Cross-Site Request Forgery in Kodi/XBMC

SEC Consult Vulnerability Lab Security Advisory < 20150113-2 >

=======================================================================

title: Cross-Site Request Forgery

product: Kodi/XBMC

vulnerable version: XBMC/Kodi <=14

fixed version: no fixed version available

impact: medium

homepage: kodi.tv

found: 2014-10-29

by: W. Ettlinger

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"Kodi (formally [sic] known as XBMC) is an award-winning free and open source (GPL)

software media player and entertainment hub that can be installed on Linux,

OSX, Windows, iOS, and Android, featuring a 10-foot user interface for use

with televisions and remote controls. It allows users to play and view most

videos, music, podcasts, and other digital media files from local and network

storage media and the internet. "

 

"The last time we checked our add-on statistics, we had around 1.9 million

active installs around the world."

 

URLs: kodi.tv/about/

kodi.tv/platform-statistics-october/

 

 

Business recommendation:

------------------------

SEC Consult recommends to disable the HTTP-Interface on XBMC/Kodi

installations until a fix is available. An attacker could potentially

gain access to sensitive information stored on the system where XBMC/Kodi

is installed.

 

 

Vulnerability overview/description:

-----------------------------------

The XBMC/Kodi media center allows users on the local network to control

the media center. A user on the local network can e.g. play movies,

simulate remote button presses etc. using the JSON-RPC interface.

 

Certain JSON-RPC requests do not need to contain valid Cross-Site Request

Forgery tokens. This allows an attacker to conduct Cross-Site Request Forgery

attacks against the media center. In order to conduct such an attack the

attacker has to lure the victim (that is on the same network as the media

center) on an attacker-controlled web page.

 

If authentication is configured for the web interface the victim has to be

authenticated (Basic Authentication) in order for this exploit to work.

 

An advanced exploit allows an attacker to e.g. upload local files using

the XBMC/Kodi file manager.

 

 

Proof of concept:

-----------------

The Proof of concept code has been removed since no fix is available to

mitigate this issue.

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in the XBMC/Kodi media

center version 14.0-Alpha5, which was the most recent development version

at the time of discovery. The stable release XBMC 13.2 has been verified

to be vulnerable too.

 

 

Vendor contact timeline:

------------------------

2014-10-30: Contacting team through contact AT xbmc dot org

2014-11-06: Again contacting team through contact AT xbmc dot org,

interest AT xbmc dot org and team AT xbmc dot org

2014-11-06: Initial response, team asks to verify that issue lies in

XBMC/Kodi code

2014-11-06: Stating that issue lies in XBMC/Kodi code

2014-11-06: Team provides security contact with public key

2014-11-07: Sending preliminary advisory

2014-11-30: Asking security contact whether the XBMC/Kodi

team was able to verify this issue

2014-12-05: Security contact: Vulnerability has been verified,

still discussing possible solutions

2014-12-17: Asking security contact whether the vulnerability

has been addressed, deadline for release: 2014-12-19

2014-12-18: Proposing new release date 2015-01-13 to give

the XBMC/Kodi team more time to address this issue

2014-12-22: Security contact: still discussing the issue,

trade-off between security and backwards compatibility,

release the advisory on 2015-01-13 - vulnerability will

not be fixed till then

2015-01-13: SEC Consult releases the advisory without proof of concept

code

 

 

Solution:

---------

No patch is available to fix this issue yet.

 

 

Workaround:

-----------

SEC Consult recommends to disable the HTTP interface until a fix

is available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF W. Ettliger / @2015