Information

A vulnerability exists when an add-on downloads subtitles as a ZIP file.
The ZIP file is extracted with a built-in XBMC extract function, and a bug in that code allows the archive to contain folders named “..”. On extraction these are treated as path components, which permits directory traversal and ultimately leads to an arbitrary file write on the system.

PoC

When poc.zip is downloaded as a subtitles ZIP file, the path traversal bug extracts a Python script that pops calc.exe into the opensubtitles Kodi plugin folder.


Attachments:
poc.zip

References:
https://blog.checkpoint.com/2017/07/08/hacked-translation-directors-cut-full-technical-details/
https://github.com/xbmc/xbmc/pull/12024