Pignuuu 1 Posted September 2, 2022 Share Posted September 2, 2022 Hi, I believe I have found something allowing users with a restricted account to a server to see all content on a server. I don't want to post how to recreate it publicly as then people might take advantage of it so preferably I would want to take this privately. But if not then I am more than happy to post about it here. Since the exploit is still working on the newest version available I am going to assume it has not been discovered before. Link to comment Share on other sites More sharing options...
Solution rbjtech 4222 Posted September 2, 2022 Solution Share Posted September 2, 2022 8 minutes ago, Pignuuu said: Hi, I believe I have found something allowing users with a restricted account to a server to see all content on a server. I don't want to post how to recreate it publicly as then people might take advantage of it so preferably I would want to take this privately. But if not then I am more than happy to post about it here. Since the exploit is still working on the newest version available I am going to assume it has not been discovered before. PM @Luke and @ebr They are the Admins - check their profiles. 1 Link to comment Share on other sites More sharing options...
Pignuuu 1 Posted September 2, 2022 Author Share Posted September 2, 2022 1 hour ago, rbjtech said: PM @Luke and @ebr They are the Admins - check their profiles. Thanks, I sent Luke a dm now. Wasn't aware they had messaging on here, pretty neat. 1 Link to comment Share on other sites More sharing options...
pse 9 Posted September 3, 2022 Share Posted September 3, 2022 This vulnerability might be more grave when combined with this: TL;DR: When exposing Emby to the Internet, any security feature that depends on the distinction between "public" and "local" IP is broken because you can trick Emby into thinking you are "local" by just by setting "X-Forwarded-For: 127.0.0.1". 1 Link to comment Share on other sites More sharing options...
Pignuuu 1 Posted September 3, 2022 Author Share Posted September 3, 2022 8 hours ago, pse said: This vulnerability might be more grave when combined with this: TL;DR: When exposing Emby to the Internet, any security feature that depends on the distinction between "public" and "local" IP is broken because you can trick Emby into thinking you are "local" by just by setting "X-Forwarded-For: 127.0.0.1". Yeah I can see that being a problem. Gaining access to a general user account then using my exploit you have access to everything stored on the server. Link to comment Share on other sites More sharing options...
Gilgamesh_48 942 Posted September 3, 2022 Share Posted September 3, 2022 40 minutes ago, Pignuuu said: Yeah I can see that being a problem. Gaining access to a general user account then using my exploit you have access to everything stored on the server. Yet another good argument against using/allowing remote access. 1 Link to comment Share on other sites More sharing options...
Pignuuu 1 Posted September 3, 2022 Author Share Posted September 3, 2022 Just now, Gilgamesh_48 said: Yet another good argument against using/allowing remote access. Until it is safer I have actually gone as far to add a IP whitelist. So when I am away from home I just connect to my private VPN hosted with OpenVPN. Link to comment Share on other sites More sharing options...
pwhodges 1523 Posted September 3, 2022 Share Posted September 3, 2022 A properly set up reverse proxy should replace such a header from outside the network with a correct one. Paul Link to comment Share on other sites More sharing options...
pse 9 Posted September 4, 2022 Share Posted September 4, 2022 8 hours ago, pwhodges said: A properly set up reverse proxy should replace such a header from outside the network with a correct one. 9 hours ago, Pignuuu said: Until it is safer I have actually gone as far to add a IP whitelist. So when I am away from home I just connect to my private VPN hosted with OpenVPN. I have been doing both to have a minimum of confidence in exposing Emby on the Internet. There is a reverse proxy (nginx) removing the problematic headers (hoping I got all of them), and I whitelisted the proxy in emby. I'm using TLS as well -- what about adding support for verifying a client certificates? All emby needs for this is a way to configure a CA for remote connections. When set, this would require clients to provide a client certificate that is (possibly transitively) signed by the CA. This is another thing that can also be done in the reverse proxy. So there is ways to work around this -- but emby relys on the distinction between local and remote clients. The most important place is the checkbox to allow users "remote connection" to the emby server. Relying on this is dangerous. At least, the documentation should state the for public exposure, emby needs to be secured by a reverse proxy. Link to comment Share on other sites More sharing options...
rbjtech 4222 Posted September 4, 2022 Share Posted September 4, 2022 So has anything been acknowledged by the Admins ? Is this effectively a Zero Day that can compromise any remote system ? If yes, then depending how much is already public knowledge - users should be made aware on the Blog and via any other communication methods asap so the users can turn off remote access while an emergency fix is developed. Security Bugs/Coding errors happen - it how you deal with them that is important to maintain user trust. 1 Link to comment Share on other sites More sharing options...
horstepipe 356 Posted September 4, 2022 Share Posted September 4, 2022 (edited) 13 hours ago, pwhodges said: A properly set up reverse proxy should replace such a header from outside the network with a correct one. Paul Does @pir8radios example config include that? Edited September 4, 2022 by horstepipe Link to comment Share on other sites More sharing options...
rbjtech 4222 Posted September 4, 2022 Share Posted September 4, 2022 1 hour ago, horstepipe said: Does @pir8radios example config include that? Another way to look at this is an RP/WAF should not passthrough the client header - it should always recreate it's own. Link to comment Share on other sites More sharing options...
pse 9 Posted September 4, 2022 Share Posted September 4, 2022 (edited) 9 hours ago, rbjtech said: So has anything been acknowledged by the Admins ? Is this effectively a Zero Day that can compromise any remote system ? I wouldn't go that far, it doesn't always give you unauthenticated remote access to any system, only under the circumstances I mentioned here last year. But I don't think they are uncommon. At the very least, it is a privilege escalation for authenticated users, tricking the server into thinking you're local. Worst case, if you can guess a user that is "local only" and doesn't have a password, you're in. The admins seem to rely in parts on "security through obscurity", as there is an option to "Hide user from the login screen on devices that they've never signed into". Still, if you manage to guess a user's name without "allow remote access"... Edited September 4, 2022 by pse 1 Link to comment Share on other sites More sharing options...
rbjtech 4222 Posted September 5, 2022 Share Posted September 5, 2022 14 hours ago, pse said: I wouldn't go that far, it doesn't always give you unauthenticated remote access to any system, only under the circumstances I mentioned here last year. But I don't think they are uncommon. At the very least, it is a privilege escalation for authenticated users, tricking the server into thinking you're local. Worst case, if you can guess a user that is "local only" and doesn't have a password, you're in. The admins seem to rely in parts on "security through obscurity", as there is an option to "Hide user from the login screen on devices that they've never signed into". Still, if you manage to guess a user's name without "allow remote access"... Yep - and this is my concern. A lot of users are going to simply create local accounts with no passwords because they have not enabled remote access for that user. If one of them is Admin, then it's a more serious problem obviously. I'd like to see some comms on this from the Emby Team - with clear instructions on what they are doing about it, and ways to minimise the risk. Password complexity enforcement is of course 'on the list' but in Q3 2022, this is frankly unforgiveable on an internet facing application .... TLS enforcement is of course required to make any of this secure .. but that's another story. Link to comment Share on other sites More sharing options...
Pignuuu 1 Posted September 5, 2022 Author Share Posted September 5, 2022 1 hour ago, rbjtech said: Yep - and this is my concern. A lot of users are going to simply create local accounts with no passwords because they have not enabled remote access for that user. If one of them is Admin, then it's a more serious problem obviously. I'd like to see some comms on this from the Emby Team - with clear instructions on what they are doing about it, and ways to minimise the risk. Password complexity enforcement is of course 'on the list' but in Q3 2022, this is frankly unforgiveable on an internet facing application .... TLS enforcement is of course required to make any of this secure .. but that's another story. To add salt to the wound, using my exploit you would be able to download everything on the server even if you don't have permissions to view those files. Link to comment Share on other sites More sharing options...
rbjtech 4222 Posted September 5, 2022 Share Posted September 5, 2022 Have the Admins responded to your initial report ? Link to comment Share on other sites More sharing options...
Pignuuu 1 Posted September 5, 2022 Author Share Posted September 5, 2022 12 minutes ago, rbjtech said: Have the Admins responded to your initial report ? Only response I have gotten is him reacting to this post. https://emby.media/community/index.php?/topic/111836-where-do-i-report-a-security-vulnerability/&do=findComment&comment=1178192 Link to comment Share on other sites More sharing options...
rbjtech 4222 Posted September 5, 2022 Share Posted September 5, 2022 ok - entirely your call of course, but with the ethics of responsible disclosure (which you appear to have followed) - I would give them a reasonable amount of time to investigate and respond. After which, posting to the public emby forum that there is a exploit available and users should do X to mitigate it - but NOT posting specific details would personally be my next move. Uploading the exploit and how to use it is obviously not where we want this to go ... @Luke @ebr 1 Link to comment Share on other sites More sharing options...
Luke 37009 Posted September 5, 2022 Share Posted September 5, 2022 Hi, yes we're looking into it. Thanks. 1 Link to comment Share on other sites More sharing options...
softworkz 3326 Posted September 6, 2022 Share Posted September 6, 2022 Truth is that Emby is not an overly secure product. The only reason why there aren't more exploits is that the count of public Emby servers is too small to be a really attractive target for attacking. Once there is an exploit, an attacker still needs to find Emby servers to target. For that reason, I have the following #1 Advice: Never use ports 8096, 8920 for public Emby Servers. Use 80 and 443 instead! Explained here: Link to comment Share on other sites More sharing options...
TeamB 2352 Posted September 6, 2022 Share Posted September 6, 2022 (edited) even if you do use default ports scanners can determine service identity using headers and response data See this DB here: https://www.shodan.io/search?query=emby Also an alternative https://censys.io/ Edited September 6, 2022 by TeamB Link to comment Share on other sites More sharing options...
softworkz 3326 Posted September 6, 2022 Share Posted September 6, 2022 The question is how many of those entries are from within the last 24h. All older dynamic IPs will be of no value. Your point is valid for static IPs, though! Link to comment Share on other sites More sharing options...
unisoft 272 Posted September 6, 2022 Share Posted September 6, 2022 (edited) All my accounts have complex passwords, 15 characters or more. Only accounts I want to allow remote access have it Account names are not obvious like "Admin" or "Administrator" Only one admin Emby account, the rest have limited rights I have reverse proxy with nginx on Synology DSM7 NGINX is set to UK access only TLS 1.2 paid certs are used with 2048 minimum length cipher key I hide all user logins so none are presented on login screens DSM7 itself has 2FA for its main admin account which is renamed The default root password from Synology for DSM7 was changed to a complex one. I do not use default Emby port and only one port is forwarded to NGINX External access is via a sub-domain that is not listed on Google or has other traffic It is patched and up to date Am I affected? Edited September 6, 2022 by unisoft Link to comment Share on other sites More sharing options...
rbjtech 4222 Posted September 6, 2022 Share Posted September 6, 2022 5 hours ago, unisoft said: All my accounts have complex passwords, 15 characters or more. Only accounts I want to allow remote access have it Account names are not obvious like "Admin" or "Administrator" Only one admin Emby account, the rest have limited rights I have reverse proxy with nginx on Synology DSM7 NGINX is set to UK access only TLS 1.2 paid certs are used with 2048 minimum length cipher key I hide all user logins so none are presented on login screens DSM7 itself has 2FA for its main admin account which is renamed The default root password from Synology for DSM7 was changed to a complex one. I do not use default Emby port and only one port is forwarded to NGINX External access is via a sub-domain that is not listed on Google or has other traffic It is patched and up to date Am I affected? How would you know if you were ? Link to comment Share on other sites More sharing options...
unisoft 272 Posted September 6, 2022 Share Posted September 6, 2022 27 minutes ago, rbjtech said: How would you know if you were ? well that's my question I've done what I can this end as a web server doing the normal things. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now