Kodi Local File Inclusion Vulnerability

Hello,

I’ve scanned my rpi for vulnerabilities and found out it has the CVE-2017-5982 vulnerability…
You can try it out:
http://ip_of_your_osmc/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd

osmc@osmc:~$ grep Kodi .kodi/temp/kodi.log | head -3
16:38:52.909 T:1925374544 NOTICE: Starting Kodi (17.6). Platform: Linux ARM (Thumb) 32-bit
16:38:52.909 T:1925374544 NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
16:38:52.909 T:1925374544 NOTICE: Kodi compiled Dec 31 2018 by GCC 6.3.0 for Linux ARM (Thumb) 32-bit version 4.9.30 (264478)

That’s pretty interesting

Indeed — there is no resolution for this in Kodi v17.

You may wish to disable the web server

1 Like

The webserver in Kodi has been plagued by issues for a long time. If you don’t need it, disable it or make it only respond on your LAN via iptables.

iptables -A INPUT -p tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
2 Likes
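
A log check for requests shaped like the URL in the first post, as an added example that is not part of the thread: it percent-decodes the `/image/` path until it stops changing and flags any `..` segment. The log lines, the common-log-format source and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

IMAGE_PREFIX = "/image/"   # image handler path seen in the first post's URL
MAX_DECODE_ROUNDS = 5      # assumption: bound on nested percent-encoding layers
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '192.168.0.17 - - [01/Jan/2019:16:40:01 +0000] "GET /image/image%3A%2F%2Fmovie-poster.jpg HTTP/1.1" 200 48211',
    '203.0.113.9 - - [01/Jan/2019:16:41:12 +0000] "GET /image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd HTTP/1.1" 200 1402',
    '192.168.0.17 - - [01/Jan/2019:16:42:30 +0000] "GET /jsonrpc HTTP/1.1" 200 96',
]


def fully_decode(path):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def is_suspicious_image_request(path):
    """Flag /image/ requests whose decoded form contains a '..' path segment."""
    if not path.startswith(IMAGE_PREFIX):
        return False
    decoded, _ = fully_decode(path[len(IMAGE_PREFIX):])
    # Drop the image:// wrapper, then look for parent-directory segments.
    target = re.sub(r"^image://", "", decoded)
    return ".." in re.split(r"[/\\]", target)


def scan_log(lines):
    """Return request paths from log lines that look like traversal attempts."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious_image_request(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in scan_log(SAMPLE_LOG):
        print("possible CVE-2017-5982 request:", path)
```

Decoding in a loop matters here because the slashes in that URL are encoded twice (`%252f`), so a single decode pass still shows `%2f` rather than `/`.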