SEC Consult Vulnerability Lab Security Advisory < 20150113-2 > ======================================================================= title: Cross-Site Request Forgery product: Kodi/XBMC vulnerable version: XBMC/Kodi <=14 fixed version: no fixed version available impact: medium homepage: http://kodi.tv/ found: 2014-10-29 by: W. Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Kodi (formally [sic] known as XBMC) is an award-winning free and open source (GPL) software media player and entertainment hub that can be installed on Linux, OSX, Windows, iOS, and Android, featuring a 10-foot user interface for use with televisions and remote controls. It allows users to play and view most videos, music, podcasts, and other digital media files from local and network storage media and the internet. " "The last time we checked our add-on statistics, we had around 1.9 million active installs around the world." URLs: http://kodi.tv/about/ http://kodi.tv/platform-statistics-october/ Business recommendation: ------------------------ SEC Consult recommends to disable the HTTP-Interface on XBMC/Kodi installations until a fix is available. An attacker could potentially gain access to sensitive information stored on the system where XBMC/Kodi is installed. Vulnerability overview/description: ----------------------------------- The XBMC/Kodi media center allows users on the local network to control the media center. A user on the local network can e.g. play movies, simulate remote button presses etc. using the JSON-RPC interface. Certain JSON-RPC requests do not need to contain valid Cross-Site Request Forgery tokens. This allows an attacker to conduct Cross-Site Request Forgery attacks against the media center. In order to conduct such an attack the attacker has to lure the victim (that is on the same network as the media center) on an attacker-controlled web page. If authentication is configured for the web interface the victim has to be authenticated (Basic Authentication) in order for this exploit to work. An advanced exploit allows an attacker to e.g. upload local files using the XBMC/Kodi file manager. Proof of concept: ----------------- The Proof of concept code has been removed since no fix is available to mitigate this issue. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in the XBMC/Kodi media center version 14.0-Alpha5, which was the most recent development version at the time of discovery. The stable release XBMC 13.2 has been verified to be vulnerable too. Vendor contact timeline: ------------------------ 2014-10-30: Contacting team through contact AT xbmc dot org 2014-11-06: Again contacting team through contact AT xbmc dot org, interest AT xbmc dot org and team AT xbmc dot org 2014-11-06: Initial response, team asks to verify that issue lies in XBMC/Kodi code 2014-11-06: Stating that issue lies in XBMC/Kodi code 2014-11-06: Team provides security contact with public key 2014-11-07: Sending preliminary advisory 2014-11-30: Asking security contact whether the XBMC/Kodi team was able to verify this issue 2014-12-05: Security contact: Vulnerability has been verified, still discussing possible solutions 2014-12-17: Asking security contact whether the vulnerability has been addressed, deadline for release: 2014-12-19 2014-12-18: Proposing new release date 2015-01-13 to give the XBMC/Kodi team more time to address this issue 2014-12-22: Security contact: still discussing the issue, trade-off between security and backwards compatibility, release the advisory on 2015-01-13 - vulnerability will not be fixed till then 2015-01-13: SEC Consult releases the advisory without proof of concept code Solution: --------- No patch is available to fix this issue yet. Workaround: ----------- SEC Consult recommends to disable the HTTP interface until a fix is available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF W. Ettliger / @2015