Latest Subtitle VNC hack
#16
Replacing this line in the Opensubtitles addon: https://github.com/opensubtitles/service...ice.py#L96

To something like this (maybe someone can improve this), should work.
Code:
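import zipfile, re
# `zip` (archive path) and `__temp__` (extraction directory) are defined earlier in the addon
zin = zipfile.ZipFile(zip, 'r')
for item in zin.infolist():
    # Skip any member whose name contains a ".." path component (delimited by / or \)
    if re.search(r"((^|/|\\)\.{2}($|/|\\))", item.filename, re.IGNORECASE | re.MULTILINE):
        continue
    else:
        zin.extract(item, __temp__)
zin.close()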
Reply
#17
See here Hacked in Translation – from Subtitles to Complete Takeover

This is some scary sh... are there any urgent plans to patch it and which versions of Kodi will receive the patch?

Cheers
Reply
#18
17.2 already covers this problem
Reply
#19
Is there anything you can look for in a subtitle file to tell if it is infected?

I understand that if you let Kodi automatically download subtitles, that's a problem. From what I am reading in this thread, we'd be safe if we unzipped the subtitles outside of Kodi and then manually moved them? Or is there something malicious in the subtitle text file itself? If so, are there specific characters that could be stripped out? If there is any potential harm in the actual subtitles files, is there any kind of "scrubber" program that could be used to clean up subtitle files, or let you know they are bad and delete them before they can do any damage?

From the video it appears this thing allows the attacker to VNC in. Is there a way to block it from making a connection using a firewall, or some other program?

I would like to know if any of the subtitle repositories (such as Open Subtitles) are taking any proactive steps to delist bad subtitles. If not, they should!

One thing you must realize is there are many systems that are not and maybe cannot immediately run the latest version of Kodi. Personally I am still running Isengard because EVERY newer version has broken something I use (in Krypton it's passthru audio in Live TV). Kodi has been saying for some time now that you are never forced to upgrade to a newer version, but doesn't leaving older versions vulnerable kind of have the same effect? Could the Kodi subtitles addons be modified to check for "bad" subtitle files? I ask that because the addons can usually be installed in older versions (up to a point).

I'd really like to find a solution that works system-wide. For example, if the exploit depends on VNC, is there a way to restrict VNC connections to my local network only (this would be on an Ubuntu Linux 14.04 system)? Or to totally disable VNC except when I need to use it locally?

The whole problem with the warning appearing in most of the articles is that it gives just enough information to scare the hell out of anyone that has ever used subtitles or that occasionally needs them, without really giving any information on how to prevent infection or remove any infection already present.

My personal feeling is that at the very least, Kodi should immediately issue replacements to subtitle addons that either proactively prevent bad subtitle files from being allowed to do anything malicious, or failing that they should do absolutely nothing except display a warning against using such an addon, until there is some way to make the addon distinguish between an infected subtitle and a normal one. That would be one fast way to slow this down because (maybe contrary to the delusions of certain Kodi developers) most Kodi users probably aren't all that computer-savvy, and many are running older versions, and a fair percentage probably neither read the type of sites that contain such warnings nor would have the foggiest idea how to upgrade Kodi (or might not want to for one reason or another). At least if the subtitles addons were updated to prevent downloading any malicious subtitles (even if that means downloading NO subtitles at all until a prophylactic can be developed) it would help slow the infection.
Reply
#20
(2017-05-24, 16:19)mortael Wrote: Replacing this line in the Opensubtitles addon: https://github.com/opensubtitles/service...ice.py#L96

To something like this (maybe someone can improve this), should work.
Code:
import zipfile, re
zin = zipfile.ZipFile(zip,  'r')
for item in zin.infolist():
    if re.search(r"((^|/|\\)\.{2}($|/|\\))", item.filename, re.IGNORECASE | re.MULTILINE):
        continue
    else:
        zin.extract(item, __temp__)

I have no idea how you'd do this in an existing system but if this works, could you guys PLEASE update the OpenSubtitles addon to include it?
Reply
#21
(2017-05-24, 19:39)xbmclinuxuser Wrote: I have no idea how you'd do this in an existing system but if this works, could you guys PLEASE update the OpenSubtitles addon to include it?

In existing system? What does that mean? It is pretty simple actually, the regex only checks for /../ or \..\ in zip path name (which is level up) and if it's there, doesn't extract it....

All subtitle providers / addon authors should check for this and correct it in their addons....
Reply
#22
@birdwatcher please update and address said issues here on the forum. In their own separate thread with debug logs.
first_time_user (wiki) | free content (wiki) | forum rules (wiki) | PVR (wiki) | Debug Log (wiki)

IMPORTANT:
The official Kodi version does not contain any content whatsoever. This means that you should provide your own content from a local or remote storage location, DVD, Blu-Ray or any other media carrier that you own. Additionally Kodi allows you to install third-party plugins that may provide access to content that is freely available on the official content provider website. The watching or listening of illegal or pirated content which would otherwise need to be paid for is not endorsed or approved by Team Kodi.
Reply
#23
OpenSubtitles.org made a fix from their side:

https://forum.opensubtitles.org/viewtopi...=1&t=16118
Reply
#24
(2017-05-25, 11:45)bry Wrote: @birdwatcher please update and address said issues here on the forum. In their own separate thread with debug logs.
This does not solve the problem for older installations of Kodi that surely must number in the thousands (if not tens of thousands or more, I don't know).

Again, one thing is features. You want new ones, you upgrade. But security really should be handled differently.
Pretty please. :)
For troubleshooting and bug reporting please make sure you read this first (usually it's enough to follow instructions in the second post).
Reply
#25
This looks like a serious security hole that seems to be closed with a rather simple looking one line regex.

How can this not be backported to previous versions?
If this is not going to happen a statement should be made warning everybody that the official team only supports latest version even for serious security issues.

Also the vulnerability description here: https://www.checkpoint.com/defense/advis...nerability states that the flaw exists on the opensubtitles addon, not in Kodi's core. However the patch above is against Kodi core, is this a preemptive approach (patch the zip service the addons use) or is the vulnerability above wrongly assigned to just the opensubtitles addon?
Reply
#26
(2017-05-23, 21:12)ronie Wrote: we fixed the issue recently: https://github.com/xbmc/xbmc/pull/12024
it's included in the upcoming kodi v17.2 release

I am currently unable to update because I am running old Revo 3610s and they seem to have a problem with playing videos in newer versions of Kodi. Is there any way for me to protect myself from this vulnerability while still using an old version of XBMC/Kodi?
Reply
#27
Does this mean things are good now even in older versions? I know it's best to upgrade if we can, but not all of us can.

https://forum.opensubtitles.org/viewtopi...=1&t=16119
Reply
#28
Is this only if we download subtitles via Kodi? I have subliminal gather SRT files first and place them in the video directory, I believe this is safe but I can't find the answer on this (only questions, like birdwatcher asked above)...
Reply
#29
(2017-05-24, 16:19)mortael Wrote: Replacing this line in the Opensubtitles addon: https://github.com/opensubtitles/service...ice.py#L96

To something like this (maybe someone can improve this), should work.
Code:
import zipfile, re
zin = zipfile.ZipFile(zip,  'r')
for item in zin.infolist():
    if re.search(r"((^|/|\\)\.{2}($|/|\\))", item.filename, re.IGNORECASE | re.MULTILINE):
        continue
    else:
        zin.extract(item, __temp__)

+1 for the fix in the opensubtitles addon. As far as I understood from the Kodi GitHub repo, the XBMC.Extract function was vulnerable to path traversal, so if you cannot update to the latest Kodi version, you can replace the Extract function calls in every subtitles addon with custom code so that you can still safely extract only the part of the subtitles zip file that you need. Be careful though, the Python zipfile library is also vulnerable to path traversals before Python 2.7.4. Jarvis and previous versions make use of Python 2.6, so the regular expression check is a must, otherwise if you call .extractall you put your Kodi at risk!
Reply
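The per-member check discussed in posts #21 and #29, as an added example that is not part of the thread or of any addon's code: it applies the same ".." regex, then extracts only subtitle files whose resolved path stays inside the destination. It is written for Python 3; the absolute-path test, the extension list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import re
import zipfile

# The thread's check: a ".." path component delimited by / or \.
DOTDOT = re.compile(r"(^|/|\\)\.\.($|/|\\)")


def is_unsafe(name):
    """True if a member name could resolve outside the extraction directory."""
    if DOTDOT.search(name):
        return True
    # Assumption beyond the thread: also refuse absolute paths and drive letters.
    return name.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", name) is not None


def safe_extract(zip_file, dest, wanted_ext=(".srt", ".sub", ".ass")):
    """Extract only safely named subtitle files; return (extracted, rejected)."""
    extracted, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(zip_file, "r") as zin:
        for item in zin.infolist():
            name = item.filename
            if is_unsafe(name) or not name.lower().endswith(wanted_ext):
                rejected.append(name)
                continue
            # Defence in depth: the resolved target must stay under dest.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zin.open(item) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_zip():
    """Constructed sample: two normal subtitles and three hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("movie.srt", "subs/movie.en.srt", "../../evil.py",
                     "subs\\..\\..\\evil.srt", "/tmp/abs.srt"):
            z.writestr(name, "1\n00:00:01,000 --> 00:00:02,000\nhello\n")
    buf.seek(0)
    return buf
```

The returned `rejected` list doubles as a quick way to flag a downloaded archive before anything is written to disk.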
