Once More Into The Fray
In the world of Information Security, the focus has always been on enterprise applications and infrastructure. The industry naturally, and understandably, focuses on identifying vulnerabilities within applications that are expected to be deployed across enterprise environments. From Microsoft Office and Adobe, all the way through to Windows Media Player, the possible exposure that can be exploited from vulnerabilities in such widespread applications can be catastrophic, and so it is understandable that these applications have received such focus over the years.
On the surface, it is clearly an approach that makes sense, however very few organizations really invest sufficient time and resources into controlling the applications installed across devices within their environment. For instance, many organizations permit users to install applications at will, and as the proliferation of BYOD continues to spread, organizations are quickly losing sight of exactly what applications are in use within their environment.
With so little control over the applications which could be present across an enterprise, is the industry’s approach correct when it comes to vulnerability research, or should more focus be invested not only into expected enterprise applications, but also into the unexpected and open source solutions that are out there?
In this blog we will take a look into the world’s most popular open source media center and examine just how safe users are when they introduce this application into their environment.
Kodi – The Modern Attack Vector
Kodi is a very popular, free and open source software media centre for playing almost anything you can think of. While Kodi does not come with any content offering itself, it allows users to stream Movies, TV, Music and most other types of content from storage media in their own network or across the internet from other services. What makes Kodi so powerful is the ability to add more content by way of “Add-Ons”. There is a library of trusted additions which give you a slick interface to browse content such as TED or YouTube. The Add-On options supported by Kodi are impressive and, thanks to the open framework Kodi uses, with a little time anyone could create their own custom add-on to stream their own content. In fact, Kodi provide a guide on exactly how to do this over on their wiki pages: http://kodi.wiki/view/Add-on_development
The problem with open frameworks when it comes to application security is that they open the door for abuse, and despite a warning the Kodi developers have posted on their website, there is a vast sea of “Add-Ons” which exist purely to support the sharing of copyrighted media.
Honour Amongst Thieves
Millions of people use these underground Add-Ons, and the infrastructure behind them is quickly growing to be one of the largest file sharing platforms in existence. That’s easy to believe for a service which stands on a free media application, sharing the latest media, often presented in a slick interface almost as well presented as Netflix. It’s several strides forward from the old days of asking “Kev” at the local for a VHS copy of the latest blockbuster, only to be provided an inaudible copy 3 weeks later which has last week’s “The Bill” taped over the ending.
Of course the legality of the service is certainly an issue, but not one for today’s topic.
Today’s blog is really all about the Add-Ons Kodi supports and what type of risks the average user is being exposed to, simply by using Kodi and installing some of these “Add Ons”.
Unlike the Apple AppStore or Google Play, there is no real marketplace for Kodi Add-ons. There are no requirements a developer has to meet and no checks done against an Add-on before they are distributed. It’s simply a case of someone posting on social media “here is a link to my latest Add-On”. From there anyone can install that service and begin streaming whatever content is provided.
Sound Simple… It Is.
Now, since there is no marketplace for these Add-Ons enforcing any type of standard, and no one has the job of checking them all, what is stopping developers from using these “Add-Ons” to spread malware or use them for other nefarious purposes? The answer, of course, is nothing…
While it’s common knowledge within the Kodi community that security is an issue, you may be surprised to find there are very few examples of exactly how the Add-On framework can be exploited in order to attack an unsuspecting user.
So after lots of talk about copyright material and malware inside Kodi, what does it all actually mean, and what’s the worst that can happen?
The short answer is that your entire system and other connected devices are potentially at risk. An attacker is able to create or modify an existing Add-On, release it to the community and gain access to each device that Add-On is run on.
It works like this:
Kodi is able to interpret Add-Ons which contain executable scripts such as .py (Python) scripts. Most Add-Ons contain these, and they are used legitimately to provide content or a function within an Add-On. Kodi Add-Ons also use an .XML file to map which resources within the Add-On should be called at run time.
An attacker is able to either replace a legitimate .py file with a malicious one, or simply inject malicious code into an existing .py script so that the intended function works as normal but the malicious code also executes. That way, when the .XML file calls a particular script, the attacker’s malware is executed.
In simple terms, think of the .XML file as a “Contents Page” and the .py files as the chapters of a book. When you want to find a specific chapter, you check the contents page and then you can go straight to that page.
Now, if an attacker wanted you to read some misinformation, they could edit the text of a particular chapter of a book and wait for you to read that chapter. When you do, you will read the misinformation the attacker has injected onto that page.
This is how it’s done.
1: First, Create the code.
I used msfvenom to generate a Python reverse shell, but Veil-Evasion could also be used for this (no AV detected the msfvenom payload during my tests). When executed, this will initiate a connection back from the infected machine to my attacker machine and allow remote access. A few arguments need to be provided, including the IP address of the attacking machine and the listening port.
You can see in the code entered above that a Python script has been chosen to call back to my attack machine on 192.168.1.8:443, and the output filename is pythonshell.py.
2: Arm the Add-On
How the attacker intends to deliver the Add-On determines how they arm it. For instance, if you were creating a brand new Add-On from scratch, you might obfuscate the Python script as much as possible and embed it somewhere within your Add-On; however, it might take a little interaction to trick people into installing a brand new and unknown Add-On. There are tons of clones of the same popular Add-Ons for Kodi, and so an attacker is much more likely to find success by taking an already popular Add-On, injecting code into it, and redistributing it. The second method has the benefit of convincing users they are downloading a well-known, tried and tested Add-On.
The figure below is a copy of the original .XML file which is packaged with a very popular Kodi Add-On called IceFilms. The figure shows the various modules and scripts that are called when IceFilms is run, and within this .XML we can see a Python script called “Default.py” is called.
Having identified an existing .py file within the Add-On’s .XML map, called “Default.py”, we can easily search for that file (which in this case is located in the same directory as the .XML file). Once Default.py has been located, we simply need to embed the malicious code we created earlier somewhere within the file. In the figure below you can see the Base64 encoded string is injected at the bottom of the script, just before the final commented out IceFilms line.
3: Deliver the Add-On
This is really all about creativity and Social Engineering. Can you convince the internet to use your repository to install an Add-On which will give them all the Movies and TV shows they can think of, for free?
The attacker hosts the Add-On somewhere and begins spreading the good word to the community. Sure enough, it will be downloaded. All that’s left to do is start a listener for the infected machines to connect back to.
The above image shows the Metasploit multihandler in use waiting for connections back to 192.168.1.8:443.
4: Get Shell
That’s it, leave the rest to fate. The attacker simply needs to let users run the Trojan Add-On, and one by one they will begin checking in with the attacker’s machine. On my machine below, you can see I have launched Kodi, the popcorn is in the microwave and the lights are down. I just need to launch IceFilms and I’m set.
Once I hit launch, Kodi checks the .XML file for instructions and calls our hot file, Default.py. When this occurs, a network socket is opened and a remote session is established with the attacker’s machine.
You can see the connection occur in the image below where a connection is received from my compromised machine on 192.168.1.7 to the attack machine on 192.168.1.8 and a session is created.
Once this session is created, the attacker has full access to your environment; from here the attacker can query who is logged in and what system you are using.
The attacker can view and upload/download files to and from your machine, and even take a snap of you using your webcam or record your microphone. You can find out more about the Meterpreter capabilities over on Offensive-Security.com.
I have successfully executed this attack on Windows, Mac OS X and Android devices, using the same method. Because Kodi natively supports Python scripts, the Trojan Add-On technique has so far worked on all types of devices I have tested it on, which means that, based on this single POC, anyone using Kodi Add-Ons from questionable sources could be putting their data at serious risk regardless of device or OS.
Once successfully infected, the compromised machine can be used as a pivot to move laterally within the environment where it resides. If Kodi is installed on a machine used for work with VPN access, then pivoting into a controlled environment becomes almost inevitable.
Running Kodi on a dedicated media box at home running an Android OS is a very popular way of using Kodi; however, it would still allow for exploitation and could very easily put other devices within the environment at risk as an attacker begins to enumerate the network and gain additional footholds within your environment.
Downloading a malicious Add-On is akin to downloading any other type of malware. You really have no idea what exactly is included within that download, and so the best mitigation is of course to avoid downloading Add-Ons for Kodi at all, especially from untrusted sources.
If you must download Add-Ons, Kodi provide a convenient list of endorsed Add-Ons here: http://addons.kodi.tv/
For those determined on picking up Add-Ons from the darkest corners of the web, a simple YARA rule can be used to scan the Kodi Add-On directories for key strings which might be associated with this type of activity (for example, a script that decodes a long Base64 literal and passes it to exec). You can find countless examples of these out there on the web.
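As an added defensive example (not code from this post or from the Kodi project), the script below follows the “contents page” idea described earlier: it reads addon.xml to find which scripts Kodi will call, then scans every Python file in the Add-On for the injection pattern the post describes, an appended exec() of a long Base64 literal. The addon.xml layout (an extension element with a library attribute), the indicator patterns and the sample Add-On are assumptions constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicator patterns for a media add-on script. One hit deserves a look; several
# on the same line (exec of a freshly decoded blob) is the pattern described above.
INDICATORS = {
    "dynamic code execution": re.compile(r"\b(exec|eval)\s*\("),
    "base64 decoding": re.compile(r"b64decode\s*\("),
    "network or process primitive": re.compile(r"socket\.socket|subprocess\.|os\.system\s*\("),
    "long base64-like literal": re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"),
}

def entry_scripts(addon_xml):
    """Files addon.xml maps to extension points: the 'contents page' of the add-on."""
    root = ET.fromstring(addon_xml)
    return [e.get("library") for e in root.iter("extension") if e.get("library")]

def scan_source(source):
    """Return (line_no, indicator) hits for one Python source text."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        hits.extend((n, name) for name, rx in INDICATORS.items() if rx.search(line))
    return hits

def scan_addon(files):
    """files: {relative path: text}. Scan every .py in the add-on, entry scripts first."""
    entries = entry_scripts(files["addon.xml"])
    scripts = [f for f in files if f.endswith(".py")]
    ordered = [f for f in entries if f in scripts] + [f for f in scripts if f not in entries]
    return {f: scan_source(files[f]) for f in ordered}

def scan_addon_dir(path):
    """Same check against an installed add-on directory, e.g. ~/.kodi/addons/<id>."""
    p = Path(path)
    wanted = [f for f in p.rglob("*") if f.is_file() and (f.suffix == ".py" or f.name == "addon.xml")]
    return scan_addon({str(f.relative_to(p)): f.read_text(errors="replace") for f in wanted})

# Constructed sample add-on: addon.xml names default.py as the entry point, and
# default.py ends with an exec() of a base64 blob (here a harmless print call).
PAYLOAD_B64 = base64.b64encode(b"print('constructed stand-in payload')" * 2).decode()
SAMPLE_FILES = {
    "addon.xml": '<addon id="plugin.video.sample" name="Sample" version="1.0.0">'
                 '<extension point="xbmc.python.pluginsource" library="default.py"/></addon>',
    "default.py": "import base64\nimport xbmcplugin\nxbmcplugin.endOfDirectory(0)\n"
                  "# original add-on code above; constructed injected line below\n"
                  "exec(base64.b64decode('" + PAYLOAD_B64 + "'))\n",
}

if __name__ == "__main__":
    for script, hits in scan_addon(SAMPLE_FILES).items():
        print(script, hits or "clean")
```

Run scan_addon_dir against each directory under your Kodi addons folder; a clean media Add-On normally produces no hits at all, so any line that decodes and executes a blob is worth reading before you launch it.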
Remember… the best way to win a fight is to avoid one altogether.
The Devolution of Application Security
In 2015 a significant number of Apps in the Apple AppStore were found to have been compiled using malware dubbed XcodeGhost. FireEye speculated that more than 4000 apps could have been created and released to the public using XcodeGhost malware. Though no official figure has been released, security vendor Palo Alto speculated that the number of devices infected with this malware reaches into the hundreds of millions (Source).
Similarly, Google Play has recently removed a number of malicious apps from its store after they were identified by the community and found to contain Brain Test malware.
Operating System vendors such as Apple and Google are tasked with protecting devices and users against malware by auditing the apps available on their respective software repositories. The expectation has been set by the end user community that they will be protected when using Apple’s and Google’s operating systems, and so the responsibility to ensure that protection has fallen at the feet of the OS developers. After all, isn’t that why these devices come at a premium?
While vendors are clearly taking steps to improve the security of the applications they offer, it’s blindingly obvious that whatever it is that they are doing simply isn’t enough.
As Application Security becomes a bigger issue and moves further towards the forefront of community expectations, perhaps paid-ware vendors will do more to validate apps before they can be released to the community and ultimately take more precautions to protect their users. Surely the price tags on these devices warrant that effort.
At the other end of the spectrum, Free-Ware and Open Source solutions are gliding under the radar and are seemingly left behind in the dark ages of App-Sec. Users do not demand the same protection from developers who are publishing Free-Ware, and are happy to install those applications on their devices, introducing vulnerabilities and risks without question. Certainly in the context of Kodi and community Add-Ons, users are unknowingly making a choice between the security of their devices and watching the latest movie or TV show.
Of course this is a much bigger issue than just Kodi. Paid software will almost always provide better support and security than free-ware. We expect that, and for most of us a lack of support is acceptable when using a free product, but should we compromise on the security of our devices, or should we continue to evolve in all markets of Application Security? The community is the driving force in this industry as much as any other, and until the demand for more secure development increases, Free-Ware vendors will continue to publish products of questionable quality and put users at risk.
When contacted, a representative of Kodi said “I don’t see the point of making a bigger deal of this issue, so we will not be adding a statement or linking on our blog.”
They then went on to say, “we would actively love help from the community in the form of pull requests to help improve the addon system and make it a safer app if there’s a concern”.
If you do have suggestions or can help Kodi to secure their application, you can get involved in their community over at https://github.com/xbmc/xbmc.