There have been some questions as to the security implications of the “web installer” available for installing the [XBMC iPhone Remote](http://tlrobinson.net/projects/xbmciphone/) and other XBMC applications. This page explains how it works and the problems with XBMC’s web server [HTTP-API](http://www.xboxmediacenter.com/wiki/index.php?title=web serverHTTP-API) which make this installer possible, as well as the solution to securing your XBMC web server.
Please note that simply installing XBMC iPhone Remote using EITHER the manual installation or web installation does NOT make your Xbox any less secure. It’s just HTML, CSS, and JavaScript, which are all harmless. There’s no server side ASP or Python code at all, other than in the web installer. Enabling XBMC’s web server in the first place (without password protection) is the problem.
Luckily there is an easy (although flawed) fix. See the “Solutions” section for instructions on how to enable password protection on the XBMC web server.
### Background ###
Any Xbox Media Center installation that has the web server enabled also has an HTTP interface that can be used to control various things on the Xbox, including pausing/playing, listing of files, etc, which are used extensively in the XBMC iPhone Remote and make it possible. It also allows you to control such things as downloading files, executing scripts, deleting files, etc, which are used in the “web installer”. Anyone who thinks about this for a moment will realize that this is rather unsafe, and could easily be used by malicious hackers to delete files, steal passwords, or gain complete control of your Xbox.
Normally this would not be a big problem because most users have their Xbox and computers on a LAN behind a home router (like Linksys, DLink, etc) so this interface isn’t available to the public Internet unless they specifically forward port 80 (HTTP) to their Xbox.
BUT, since for the web interface to be useful the user’s computer, iPhone, etc must have access to the Xbox’s web server. So the problem (or solution, in the case of the web installer) is that the user’s browser has unrestricted access to the web interface. When the user visits a webpage, that webpage could easily execute any command on the Xbox simply by loading an appropriate URL in a browser window or iframe.
Due to the [same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy) in place on web browsers, the page that executes the command cannot access the results of the command, but that doesn’t matter since we can use the API to download and execute arbitrary PYthon scripts.
### How the web installer works ###
In fact this is exactly how the web installer works. It has to bootstrap itself by downloading a simple install script, then executes that script to do the actual installation. Credit goes to LiquidIce for the original web installer, I just modified it to be a little more automated and to suit the XBMC iPhone Remote.
The user enters their Xbox’s IP address into a text field on the project page, then presses the “Install” button:
– http://tlrobinson.net/projects/xbmciphone/index.php
The “Install” button executes a little JavaScript that creates a special URL with the user’s specified IP address, the “FileUpload” command, and the file to be uploaded which is a Python script that has been encoded into [Base64](http://en.wikipedia.org/wiki/Base64):
– http://tlrobinson.net/projects/xbmciphone/webinstaller.js (the JavaScript)
– http://tlrobinson.net/projects/xbmciphone/webinstaller-iphone.spy (the Python script before Base64 encoding)
The URL looks something like this (with 192.168.1.69 replaced with the actual Xbox IP, and ABCDEFG replaced with the actual long string of Base64 encoded Python, webinstaller-iphone.spy):
http://192.168.0.69/xbmcCmds/xbmcHttp?command=FileUpload(q:/web/webinstaller-iphone.spy;ABCDEFG)
The following commands can be used on Mac OS X (and others?) to encode and decode Base64, respectively:
– openssl enc -base64 -in webinstaller-iphone.spy > webinstaller-iphone-base64.txt
– openssl enc -base64 -d -in webinstaller-iphone-base64.txt > webinstaller-iphone.spy
The URL is then loaded into the iframe, which uploads the script to Q:/web/webinstaller-iphone.spy on the Xbox. After a short delay to ensure it had time to upload, the JavaScript then executes the just uploaded Python file by loading a URL similar to the one below in same iframe:
– http://192.168.0.69/webinstaller-iphone.spy
That executes the Python code that downloads the actual XBMC iPhone Remote files to the correct directory, cleans up, and finally redirects the page to http://192.168.0.69/iphone/ to display it.
– http://tlrobinson.net/projects/xbmciphone/iphone.rar (the rar file containing XBMC iPhone Remote)
So there it is. It’s nothing too sneaky. Feel free to look at all the files for yourself, decode the Base64 Python code, etc.
### The Problem ###
While this web installer is harmless, it would be trivial to write something more destructive to delete files, steal stored passwords for SMB, FTP, etc.
For the web installer, we simply ask the user for their Xbox’s IP address since we assume the user trusts us, but it wouldn’t be hard to brute force try all the common home LAN IP addresses (commonly 192.168.x.x). Also, while the web installer requires users interaction to initiate the installation, there’s no reason a malicious script couldn’t execute automatically.
Fortunately, XBMC provides password protection for the web server. Unfortunately, it’s not enable by default, and most people don’t bother to enable it.
### The (Partial) Solution ###
The solution is simple: enable password protection on the XBMC web server. In the Network settings menu, under Servers, there’s an option for a password.
There is one major problem with this: once you log into web server, the browser remembers that you have logged in for the remainder of the time it is open. This is convenient, as it would be very annoying to have to enter your username and password every time you issue a command to the, but could potentially be taken advantage of if you happen to log in prior to visiting a malicious page.
To test this (with the harmless web install example), enable password protection, then log into your Xbox’s web interface by visiting http://xbox/ where “xbox” is replaced with the actual Xbox IP address. Then use the [web installer](http://tlrobinson.net/projects/xbmc/) to perform the installation. It won’t ask for your password.
Additionally, you can change the web server port or use an obscure IP address for your Xbox. Although this only amounts to security through obscurity, it would likely be enough, bar some really determined hacker with something like [Jitko](http://ha.ckers.org/blog/20070402/jikto-leaked/).
### Conclusion ###
While it’s pretty unlikely that anyone cares enough about your Xbox to hack it, it’s a definite possibility, and would be nearly trivial with all the dangerous (yet useful) commands the HTTP-API gives us. In addition to being a neat and easy way to install a cool app on your Xbox, the web installer serves as a harmless proof of concept.
Thanks to LiquidIce for providing the original web installer code and idea.
