Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability
Title: Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability
Advisory ID: ZSL-2017-5403
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 30.04.2017
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
[25.04.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
[2] https://www.exploit-db.com/exploits/41948/
[3] https://cxsecurity.com/issue/WLB-2017040203
[4] https://packetstormsecurity.com/files/142357
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/125534
[02.05.2017] - Added reference [2], [3] and [4]
[03.05.2017] - Added reference [5]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2017-5403
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 30.04.2017
Summary
Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.Description
The vulnerability was confirmed on tested platforms depending on the version. Version 3.1.0 is affecting Linux, Windows and Mac platforms. The 3.2.5 only affects Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not properly verified before being used to load resources. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.Vendor
Emby LLC - https://www.emby.mediaAffected Version
3.2.53.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Tested On
Microsoft Windows 7 Professional SP1 (EN)Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vendor Status
[22.12.2016] Vulnerability discovered.[25.04.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
emby_fd.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://blogs.securiteam.com/index.php/archives/3098[2] https://www.exploit-db.com/exploits/41948/
[3] https://cxsecurity.com/issue/WLB-2017040203
[4] https://packetstormsecurity.com/files/142357
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/125534
Changelog
[30.04.2017] - Initial release[02.05.2017] - Added reference [2], [3] and [4]
[03.05.2017] - Added reference [5]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk