Zero Science Lab » Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability

Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability

Title: Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability
Advisory ID: ZSL-2017-5403
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 30.04.2017

Summary

Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.

Description

The vulnerability was confirmed on tested platforms depending on the version. Version 3.1.0 is affecting Linux, Windows and Mac platforms. The 3.2.5 only affects Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not properly verified before being used to load resources. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

Vendor

Emby LLC - https://www.emby.media

Affected Version

3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3

Vendor Status

[22.12.2016] Vulnerability discovered.
[25.04.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.

PoC

emby_fd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://blogs.securiteam.com/index.php/archives/3098
[2] https://www.exploit-db.com/exploits/41948/
[3] https://cxsecurity.com/issue/WLB-2017040203
[4] https://packetstormsecurity.com/files/142357
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/125534

Changelog

[30.04.2017] - Initial release
[02.05.2017] - Added reference [2], [3] and [4]
[03.05.2017] - Added reference [5]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk