Kodi Multiple Issues
HighSynopsis
While investigating Kodi, Tenable found two issues. After discussions with Kodi, we hesitate to call these vulnerabilities, but the issues are severe and unexpected enough that we felt an advisory should be issued.
Unauthenticated Remote Code Execution via HTTP Requests
By default, Kodi's HTTP server is disabled. However, when enabled, the server's default setting is to not require authentication. Kodi's HTTP server also supports the JSON-RPC API which allows remote users to control the local Kodi UI via HTTP requests. As such, a remote unauthenticated attacker can a install malicious package by sending mouse clicks and keystrokes via HTTP.
A proof of concept video follows. The attack is launched against Kodi 19.0 alpha. The script, available on our GitHub, enables third party packages, adds a new SMB source, and installs a package that configures a bind shell on port 1270. Note that this script would need to be modified for Kodi versions below 19 since the local UI is slightly different.
As stated above, we hesitate to call this a vulnerability since this appears to be an intended feature. However, we believe a normal user is unlikely to understand that enabling the web interface allows remote users to take full control of their system. Shodan reveals a number of vulnerable targets, and that doesn't account for internal targets that could be attacked via javascript (see: sonar.js).
In response to this finding, the Kodi community has begun discussing requiring authentication on the HTTP interface. See the following pull request for more details: 17359.
Lock Screen Bypass
In an attempt to mitigate the above, we enabled the Master Lock feature. This feature enables a login screen in the local UI on start up. In theory, a user can only bypass this view via successful authentication. However, we found that simply sending an Input.Home JSON RPC message transitioned the local UI away from the login screen. From there an attacker could, more or less, do as they pleased. The video PoC above actually has the Master Lock enabled.
In response to this finding, Kodi updated their wiki to state the following about the Master Lock:
Note: This feature only protects the Kodi interface from, say, curious children. It will not protect the content and settings files outside of Kodi from being accessed via the operating system. Also, it may be bypassed via the web interface or other add-ons and advanced Kodi features.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Jacob Baines
