I just want to remind everyone running TVHeadend on their LibreELEC or CoreELEC box to keep an eye on securing the web interface of this service, because the TVHeadend installation wizard does not enforce that.
Yesterday I heard about a case where a member of our Kodinerds community was hacked, and it seems that the entry point into his network may have been his Amlogic box. The attacker at least gained access to the TVHeadend server, but we cannot exclude the possibility that the attacker went deeper into the network.
What was the problem? It seems that the victim had the unprotected TVHeadend admin panel forwarded in his router. I know that is not clever; on the other hand, the TVHeadend installation wizard does not enforce setting a password for the admin user.
The real problem is that TVHeadend seems to be running as user root. That means that all commands run by TVHeadend are run as root.
And that is the problem. If I can gain access to the admin panel, I can set a pre-processor command in the recording tab, which will be run as root when a recording starts.
So what can I do with it? I could spawn a reverse shell which gives me root on the victim's machine inside his network. It is not necessary that SSH is activated, nor do you need a port forwarding (besides the one for the TVH Webif) for it to work.
I leave it to your imagination what is possible from that point on.
Until yesterday I didn't think about this possibility. Rendering this attack vector useless is easy: make sure the TVH Webif is secured by a good password and only trustworthy users have access to it.
If you need to access TVHeadend from outside your network, use a VPN or at least a reverse proxy. That way it is not so easy to find your TVHeadend server.
I can tell you it is not hard to find open TVHeadend servers via Shodan etc.
I tried that using a CoreELEC box I had lying around here, but I think the problem is the same on LE.
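As an added example (not from the post or the TVHeadend project), here is a small POSIX shell audit that checks the two conditions described above on the box itself: whether the web UI answers without credentials and whether the daemon runs as root. It assumes the default web UI port 9981 and the process name tvheadend.

```shell
#!/bin/sh
# Added audit script (not from the original post). Assumptions: the web UI
# listens on TCP 9981 (TVHeadend's default) and the process is called
# "tvheadend"; adjust TVH_PORT / the awk pattern if your setup differs.
TVH_PORT="${TVH_PORT:-9981}"

# Interpret the HTTP status an unauthenticated GET on the web UI got back.
# 401 means every user needs a password; any 2xx means the admin panel is
# reachable without credentials, exactly the state described above.
judge_status() {
    case "$1" in
        401)     echo "protected" ;;
        2*)      echo "OPEN" ;;
        000|"")  echo "unreachable" ;;
        *)       echo "unknown" ;;
    esac
}

# Read `ps -eo user,comm` style lines on stdin and print the account the
# tvheadend daemon runs as ("none" if it is not running). "root" means every
# pre/post-processor command from the recording tab executes as root.
tvh_user() {
    awk '$2 == "tvheadend" { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# Combine both findings into one verdict line.
verdict() {
    # $1 = judge_status result, $2 = tvh_user result
    if [ "$1" = "OPEN" ] && [ "$2" = "root" ]; then
        echo "CRITICAL: open web UI and daemon running as root"
    elif [ "$1" = "OPEN" ]; then
        echo "HIGH: web UI reachable without a password"
    elif [ "$2" = "root" ]; then
        echo "MEDIUM: daemon runs as root; keep the web UI off the internet"
    else
        echo "OK"
    fi
}

# Live mode, run on the box itself:  sh tvh_check.sh 127.0.0.1  (the address
# the router forwards to). With no argument only the functions are defined.
if [ "$#" -ge 1 ]; then
    status=$(curl -s -o /dev/null -w '%{http_code}' "http://$1:$TVH_PORT/" 2>/dev/null || true)
    web=$(judge_status "$status")
    user=$(ps -eo user,comm | tvh_user)
    echo "web UI without credentials: $web (HTTP ${status:-n/a})"
    echo "tvheadend runs as: $user"
    verdict "$web" "$user"
fi
```

A "protected" result only says the default page asks for a password; it does not replace checking the user list in the web UI for accounts without one.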