cyberlink PowerDVD
The first vulnerability demonstrated by Tomkinson shows how a potential hacker can create a malicious Blu-ray disc by taking advantage of poorly implemented Java. The malicious disc can execute arbitrary codes automatically and also bypass the auto-run prevention mechanism in Windows. To show his vulnerability, Tomkinson used the popular Cyberlink’s PowerDVD software. Tomkinson says that Cyberlink’s PowerDVD supports Blu-ray since 2009 but has hardly updated security mechanisms since then. PowerDVD comes with a range of additional Java classes which provide functionality internal to the player, but which are still callable by Xlets on the disc. One of these is the CUtil class which provides access to functions implemented in native code which fall outside of the SecurityManager’s control. These functions allow the player to obtain the current licence details, the ability to pop-up windows confirmation dialogs and most usefully for us an ability to read arbitrary files from the disc. Additionally Cyberlink have written their own SecurityManager App for limiting the functionality of an Xlet, a Java-based application containing the disc’s dynamic menus and embedded content that is run in a Java Virtual Machine. “PowerDVD comes with a range of additional Java classes which provide functionality internal to the player, but which are still callable by Xlets on the disc. One of these is the CUtil class which provides access to functions implemented in native code which fall outside of the SecurityManager’s control,” Tomkinson stated on the blog post. Tomkinson used or rather abused these functions and created instructions that read the arbitrary code once they were placed on the disc. Once the Blu-ray disc was put in the PC, it could run the executable without even running the content and bypassing the auto-play trigger in Windows OS.
Vulnerability 2 – Physical Blu-ray Players
While the first vulnerability was in the software part of the the Blue-ray, the second vulnerability presented by Tomkinson and associates exploited a physical Blu-ray player vulnerability. This vulnerability was based on previous research by Malcom Stagg, whose project permits modification of the Sony Blu-ray BDP firmware in order to remove anti-piracy technology Cinavia. Tomkinson achieved the hack by launching a library from a USB drive plugged into the device and the web browser based on Stagg’s work. Tomkinson relied on the embedded Linux system to provide a path onto the target’s network; using the Xlets on the disc, it is possible to access the “net inf” and “ipc” daemons, which have client applications on the player. As such, an “execute” function is available and it could be used to run a command. The exploit consists in dumping the TCP stream for a valid execute request of something already present on the disc, from the IPC client application. Then, an Xlet can be written to replay the same byte to the daemon and thus execute the arbitrary code on the disc. Tomkinson says that the exploits for both the software and the physical Blu-ray players can be embedded on the Blu-ray without the knowledge of the potential victim and launched selectively. There is no patch for these vulnerabilities as of now so Tomkinson recommends users not to play Blu-ray discs from unknown sources and disable the AutoPlay functionality in Windows.