URGENT vulnerability in ALL OSMC systems

Hello

I am a security researcher at a university. I found a serious vulnerability. Anyone can compromise an OSMC system and any connected device on the network, because all OSMC packages can be made to look as if they were made by OSMC.

The OSMC APT key has been leaked on your OWN APT server at http://apt.osmc.tv

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
=MgCY
-----END PGP PUBLIC KEY BLOCK-----

I can sign any package as OSMC.

The steps to resolve this are to admit the mistake, revoke the key, and suggest that everyone reinstalls OSMC.

You should be aware of such massive security problems and ashamed; it is 2017, how do you get this wrong?

TL;DR: No security issue

Hi,

First and foremost, I’d like to say thanks for reporting what could have been a potential security issue in OSMC.

In future, we’d appreciate being contacted directly first so that we can address such issues promptly and before they can be used in a malicious manner.

The APT key that you have referred to however is a public key and is used for verifying that packages are indeed signed by OSMC. There is no security risk here and there is no possibility for a malicious actor to sign an OSMC package using the public key.

I would normally expand on this in further detail but understand you are a security researcher, so I suspect it’s not necessary to elaborate.

In the unlikely event that you do find an issue with OSMC’s package signing, I implore you to contact me directly. I’ve PM’d you contact details.

Thanks for your reports and your interest in improving OSMC for everyone.

Sam
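The distinction Sam draws above, that a published APT key is a public key which can only verify signatures and never produce them, can be checked directly with GnuPG. The script below is an added example and is not OSMC's code or its real signing key: it generates a constructed signing key in a throwaway "publisher" keyring, exports only the public half into a second "client" keyring (the position an APT user is in after importing the key from the repository), and then shows that the client can verify a detached signature over a Release file and detect tampering, but cannot create a signature with the public key alone. It assumes GnuPG 2.x is installed; the key name and e-mail address are constructed for the example.

```shell
#!/bin/sh
# Added example (not OSMC's code). Assumes GnuPG 2.x; all key material is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Keyring 1: the publisher, which holds the private (secret) key.
PUBLISHER="$WORK/publisher"
# Keyring 2: a client that only ever receives the exported public key.
CLIENT="$WORK/client"
mkdir -p -m 700 "$PUBLISHER" "$CLIENT"

gpg_pub() { GNUPGHOME="$PUBLISHER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gpg_cli() { GNUPGHOME="$CLIENT"    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Create the constructed signing key, a small Release file, and hand the client the public key only.
setup() {
  gpg_pub --quick-gen-key 'Example Repo Signing Key (constructed) <repo@example.invalid>' default default never
  printf 'Origin: Example\nSuite: stable\nSHA256:\n deadbeef 42 main/binary-armhf/Packages\n' > "$WORK/Release"
  gpg_pub --armor --export 'repo@example.invalid' > "$WORK/repo.pub.asc"
  gpg_cli --import "$WORK/repo.pub.asc"
}

# Publisher signs Release with the private key, producing the detached Release.gpg that APT checks.
sign_release() {
  gpg_pub --yes --detach-sign --armor --output "$WORK/Release.gpg" "$WORK/Release"
}

# Client verifies with the public key only: exit status 0 means the signature is good.
client_can_verify() {
  gpg_cli --verify "$WORK/Release.gpg" "$WORK/Release" 2>/dev/null
}

# Client verifies a modified Release against the original signature: must fail (non-zero).
client_detects_tampering() {
  sed 's/deadbeef/00000000/' "$WORK/Release" > "$WORK/Release.tampered"
  gpg_cli --verify "$WORK/Release.gpg" "$WORK/Release.tampered" 2>/dev/null
}

# Client tries to sign as the publisher with only the public key: must fail (no secret key present).
client_can_sign() {
  gpg_cli --local-user 'repo@example.invalid' --detach-sign --armor \
    --output "$WORK/forged.gpg" "$WORK/Release" 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
  setup
  sign_release
  client_can_verify && echo "client verified Release.gpg with the public key"
  client_detects_tampering || echo "client rejected the tampered Release"
  client_can_sign || echo "client could not sign with the public key alone"
fi
```

Run it as `sh example.sh run`. Only the first check succeeds by design: verification and tamper detection are exactly what the published key is for, and the signing attempt fails because the keyring holding the public key contains no secret key. This is the same check an OSMC user's `apt` performs on `Release.gpg` with the imported key, and it is why exposing that public key on the repository is not a leak.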

Sorry, I made a mistake.

OSMC is secure; it is just the key to verify the signature.

I will report new problems to you directly, if they even exist. Thanks for the PM; it is amazing to receive such a quick response from a developer.

Hi,

Thank you for your follow up.

We appreciate your investigation, as well as the clarification that you couldn’t find a vulnerability in OSMC’s package signing mechanism.

We much prefer to receive reports of all suspected vulnerabilities, regardless of their outcome. I hope that in the unlikely event you do embark upon a security issue in OSMC, you report it to us directly in the future.

Sam