
Debian Bug report logs - #855225
kodi: CVE-2017-5982: Unrestricted file download


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 15 Feb 2017 18:06:01 UTC

Severity: important

Tags: confirmed, security, upstream

Found in version kodi/15.1+dfsg1-1

Forwarded to http://trac.kodi.tv/ticket/17314



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#855225; Package src:kodi. (Wed, 15 Feb 2017 18:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 15 Feb 2017 18:06:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kodi: CVE-2017-5982: Unrestricted file download
Date: Wed, 15 Feb 2017 19:03:51 +0100
Source: kodi
Severity: important
Tags: upstream security
Forwarded: http://trac.kodi.tv/ticket/17314

Hi,

the following vulnerability was published for kodi. I did not have the
time to verify if 17.0 is affected. Could you please check and add the
corresponding found versions to this bug, or otherwise close it after
checking?

CVE-2017-5982[0]:
local file inclusion

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5982

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#855225; Package src:kodi. (Wed, 15 Feb 2017 20:45:02 GMT) (full text, mbox, link).


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 15 Feb 2017 20:45:03 GMT) (full text, mbox, link).


Message #10 received at 855225@bugs.debian.org (full text, mbox, reply):

From: Bálint Réczey <balint@balintreczey.hu>
To: Salvatore Bonaccorso <carnil@debian.org>, 855225@bugs.debian.org
Subject: Re: Bug#855225: kodi: CVE-2017-5982: Unrestricted file download
Date: Wed, 15 Feb 2017 21:43:22 +0100
Control: tags -1 confirmed
Control: found -1 15.1+dfsg1-1


2017-02-15 19:03 GMT+01:00 Salvatore Bonaccorso <carnil@debian.org>:
> Source: kodi
> Severity: important
> Tags: upstream security
> Forwarded: http://trac.kodi.tv/ticket/17314
>
> Hi,
>
> the following vulnerability was published for kodi. I did not have the
> time to verify if 17.0 is affected. Could you please check and add the
> corresponding found versions to this bug, or otherwise close it after
> checking?

Done.

Cheers,
Balint

>
> CVE-2017-5982[0]:
> local file inclusion
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-5982
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore



Added tag(s) confirmed. Request was from Bálint Réczey <balint@balintreczey.hu> to 855225-submit@bugs.debian.org. (Wed, 15 Feb 2017 20:45:03 GMT) (full text, mbox, link).


Marked as found in versions kodi/15.1+dfsg1-1. Request was from Bálint Réczey <balint@balintreczey.hu> to 855225-submit@bugs.debian.org. (Wed, 15 Feb 2017 20:45:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#855225; Package src:kodi. (Wed, 26 Apr 2017 17:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 17:09:02 GMT) (full text, mbox, link).


Message #19 received at 855225@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: balint@balintreczey.hu, 855225@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, control@bugs.debian.org
Subject: Re: Bug#855225: kodi: CVE-2017-5982: Unrestricted file download
Date: Wed, 26 Apr 2017 13:05:33 -0400
affects 85225 xbmc
package xbmc
found 85225 2:11.0~git20120510.82388d5-1
thanks

I can confirm this affects both jessie-backports and wheezy. I've been
able to access random files on my Kodi install using:

http://localhost:8080/image/image%3A%2F%2F%2e%2e%252f%2e%2e%252f%2e%2e%252f%2e%2e%252fetc%252fpasswd

Just add more %2e%2e%252f in there if that's not deep enough for you. :)

In wheezy, it's even worse - there's a /vfs/ layer that gives you plain
access to any given path, as bam discovered. But you don't even need any
"special://" protocol, this just works:

http://localhost:8080/vfs/etc/passwd

Given that XBMC 11 (wheezy) and 16 (jessie-backports) are vulnerable, I
would be very surprised if XBMC 13 had any reasonable protections in
place.

As I explained in this post on debian-lts, I'm really unsure how to fix
this issue:

https://lists.debian.org/87zif33oxf.fsf@curie.anarc.at

Should we consider this part of the design that there's basically an
open file manager in the Kodi web browser? That may sound ludicrous, but
that's the way this thing is built right now. There's *some* password
protection as well, although the password is empty by default and is
therefore disabled. A possible workaround would be to force
authentication, even if there are no passwords set. This would require
commenting out this line:

  m_needcredentials = !password.IsEmpty();

in CWebServer::SetCredentials (WebServer.cpp). That way attackers would
be presented with an authentication dialog at least. There's a default
username and password, but at this point we may somehow shift the blame
to the user...

The alternative here is to start enforcing path restrictions on the
requested files in the webserver. This is a difficult operation because,
right now, files can be specified with arbitrary paths, including
relative paths with `../` or absolute paths, and there aren't clear
boundaries to where Kodi "can look": Kodi is designed to take over a
media station and serve contents from all sorts of sources...

So if we change the webserver, we also need to change the callers, and
that could prove more difficult...

A.
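The path restriction Antoine proposes above, as an added example in C++ that is not Kodi's code: it fully percent-decodes the request (so the double-encoded `%252f` from the URL above is seen as a slash before the check), collapses `..` segments, and allows only absolute paths under a hypothetical allow-listed root, which stands in for whatever source list the real webserver would consult.

```cpp
#include <cctype>
#include <string>
#include <vector>
// Decode one layer of %XX escapes into out; returns false on a malformed escape.
static bool PercentDecodeOnce(const std::string& in, std::string& out) {
  out.clear();
  for (size_t i = 0; i < in.size(); ++i) {
    if (in[i] != '%') { out += in[i]; continue; }
    if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
        !std::isxdigit((unsigned char)in[i + 2])) return false;
    out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
    i += 2;
  }
  return true;
}
// Decode until stable (bounded), so a double-encoded "%252f" that a later handler would turn into "/" is "/" here too.
std::string FullyDecode(std::string s) {
  std::string next;
  for (int n = 0; n < 4 && PercentDecodeOnce(s, next) && next != s; ++n) s = next;
  return s;
}
// Collapse "." and "..". Returns "" for a relative path or one that climbs above "/".
std::string NormalizePath(const std::string& p) {
  if (p.empty() || p[0] != '/') return "";
  std::vector<std::string> stack;
  for (size_t pos = 0; pos <= p.size();) {
    size_t next = p.find('/', pos);
    if (next == std::string::npos) next = p.size();
    std::string seg = p.substr(pos, next - pos);
    if (seg == "..") { if (stack.empty()) return ""; stack.pop_back(); }
    else if (!seg.empty() && seg != ".") stack.push_back(seg);
    pos = next + 1;
  }
  std::string out;
  for (const auto& s : stack) out += "/" + s;
  return out.empty() ? "/" : out;
}
// True only if the decoded, normalised request stays under an allowed root
// (hypothetical roots; Kodi's real source list would replace them).
bool IsPathAllowed(const std::string& raw, const std::vector<std::string>& roots) {
  std::string decoded = FullyDecode(raw);
  // Leftover escapes or an embedded NUL: reject rather than guess the intent.
  if (decoded.find('%') != std::string::npos || decoded.find('\0') != std::string::npos) return false;
  std::string norm = NormalizePath(decoded);
  if (norm.empty()) return false;
  for (const auto& root : roots)
    if (norm == root || norm.compare(0, root.size() + 1, root + "/") == 0) return true;
  return false;
}
```

Callers that pass relative paths would need to resolve them against their own base directory before this check, which is the caller-side change Antoine anticipates.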

Added indication that 855225 affects xbmc. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Apr 2017 17:36:02 GMT) (full text, mbox, link).


Bug 855225 cloned as bug 861274. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Apr 2017 19:48:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#855225; Package src:kodi. (Fri, 28 Apr 2017 17:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 28 Apr 2017 17:09:03 GMT) (full text, mbox, link).


Message #28 received at 855225@bugs.debian.org (full text, mbox, reply):

From: Bálint Réczey <balint@balintreczey.hu>
To: Antoine Beaupre <anarcat@orangeseeds.org>
Cc: 855225@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, control <control@bugs.debian.org>
Subject: Re: Bug#855225: kodi: CVE-2017-5982: Unrestricted file download
Date: Fri, 28 Apr 2017 19:07:06 +0200
Hi Antoine,


Thanks for the detailed analysis!

2017-04-26 19:05 GMT+02:00 Antoine Beaupre <anarcat@orangeseeds.org>:
> affects 85225 xbmc
> package xbmc
> found 85225 2:11.0~git20120510.82388d5-1
> thanks
>
> I can confirm this affects both jessie-backports and wheezy. I've been
> able to access random files on my Kodi install using:
>
> http://localhost:8080/image/image%3A%2F%2F%2e%2e%252f%2e%2e%252f%2e%2e%252f%2e%2e%252fetc%252fpasswd
>
> Just add more %2e%2e%252f in there if that's not deep enough for you. :)
>
> In wheezy, it's even worse - there's a /vfs/ layer that gives you plain
> access to any given path, as bam discovered. But you don't even need any
> "special://" protocol, this just works:
>
> http://localhost:8080/vfs/etc/passwd
>
> Given that XBMC 11 (wheezy) and 16 (jessie-backports) are vulnerable, I
> would be very surprised if XBMC 13 had any reasonable protections in
> place.
>
> As I explained in this post on debian-lts, I'm really unsure how to fix
> this issue:
>
> https://lists.debian.org/87zif33oxf.fsf@curie.anarc.at
>
> Should we consider this part of the design that there's basically an
> open file manager in the Kodi web browser? That may sound ludicrous, but
> that's the way this thing is built right now. There's *some* password
> protection as well, although the password is empty by default and is
> therefore disabled. A possible workaround would be to force
> authentication, even if there are no passwords set. This would require
> commenting out this line:
>
>   m_needcredentials = !password.IsEmpty();
>
> in CWebServer::SetCredentials (WebServer.cpp). That way attackers would
> be presented with an authentication dialog at least. There's a default
> username and password, but at this point we may somehow shift the blame
> to the user...
>
> The alternative here is to start enforcing path restrictions on the
> requested files in the webserver. This is a difficult operation because,
> right now, files can be specified with arbitrary paths, including
> relative paths with `../` or absolute paths, and there aren't clear
> boundaries to where Kodi "can look": Kodi is designed to take over a
> media station and serve contents from all sorts of sources...
>
> So if we change the webserver, we also need to change the callers, and
> that could prove more difficult...

I have forwarded this info to the upstream bug tracker but I have no high
hopes of getting the issue solved.

I plan to blog about Kodi 17.1 being in both Stretch and Zesty and to mention
this issue as a reason for people not to trust any installation too much.

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#855225; Package src:kodi. (Sat, 29 Apr 2017 14:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sat, 29 Apr 2017 14:51:05 GMT) (full text, mbox, link).


Message #33 received at 855225@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: balint@balintreczey.hu
Cc: 855225@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#855225: kodi: CVE-2017-5982: Unrestricted file download
Date: Sat, 29 Apr 2017 10:47:59 -0400
On 2017-04-28 19:07:06, Bálint Réczey wrote:

[...]

> I have forwarded this info to the upstream bug tracker but I have no high
> hopes of getting the issue solved.
>
> I plan to blog about Kodi 17.1 being in both Stretch and Zesty and to mention
> this issue as a reason for people not to trust any installation too much.

Thanks!

I'll also mention this in my report, hopefully this will get some
traction...

A.

-- 
Choose a job you love and you will never have to work a day in your
life.
                         - Confucius





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:13:00 2019; Machine Name: buxtehude
