Sonarr: Adjust DetectSample error to warn about malicious executable video files

Created on 9 Oct 2019 · 11 Comments · Source: Sonarr/Sonarr

Describe the bug
When Sonarr (latest v2 release) processes HEVC/h265 files, it doesn't automatically move the files. Instead, the files need "manual import".

If mediainfo is run against the file, I get the following:

/ # mediainfo --full /downloads/sonarr/downloaded-episode.mkv
General
Count                                    : 332
Count of stream of this kind             : 1
Kind of stream                           : General
Kind of stream                           : General
Stream identifier                        : 0
Complete name                            : /downloads/sonarr/downloaded-episode.mkv
Folder name                              : /downloads/sonarr
File name extension                      : downloaded-episode.mkv
File name                                : downloaded-episode
File extension                           : mkv
Format                                   : MZ
Format                                   : MZ
Format/Extensions usually used           : exe dll
Commercial name                          : MZ
Format profile                           : Executable / AMD x86-64
File size                                : 204765846
File size                                : 195 MiB
File size                                : 195 MiB
File size                                : 195 MiB
File size                                : 195 MiB
File size                                : 195.3 MiB
Stream size                              : 204765846
Stream size                              : 195 MiB (100%)
Stream size                              : 195 MiB
Stream size                              : 195 MiB
Stream size                              : 195 MiB
Stream size                              : 195.3 MiB
Stream size                              : 195 MiB (100%)
Proportion of this stream                : 1.00000
Encoded date                             : UTC 2019-04-27 20:03:30
File last modification date              : UTC 2019-08-08 00:05:23
File last modification date (local)      : 2019-08-08 00:05:23
FileExtension_Invalid                    : exe dll

Logs
Link to debug or trace log files.

2019-10-09 21:02:08.294907500  [sonarr] [Error] DetectSample: [/downloads/sonarr/downloaded-episode.mkv] has a runtime of 0, is it a valid video file? 

System Information

  • Problem exists in the linuxserver/sonarr container

I thought that the problem may have been with the version of MediaInfoLib in the linuxserver/sonarr container.

I built Sonarr manually with the latest version of MediaInfoLib (v19.09), however the problem still seems to exist.

Thanks.

enhancement

All 11 comments

Also, it's worth noting that this problem also seems to exist in Sonarr v3 as well (in the linuxserver/sonarr:preview image).

[Info] Bootstrap: Starting Sonarr - /usr/lib/sonarr/bin/Sonarr.exe - Version 3.0.3.644 
....
[Error] DetectSample: [/downloads/sonarr/downloaded-episode.mkv] has a runtime of 0, is it a valid video file? 

Your media info output does not show a duration, which is all Sonarr cares about for that check.

It looks like the linuxserver docker container is already using libmediainfo 19.09:

https://github.com/linuxserver/docker-sonarr/blob/5889262679b94f1971c47ba5dc9934037e72c5b3/package_versions.txt#L109

Looks like libmediainfo will need to be updated to handle those files.

Format                                   : MZ
Format                                   : MZ
Format/Extensions usually used           : exe dll
Commercial name                          : MZ
Format profile                           : Executable / AMD x86-64

Mediainfo detects that it's an executable, you'll have to check whether that's correct. If it's not an executable then you likely have to report an issue to mediainfo.

Thanks for your help! I'd not used mediainfo before. I'll raise an issue on their github. Would you like me to close this bug out or did you want to leave it open while the MediaInfo issue is open?

We close the issue coz there's nothing actionable for us given that the mediainfo cmdline gives the same results.

You confirmed the file is really a playable video?

You confirmed the file is really a playable video?

I'm an idiot.

So there looks to be some new attack vector. Running "file" over the video file gives this:

PE32+ executable (GUI) x86-64, for MS Windows

I wonder if an enhancement to Sonarr might be to use libmagic or file after the file has been downloaded but before it is renamed/moved. If the video/subtitle files contain an executable, the download is blacklisted.

Thoughts?

For anyone reading this that is also in the same boat, adding a delay profile (~12 hours) to Sonarr seems to reduce the likelihood of the problem occurring.
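
A sketch of the pre-import check proposed in the comment above, as an added example that is not part of the original thread and is not Sonarr's code. The function names and the import/manual/block policy are assumptions; the signatures are the standard MZ/PE, ELF and EBML (Matroska) magic bytes, and the sample headers are constructed.

```python
import struct

EBML_MAGIC = b"\x1a\x45\xdf\xa3"        # Matroska/WebM files start with an EBML header
ELF_MAGIC = b"\x7fELF"                  # Linux/Unix executables
EXECUTABLE_KINDS = {"pe", "mz", "elf"}

def classify_header(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file extension."""
    if head[:4] == EBML_MAGIC:
        return "matroska"
    if head[:4] == ELF_MAGIC:
        return "elf"
    if head[:2] == b"MZ":
        # DOS header: the 32-bit little-endian field at 0x3C (e_lfanew)
        # holds the offset of the "PE\0\0" signature.
        if len(head) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", head, 0x3C)
            if head[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # MZ header without a PE signature in the bytes read
    return "unknown"

def import_decision(filename: str, head: bytes) -> str:
    """Assumed policy: 'block' executables, 'manual' for mismatches, else 'import'."""
    kind = classify_header(head)
    if kind in EXECUTABLE_KINDS:
        return "block"
    if filename.lower().endswith((".mkv", ".webm")) and kind != "matroska":
        return "manual"
    return "import"

def check_file(path: str) -> str:
    """Read only the first 4 KiB; the content is never parsed as media or executed."""
    with open(path, "rb") as fh:
        return import_decision(path, fh.read(4096))

# Constructed sample headers (not taken from the file in the thread).
SAMPLE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\x00\x00"
SAMPLE_MKV = EBML_MAGIC + b"\x42\x82\x88matroska"

if __name__ == "__main__":
    for name, head in [("downloaded-episode.mkv", SAMPLE_PE), ("episode.mkv", SAMPLE_MKV)]:
        print(name, classify_header(head), import_decision(name, head))
```

Running the check before any media parser touches the file means an `.mkv` that is really a PE binary is rejected on its first bytes instead of surfacing later as a zero-runtime video.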

The real problem is probably having a crappy indexer. :smile: Coz most decent indexers would filter out junk like this easily.

@markus101 We could probably update the SampleCheck to spit out 'video is likely a malicious executable' warning, although this is the first time I ever saw this. What do you think?

I'd be good with logging a better message if/when we can, but also the first time I've seen an executable as a movie like this.

I've been doing a bit more research into this, and it appears the malicious files are crafted to exploit CVE-2019-13615, a vulnerability with certain versions of libebml (used in VLC).

The vulnerability allows for RCE (remote code execution) which potentially allows bad actors to install, modify, or run software without authorisation and could also be used to disclose files on the host system.

Quite the investigator. That makes sense.
