A Plex Drive-By

I recently took a look at the Plex home media server running on Windows 7, in order to assess the security of the web administration interface. By default, Plex listens on port 32400 on localhost. Binding to localhost doesn’t limit the attack surface, though, since they’ve explicitly disabled the same-origin policy in almost all cases.

The Plex web service has a few severe web security issues. All the URLs starting with /web, such as /web/index.html, are subject to directory traversal (using dot-dot-backslash). There are SQL injection vulnerabilities in some of the /library URLs. The most serious issue, however, is that Plex responds with a wildcard (*) CORS allow-origin header whenever a request carries an Origin header. To make matters worse, CSRF protection is not provided, and SOP is disabled for Flash and Silverlight (via crossdomain.xml and clientaccesspolicy.xml, respectively).

This means that any web site you visit can issue an XHR to localhost:32400 and obtain access to your media, and possibly your entire filesystem.
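The three cross-origin weaknesses above (a wildcard CORS answer to any Origin, and permissive Flash and Silverlight policy files) are easy to audit from a response capture. The following is an added example, not code from Plex or from the original post: the headers and policy files it inspects are constructed samples, and the final function shows the allow-list check a server should perform instead of answering `*`.

```python
"""Added example (not Plex's code): audit helpers for the cross-origin
weaknesses the post describes, plus the origin check a server should do
instead. All HTTP headers and policy files below are constructed samples."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed: what a permissive server might answer to a request carrying
# "Origin: https://third-party.example".
SAMPLE_CORS_HEADERS = {
    "Content-Type": "application/xml",
    "Access-Control-Allow-Origin": "*",
}

# Constructed Flash policy granting every domain access.
SAMPLE_CROSSDOMAIN_XML = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed Silverlight policy granting every domain access.
SAMPLE_CLIENTACCESSPOLICY_XML = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_cors(request_origin: str, response_headers: Dict[str, str]) -> List[str]:
    """Findings for a response to a request that carried a cross-site Origin."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("ACAO is '*': any page can read responses via a credential-less XHR")
    elif acao == request_origin:
        findings.append(f"ACAO reflects the requesting origin {request_origin!r}")
    if creds and acao in ("*", request_origin):
        findings.append("Allow-Credentials: true combined with a permissive ACAO")
    return findings


def audit_crossdomain_xml(xml_text: str) -> List[str]:
    """Flag Flash crossdomain.xml rules that open the origin to arbitrary domains."""
    findings = []
    for el in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("crossdomain.xml: allow-access-from domain='*'")
        elif domain.startswith("*."):
            findings.append(f"crossdomain.xml: wildcard subdomain grant {domain!r}")
    return findings


def audit_clientaccesspolicy_xml(xml_text: str) -> List[str]:
    """Flag Silverlight clientaccesspolicy.xml rules that allow every domain."""
    findings = []
    for el in ET.fromstring(xml_text).iter("domain"):
        uri = el.get("uri", "")
        if uri in ("*", "http://*", "https://*"):
            findings.append(f"clientaccesspolicy.xml: domain uri={uri!r}")
    return findings


def cors_headers_for(request_origin: str, allowlist: List[str]) -> Dict[str, str]:
    """The hardened alternative: echo an origin only on an exact allow-list match,
    and add Vary: Origin so caches never serve one origin's answer to another."""
    if request_origin in allowlist:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    origin = "https://third-party.example"
    for line in (audit_cors(origin, SAMPLE_CORS_HEADERS)
                 + audit_crossdomain_xml(SAMPLE_CROSSDOMAIN_XML)
                 + audit_clientaccesspolicy_xml(SAMPLE_CLIENTACCESSPOLICY_XML)):
        print("FINDING:", line)
    print("hardened response:", cors_headers_for(origin, ["http://localhost:32400"]))
```

Run against real captures, feed `audit_cors` the headers of a response to a request you sent with an `Origin` header set to a site you do not control, and fetch `/crossdomain.xml` and `/clientaccesspolicy.xml` for the two XML checks; a clean service yields no findings and, for a cross-site origin, no `Access-Control-Allow-Origin` header at all.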

Getting Code Execution

While arbitrary file read is interesting, a cross-browser drive-by download is more interesting. As it turns out, Plex uses a Python-based plugin system. The developers have sandboxed the plugins using RestrictedPython, so it’s not enough to load a malicious plugin (unless you have a sandbox bypass).

Something has to bootstrap the plugin environment though, and it turns out this is done in the file bootstrap.py. It’s located in the following path by default:

%APPDATA%/Plex Media Server/Plug-ins/Framework.bundle/Contents/Resources/Versions/2/Python/bootstrap.py

In order to get unrestricted code execution on Plex via drive-by download, all we need to do is use JavaScript to launch an XHR PUT to /:/prefs, and set the plugin directory to a UNC path. We will need to host the directory and bootstrap.py file on a Samba share on the Internet.
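Both filesystem problems on this page, the dot-dot-backslash traversal under /web described earlier and a plugin-directory preference that accepts a UNC path, come down to missing path validation. The following is an added example, not Plex's code or the post's: `resolve_under_root` is the check a /web handler should make before opening a file, and `validate_plugin_dir` is the check a preference setter should make before storing a path. The web root and plugin root it uses are constructed placeholders rather than Plex's real layout.

```python
"""Added example (not Plex's code): the two path checks that would have closed
the filesystem issues the post describes, namely '..\\' traversal under /web and
a plugin-directory preference that accepts a UNC path. The web root and plugin
root used below are constructed placeholders, not Plex's real layout."""
import ntpath
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "C:/Plex/web"                                        # constructed
PLUGIN_ROOT = r"C:\Users\me\AppData\Roaming\Plex Media Server"  # constructed


def resolve_under_root(root: str, url_path: str) -> Optional[str]:
    """Map the path component of a /web request onto a file under root.
    Returns None when the request would escape the root. Both '/' and '\\'
    are treated as separators, because Windows accepts either, and the path
    is percent-decoded once before any '..' handling so an encoded backslash
    cannot slip past the check."""
    decoded = unquote(url_path).replace("\\", "/")
    # NUL bytes, drive letters / NTFS streams (':') and UNC-style prefixes have
    # no business in a URL path component; refuse them outright.
    if "\x00" in decoded or ":" in decoded or decoded.startswith("//"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # After '..' collapsing the result must still be the root or sit below it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def validate_plugin_dir(value: str, allowed_root: str) -> Optional[str]:
    """Accept a plugin-directory preference only when it is a local, drive-letter
    absolute path inside allowed_root. Returns the normalised path or None."""
    # \\host\share, //host/share, \\?\ long paths and \\.\ device paths all start
    # with a double separator; none of them belongs in this preference.
    if value.startswith(("\\\\", "//")):
        return None
    drive, _ = ntpath.splitdrive(value)
    # Require "X:" plus an absolute remainder, so relative and driveless
    # rooted forms are refused as well.
    if len(drive) != 2 or not drive[0].isalpha() or drive[1] != ":" or not ntpath.isabs(value):
        return None
    norm = ntpath.normcase(ntpath.normpath(value))
    root = ntpath.normcase(ntpath.normpath(allowed_root))
    if norm != root and not norm.startswith(root + "\\"):
        return None
    return norm


if __name__ == "__main__":
    for p in ("index.html", "css/../index.html", "..\\..\\outside.txt"):
        print(f"{p!r:32} -> {resolve_under_root(WEB_ROOT, p)}")
    for p in (PLUGIN_ROOT + r"\Plug-ins", r"\\files.example\share\Plug-ins"):
        print(f"{p!r:60} -> {validate_plugin_dir(p, PLUGIN_ROOT)}")
```

Note that `validate_plugin_dir` is only a defence in depth: the preference endpoint should also require authentication and a CSRF token, since a well-formed local path is still a problem if anyone on the web can set it.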

I’ve prepared a Metasploit module to exploit this issue. It has been tested on Windows 7 x64, and relies on PowerShell for stage 2 execution. It appears Metasploit has a Python meterpreter loader too, so that’s probably a more portable option. Note that the Metasploit module only works on Kali — it reconfigures Samba to host the share, and makes some assumptions about its default configuration and filesystem layout.

You can find the module here.
