[PATCH] Serious Security Issue with UPnPServer.cpp

Pavel Mironchyk
Junior Member, Posts: 2, Joined: Feb 2013
2013-02-01 15:00
Post: #1
(This post was last modified: 2013-02-01 15:34 by Pavel Mironchyk.)

Dear All,

There is a serious security hole in the XBMC UPnP server (confirmed on 11.0, 12 and latest git, Win/Mac). It is possible to get access to files outside of the media library. If a UPnP client issues a "Browse" (BrowseDirectChildren) action request with an empty ObjectID (""), the XBMC server will basically return the root filesystem listing. Folders and files from the listing will be cached for HTTP access on the server side, and direct links will be returned in the DIDL response. Due to this, it becomes possible to browse all subfolders starting from the root "/" and to have HTTP access to any individual file.

Concluding, because of this issue, a potential adversary can get access to any file on the machine via the UPnP server of XBMC.

I just created a pull request on GitHub. See the link to the patch: https://github.com/pamiro/xbmc/commit/70...1b9bcea33c

Best regards,
Pavel Mironchyk
Pavel Mironchyk
Junior Member, Posts: 2, Joined: Feb 2013
2013-02-01 16:58
Post: #2

How to reproduce the issue using the Cling UPnP Workbench client:

1. Install XBMC. Start it and make sure that "Share video and music libraries through UPnP" is enabled.
2. Get Cling Workbench: http://4thline.org/projects/cling/workbench/ . This is just a nice application to invoke UPnP actions manually.
3. In Cling Workbench locate the XBMC server, select "ContentDirectory->Browse", and click on the "Invoke Action" button.
4. Use the following parameters for Invoke Action:
   ObjectID: << NULL >>
   BrowseFlag: BrowseDirectChildren
   StartingIndex: 0
   RequestCount: 100
   SortCriteria: << NULL >>
   Then click on Invoke.
5. Check the DIDL result. Below is what I am getting on my Mac:

   </DIDL-Lite>
   ...
   <container id="/Volumes/" parentID="" restricted="1" searchable="1">
     <dc:title>Volumes</dc:title>
     <dc:creator>Unknown</dc:creator>
     <upnp:genre>Unknown</upnp:genre>
     <upnp:class>object.container</upnp:class>
   </container>
   <item id="/mach_kernel" parentID="" restricted="1">
     <dc:title>mach_kernel</dc:title>
     <dc:creator>Unknown</dc:creator>
     <dc:date>23/08/2012</dc:date>
     <upnp:genre>Unknown</upnp:genre>
     <res protocolInfo="http-get:*:application/octet-stream:*">http://192.168.0.106:61337/%2525/10C0284FE0494C8BFAD9052DEFF86E0F%252Fmach_kernel</res>
     <upnp:class>object.item</upnp:class>
   </item>
   ...
   </DIDL-Lite>

If I open the link http://192.168.0.106:61337/%2525/10C0284...ach_kernel I get the kernel of my OS. And I can invoke Browse on other containers like /Volumes/.
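The two posts above describe the cause (an empty ObjectID is treated as the filesystem root) and show the DIDL that results. The following is an added example written for this thread; it is not XBMC's code and not the linked patch. It shows the server-side check a ContentDirectory implementation needs before it resolves a Browse ObjectID to a path: an empty ObjectID is rejected, the UPnP root container "0" maps to the list of shares rather than to "/", and every other ObjectID must normalise (with "." and ".." collapsed) to a location under one of the exported shares. The share paths in kExportedRoots and the DIDL text in kSampleDidl are constructed for the example; IdsOutsideShares is a small detection helper a user can run over a Browse response from their own server to see whether it is handing out ids outside the configured shares, as the response in post #2 does.

```cpp
// Added example: validating a UPnP ContentDirectory Browse ObjectID before
// it is resolved to a filesystem path. Not XBMC's code; share paths are made up.
#include <iostream>
#include <string>
#include <vector>

// Hypothetical shares the server is configured to export (constructed values;
// XBMC would take these from its media sources).
static const std::vector<std::string> kExportedRoots = {
    "/Users/me/Movies/",
    "/Users/me/Music/",
};

// Collapse "." and ".." components and duplicate slashes so that a prefix
// comparison against a share root cannot be escaped. Never returns a
// trailing slash, except for "/" itself.
std::string NormalizePath(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() {
        if (cur == "..") { if (!parts.empty()) parts.pop_back(); }
        else if (!cur.empty() && cur != ".") parts.push_back(cur);
        cur.clear();
    };
    for (char c : path) { if (c == '/') flush(); else cur += c; }
    flush();
    std::string out;
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// True if the normalised path is the share root or lies below it. A share
// of "/" would expose the whole filesystem, so it is never accepted.
bool IsUnderRoot(const std::string& norm, const std::string& root) {
    const std::string r = NormalizePath(root);
    if (r == "/") return false;
    return norm == r || norm.compare(0, r.size() + 1, r + "/") == 0;
}

// Outcome of validating a Browse request's ObjectID.
enum class Browse { Reject, ListShares, Path };

// Hardened lookup: "" is an error (not an alias for "/"), "0" is the UPnP root
// container (list the shares), anything else must be an absolute id that
// normalises to a location inside an exported share.
Browse CheckObjectId(const std::string& objectId,
                     const std::vector<std::string>& roots,
                     std::string& resolved) {
    resolved.clear();
    if (objectId.empty()) return Browse::Reject;
    if (objectId == "0") return Browse::ListShares;
    if (objectId[0] != '/') return Browse::Reject;
    const std::string norm = NormalizePath(objectId);
    for (const auto& root : roots) {
        if (IsUnderRoot(norm, root)) { resolved = norm; return Browse::Path; }
    }
    return Browse::Reject;
}

// Convenience wrappers over the configured shares.
Browse Decide(const std::string& objectId) {
    std::string ignored;
    return CheckObjectId(objectId, kExportedRoots, ignored);
}
std::string Resolve(const std::string& objectId) {
    std::string resolved;
    CheckObjectId(objectId, kExportedRoots, resolved);
    return resolved;  // empty unless the id was accepted as a path
}

// Detection helper: pull every object id out of a DIDL-Lite response and
// return the ones the hardened check would refuse. A non-empty result means
// the server is exposing locations outside its shares. The ` id="` pattern
// (leading space, lowercase) does not match parentID attributes.
std::vector<std::string> IdsOutsideShares(const std::string& didl,
                                          const std::vector<std::string>& roots) {
    std::vector<std::string> bad;
    const std::string key = " id=\"";
    for (size_t pos = didl.find(key); pos != std::string::npos;
         pos = didl.find(key, pos + key.size())) {
        const size_t start = pos + key.size();
        const size_t end = didl.find('"', start);
        if (end == std::string::npos) break;
        const std::string id = didl.substr(start, end - start);
        std::string resolved;
        if (CheckObjectId(id, roots, resolved) == Browse::Reject) bad.push_back(id);
    }
    return bad;
}

// Constructed DIDL fragment modelled on the response in post #2, plus one
// legitimate item under a share.
static const std::string kSampleDidl =
    "<DIDL-Lite>"
    "<container id=\"/Volumes/\" parentID=\"\" restricted=\"1\"><dc:title>Volumes</dc:title></container>"
    "<item id=\"/mach_kernel\" parentID=\"\" restricted=\"1\"><dc:title>mach_kernel</dc:title></item>"
    "<item id=\"/Users/me/Movies/film.mkv\" parentID=\"/Users/me/Movies\" restricted=\"1\"></item>"
    "</DIDL-Lite>";

int main() {
    for (const auto& id : IdsOutsideShares(kSampleDidl, kExportedRoots))
        std::cout << "id outside shares: " << id << "\n";
    return 0;
}
```

Running the example reports "/Volumes/" and "/mach_kernel" as ids outside the shares while the movie item passes; feeding "" or a ".."-laden id to CheckObjectId yields Browse::Reject, which is the behaviour the server needs so that neither an empty ObjectID nor a crafted one can reach a path outside the configured media sources.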