Security issues in XBMC

ChessSpider Offline
Junior Member
Posts: 21
Joined: Nov 2012
Reputation: 0
Post: #46
(2017-02-16 20:08)Martijn Wrote:  Here's the code
https://github.com/xbmc/xbmc


Patches welcome

<3
Memphiz Offline
Kodi MVP
Posts: 16,020
Joined: Feb 2011
Reputation: 225
Location: germany
Post: #47
The second exploit (fetching /etc/passwd) only works because kodi runs as user root which is a really bad idea - just mentioning it ...

AppleTV4/iPhone/iPod/iPad: HowTo find debug logs and everything else which the devs like so much: click here
HowTo setup NFS for Kodi: NFS (wiki)
HowTo configure avahi (zeroconf): Avahi_Zeroconf (wiki)
READ THE IOS FAQ!: iOS FAQ (wiki)
stefansaraev Offline
Retired Team-Kodi Member
Posts: 230
Joined: Oct 2013
Reputation: 8
Post: #48
(2017-02-17 21:05)Memphiz Wrote:  The second exploit (fetching /etc/passwd) only works because kodi runs as user root which is a really bad idea - just mentioning it ...

you know you are wrong..
stefansaraev Offline
Retired Team-Kodi Member
Posts: 230
Joined: Oct 2013
Reputation: 8
Post: #49
Btw, a Team Kodi member told me today that it is possible to (re)write files via Kodi's webserver. Is that true?
Montellese Offline
Team Kodi Developer
Posts: 4,836
Joined: Jan 2009
Reputation: 72
Location: Switzerland
Post: #50
The webserver has no PUT or POST support with file access.

Always read the online manual (wiki), FAQ (wiki) and search the forum before posting.
Do not e-mail Team Kodi members directly asking for support. Read/follow the forum rules (wiki).
Please read the pages on troubleshooting (wiki) and bug reporting (wiki) before reporting issues.
da-anda Offline
Team-Kodi Member
Posts: 5,781
Joined: Jun 2009
Reputation: 77
Location: germany
Post: #51
But if you can execute bash commands, can't you submit the content (new password) you'd like to inject via the GET request?
Montellese Offline
Team Kodi Developer
Posts: 4,836
Joined: Jan 2009
Reputation: 72
Location: Switzerland
Post: #52
How do you execute bash commands? The webserver itself doesn't support that. If it's possible through JSON-RPC and Input.ExecuteAction that would be a problem with builtins.

Memphiz Offline
Kodi MVP
Posts: 16,020
Joined: Feb 2011
Reputation: 225
Location: germany
Post: #53
(2017-02-17 21:20)stefansaraev Wrote:  
(2017-02-17 21:05)Memphiz Wrote:  The second exploit (fetching /etc/passwd) only works because kodi runs as user root which is a really bad idea - just mentioning it ...

you know you are wrong..


No, I don't, else I wouldn't have posted. Where is my error?

ChessSpider Offline
Junior Member
Posts: 21
Joined: Nov 2012
Reputation: 0
Post: #54
(2017-02-18 12:07)Memphiz Wrote:  
(2017-02-17 21:20)stefansaraev Wrote:  
(2017-02-17 21:05)Memphiz Wrote:  The second exploit (fetching /etc/passwd) only works because kodi runs as user root which is a really bad idea - just mentioning it ...

you know you are wrong..


No, I don't, else I wouldn't have posted. Where is my error?

/etc/passwd is readable for everyone, you're probably confusing it with /etc/shadow.

/etc/shadow contains the hashed passwords of all the users on the system and can only be read by root by default. One particular kodi distribution, openelec, runs Kodi as root by default. Instances of openelec can be found on the internet using Shodan.

But hey, openelec uses a hardcoded root password anyway:

Quote:What is the SSH login?

Shortcut: #SSH Login

Currently the login into OpenELEC has fixed settings.

Login: root
Password: openelec

Note that these values are case-sensitive.
(http://wiki.openelec.tv/index.php/OpenEL...use_SSH.3F)

so yeah, yolo
(This post was last modified: 2017-02-18 12:23 by ChessSpider.)
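An added example (not part of any post in this thread): the permission point made in post #54, as a check of which files a file-disclosure bug in a service could return depending on the account the service runs as. The sample modes, owners and the `shadow` gid of 42 are constructed typical Linux defaults, and all function names are hypothetical.

```python
import os
import stat
from collections import namedtuple

# Constructed sample metadata (typical Linux defaults, not read from a real host).
FileMeta = namedtuple("FileMeta", "path mode uid gid")
SAMPLE_FILES = [
    FileMeta("/etc/passwd", 0o644, 0, 0),   # world-readable by design
    FileMeta("/etc/shadow", 0o640, 0, 42),  # root plus group 'shadow' (gid 42 is an assumption)
]

def can_read(meta, proc_uid, proc_gids):
    """POSIX permission-bit check for read; ignores ACLs and MAC (SELinux/AppArmor)."""
    if proc_uid == 0:
        return True  # root (CAP_DAC_OVERRIDE) bypasses the read permission bits
    if proc_uid == meta.uid:
        return bool(meta.mode & stat.S_IRUSR)
    if meta.gid in proc_gids:
        return bool(meta.mode & stat.S_IRGRP)
    return bool(meta.mode & stat.S_IROTH)

def exposure(proc_uid, proc_gids, files=SAMPLE_FILES):
    """Paths that a service running with this identity is able to read."""
    return [m.path for m in files if can_read(m, proc_uid, proc_gids)]

def audit_local(paths=("/etc/passwd", "/etc/shadow")):
    """Same check against the real files on this host, for the current process."""
    gids = set(os.getgroups()) | {os.getegid()}
    readable = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue  # file absent or not stat-able on this system
        meta = FileMeta(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
        if can_read(meta, os.geteuid(), gids):
            readable.append(p)
    return readable

if __name__ == "__main__":
    print("service as uid 1000:", exposure(1000, {1000}))
    print("service as root:    ", exposure(0, {0}))
    print("this process:       ", audit_local())
```

Run under the service account (for example via `sudo -u`), `audit_local()` shows what the media player's own identity can read on that host.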
da-anda Offline
Team-Kodi Member
Posts: 5,781
Joined: Jun 2009
Reputation: 77
Location: germany
Post: #55
(2017-02-18 11:13)Montellese Wrote:  How do you execute bash commands? The webserver itself doesn't support that. If it's possible through JSON-RPC and Input.ExecuteAction that would be a problem with builtins.
fritsch mentioned something about requesting an image via JSON-RPC and adding a pipe at the end to execute another command. He asked if someone running LE could test a certain request, so I assumed he wanted to give one of the mentioned exploits a try.