Wednesday, 24 June 2015

Kodi Media Center (XBMC) Vulnerable To MITM Attacks

The popular media center Kodi, formerly known as XBMC, contains a vulnerability which attackers between a user and the Internet are able to attack the system. Through Kodi allows users movies, music and other media, for example playback on their TV or sound system.

The software contains a collection of add-ons that allow users popular services like YouTube, Grooveshark and Dropbox can access. Each time Kodi is started watching the software or pre-installed add-ons updates. In the case of a new version is automatically downloaded and installed. The update check takes place entirely over HTTP without encryption, as discovered the Romanian antivirus company BitDefender .

The software asks during the update check to a MD5 hash for the last addons.xml file, which contains information about add-ons. An attacker can send back, in this case a random MD5 hash, which does not have to correspond to the file that is then presented. The attacker could send a specially prepared following addons.xml file indicating that a new version for a particular add-on is available. Then, the attacker must send the correct MD5 hash for his malicious add-on. Once Kodi this add-on installs the malicious Python code running in the add-on to the system.

For their demonstration, the researchers succeeded to download an executable file and place it in the startup directory of the system. It should be noted that an attacker the same privileges as the user running Kodi. Eventually they managed also to steal login details for YouTube and could Dropbox add-on change, so when starting or synchronizing files all content from the local Dropbox directory to a specified FTP server was sent. The Kodi developers are informed by Bitdefender and working on an update. When that appears is unknown.