BugTraq
SEC Consult SA-20150113-2 :: Cross-Site Request Forgery in XBMC / Kodi Jan 13 2015 02:02PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20150113-2 >
=======================================================================
title: Cross-Site Request Forgery
product: Kodi/XBMC
vulnerable version: XBMC/Kodi <=14
fixed version: no fixed version available
impact: medium
homepage: http://kodi.tv/
found: 2014-10-29
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Kodi (formally [sic] known as XBMC) is an award-winning free and open source (GPL)
software media player and entertainment hub that can be installed on Linux,
OSX, Windows, iOS, and Android, featuring a 10-foot user interface for use
with televisions and remote controls. It allows users to play and view most
videos, music, podcasts, and other digital media files from local and network
storage media and the internet. "

"The last time we checked our add-on statistics, we had around 1.9 million
active installs around the world."

URLs: http://kodi.tv/about/
http://kodi.tv/platform-statistics-october/

Business recommendation:
------------------------
SEC Consult recommends disabling the HTTP interface on XBMC/Kodi
installations until a fix is available. An attacker could otherwise
potentially gain access to sensitive information stored on the system
where XBMC/Kodi is installed.

Vulnerability overview/description:
-----------------------------------
The XBMC/Kodi media center allows users on the local network to control
the media center. Using the JSON-RPC interface, a user on the local network
can, for example, play movies or simulate remote-control button presses.

Certain JSON-RPC requests are accepted without a valid Cross-Site Request
Forgery token. This allows an attacker to conduct Cross-Site Request Forgery
attacks against the media center. To conduct such an attack, the attacker
has to lure the victim (who is on the same network as the media center)
onto an attacker-controlled web page.

If authentication is configured for the web interface, the victim has to be
authenticated (Basic Authentication) for this exploit to work.

A more advanced exploit allows an attacker to, for example, upload local
files using the XBMC/Kodi file manager.
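The root cause described above is a JSON-RPC endpoint that accepts
state-changing calls without a per-session anti-CSRF token. The following
is an added illustration of the server-side checks that close this gap; it
is not Kodi's code and not part of the advisory. The origin allow-list, the
`X-CSRF-Token` header name and the sample request bodies are assumptions
constructed for the example. It also shows why the fix involves a
backwards-compatibility trade-off: a non-browser remote-control client sends
no Origin header, so the token, not the Origin check, has to carry the
decision.

```python
import hmac
import json
import secrets

# Assumption: the media center's own web UI is served from this origin.
ALLOWED_ORIGINS = {"http://kodi.local:8080"}

# Constructed sample JSON-RPC body (Player.Open is a Kodi JSON-RPC method).
SAMPLE_BODY = json.dumps(
    {"jsonrpc": "2.0", "method": "Player.Open",
     "params": {"item": {"file": "/media/movie.mkv"}}, "id": 1}
).encode()


def issue_csrf_token() -> str:
    """Mint an unguessable per-session token; the UI embeds it in every request."""
    return secrets.token_hex(32)


def validate_jsonrpc_request(headers: dict, body: bytes, session_token: str):
    """Return (allowed, reason). Every check must pass for the call to run."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. A cross-site HTML form can only send form content types; requiring
    #    application/json forces a CORS preflight for cross-origin requests.
    if not h.get("content-type", "").startswith("application/json"):
        return False, "content-type must be application/json"

    # 2. If the browser sent an Origin, it must be the media center itself.
    #    A missing Origin (non-browser remote client) is tolerated here and
    #    is why the token check below is the decisive control.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"

    # 3. The session's CSRF token must be present in a custom header.
    #    A foreign page cannot read the token, so it cannot supply it.
    #    Constant-time comparison avoids leaking the token through timing.
    supplied = h.get("x-csrf-token", "")
    if not hmac.compare_digest(supplied, session_token):
        return False, "missing or invalid CSRF token"

    try:
        req = json.loads(body)
    except ValueError:
        return False, "malformed JSON body"
    if req.get("jsonrpc") != "2.0" or "method" not in req:
        return False, "not a JSON-RPC 2.0 request"
    return True, f"accepted method {req['method']}"


def run_scenarios(token: str) -> dict:
    """Exercise the validator with constructed requests; returns name -> allowed."""
    json_ct = {"Content-Type": "application/json"}
    scenarios = {
        # Auto-submitted form from a foreign page: wrong content type.
        "foreign form post": (
            {"Content-Type": "application/x-www-form-urlencoded",
             "Origin": "http://other.example"}, SAMPLE_BODY),
        # Foreign origin with JSON content type but no token.
        "foreign origin, no token": (
            {**json_ct, "Origin": "http://other.example"}, SAMPLE_BODY),
        # Same origin but a guessed/stale token.
        "same origin, wrong token": (
            {**json_ct, "Origin": "http://kodi.local:8080",
             "X-CSRF-Token": "0" * 64}, SAMPLE_BODY),
        # Legitimate UI request: same origin and valid token.
        "same origin, valid token": (
            {**json_ct, "Origin": "http://kodi.local:8080",
             "X-CSRF-Token": token}, SAMPLE_BODY),
        # Non-browser remote client: no Origin, but valid token.
        "remote client, valid token": (
            {**json_ct, "X-CSRF-Token": token}, SAMPLE_BODY),
    }
    return {name: validate_jsonrpc_request(hdrs, body, token)[0]
            for name, (hdrs, body) in scenarios.items()}


if __name__ == "__main__":
    tok = issue_csrf_token()
    for name, allowed in run_scenarios(tok).items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'REJECT'}")
```

Only the two requests that present the session token are accepted; the
three that a foreign page could produce are rejected before the method is
dispatched. Tolerating a missing Origin keeps existing remote-control apps
working, but it means every such client must be updated to obtain and send
the token, which is the compatibility cost the advisory's timeline refers to.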

Proof of concept:
-----------------
The proof of concept code has been removed since no fix is available to
mitigate this issue.

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the XBMC/Kodi media
center version 14.0-Alpha5, which was the most recent development version
at the time of discovery. The stable release XBMC 13.2 has been verified
to be vulnerable too.

Vendor contact timeline:
------------------------
2014-10-30: Contacting team through contact AT xbmc dot org
2014-11-06: Again contacting team through contact AT xbmc dot org, interest AT xbmc dot org and team AT xbmc dot org
2014-11-06: Initial response, team asks to verify that issue lies in XBMC/Kodi code
2014-11-06: Stating that issue lies in XBMC/Kodi code
2014-11-06: Team provides security contact with public key
2014-11-07: Sending preliminary advisory
2014-11-30: Asking security contact whether the XBMC/Kodi team was able to verify this issue
2014-12-05: Security contact: Vulnerability has been verified, still discussing possible solutions
2014-12-17: Asking security contact whether the vulnerability has been addressed, deadline for release: 2014-12-19
2014-12-18: Proposing new release date 2015-01-13 to give the XBMC/Kodi team more time to address this issue
2014-12-22: Security contact: still discussing the issue, trade-off between security and backwards compatibility, release the advisory on 2015-01-13 - vulnerability will not be fixed until then
2015-01-13: SEC Consult releases the advisory without proof of concept code

Solution:
---------
No patch is available to fix this issue yet.

Workaround:
-----------
SEC Consult recommends disabling the HTTP interface until a fix
is available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career (at) sec-consult (dot) com [email concealed]

EOF W. Ettlinger / @2015
