We found a way to reliably gain a shell on xbmcbuntu and raspbmc devices. The out-of-the-box configuration of these devices is part of the attack. We're currently working on finding a way to do the attack with XBMC installed on any platform.
The vulnerability prerequisites are:
- xbmcbuntu or raspbmc
- "Allow control of XBMC via HTTP" enabled with default credentials (often enabled so that users can control XBMC with their phone remote)
At any rate we will be posting the working attacks on xbmcbuntu and raspbmc shortly.
Oh, we also found a drive file contents disclosure vulnerability in XBMC, the prerequisite being "Allow control of XBMC via HTTP" enabled with default credentials.