Emby MediaServer 3.2.5 Password Reset Vulnerability

Title: Emby MediaServer 3.2.5 Password Reset Vulnerability
Advisory ID: ZSL-2017-5401
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 30.04.2017
Summary
Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.
Description
The issue can be triggered only by an unauthenticated actor within the home network (LAN). The attacker does not need to specify a valid username to reset the password: he or she can enter a random string and, using the file disclosure issue, read the PIN needed for the reset. This in turn discloses all the valid usernames on the Emby server and resets all users' passwords to a blank password. Attackers can exploit this to gain unauthenticated and unauthorized access to the Emby media server management interface.
Vendor
Emby LLC - https://www.emby.media
Affected Version
3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vendor Status
[22.12.2016] Vulnerability discovered.
[25.04.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
emby_auth.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5403.php
[2] https://blogs.securiteam.com/index.php/archives/3098
[3] https://www.exploit-db.com/exploits/41947/
[4] https://cxsecurity.com/issue/WLB-2017040201
[5] https://packetstormsecurity.com/files/142355
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/125535
Changelog
[30.04.2017] - Initial release
[02.05.2017] - Added references [3], [4] and [5]
[03.05.2017] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk