I recently took a look at the Plex home media server running on Windows 7, in order to assess the security of the web administration interface. By default, Plex listens on port 32400 on localhost. Binding to localhost doesn’t limit the attack surface, however, since they’ve explicitly disabled the same-origin policy in almost all cases.
The Plex web service has a few severe web security issues. All the URLs starting with /web, such as /web/index.html, are subject to directory traversal (using dot-dot-backslash). There are SQL injection vulnerabilities in some of the /library URLs. The most serious issue however, is that Plex responds with a CORS header allowing * when a request is sent with an Origin header. To make matters worse, CSRF protection is not provided, and SOP is disabled for Flash and Silverlight (via crossdomain.xml and clientaccesspolicy.xml, respectively).
This means that any web site you visit can issue an XHR to localhost:32400 and obtain access to your media, and possibly your entire filesystem.
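A defender-side check for the three mechanisms described above, written as an added example rather than code from the original post: given a captured response to a request that carried an Origin header, plus the server's crossdomain.xml and clientaccesspolicy.xml, it reports which of them would let an arbitrary web origin read the API's responses. The sample headers and policy files are constructed to mirror the post's description, not captured from a real Plex install.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not captured from a real server) modelled on the three
# artefacts the post describes: a response to a request carrying an Origin
# header, the Flash policy file and the Silverlight policy file.
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "*", "Content-Type": "text/xml"}
SAMPLE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""
SAMPLE_CLIENTACCESSPOLICY = """<?xml version="1.0"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def cors_is_permissive(headers, origin):
    """True if scripts on `origin` could read the response ('*' or reflected)."""
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin", "").strip()
    # With no CSRF token, either value lets any visited site call localhost.
    return acao == "*" or acao == origin


def crossdomain_is_permissive(xml_text):
    """Flash policy: <allow-access-from domain="*"> opens it to every site."""
    root = ET.fromstring(xml_text)
    return any(el.get("domain") == "*" for el in root.iter("allow-access-from"))


def clientaccesspolicy_is_permissive(xml_text):
    """Silverlight policy: a <domain uri="*"/> under <allow-from> does the same."""
    root = ET.fromstring(xml_text)
    return any(el.get("uri") == "*" for el in root.iter("domain"))


def audit(headers, origin, crossdomain_xml, clientaccesspolicy_xml):
    """Return the set of mechanisms that open the server to `origin` (empty = none)."""
    findings = set()
    if cors_is_permissive(headers, origin):
        findings.add("cors")
    if crossdomain_is_permissive(crossdomain_xml):
        findings.add("crossdomain.xml")
    if clientaccesspolicy_is_permissive(clientaccesspolicy_xml):
        findings.add("clientaccesspolicy.xml")
    return findings
```

Running `audit(SAMPLE_HEADERS, "https://other.example", SAMPLE_CROSSDOMAIN, SAMPLE_CLIENTACCESSPOLICY)` on the constructed samples flags all three; a patched server should yield an empty set.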
Getting Code Execution
While arbitrary file read is interesting, a cross-browser drive-by download is more interesting. As it turns out, Plex uses a Python-based plugin system. The developers have sandboxed the plugins using RestrictedPython, so it’s not enough to load a malicious plugin (unless you have a sandbox bypass).
Something has to bootstrap the plugin environment though, and it turns out this is done in the file bootstrap.py. It’s located in the following path by default:
%APPDATA%/Plex Media Server/Plug-ins/Framework.bundle/Contents/Resources/Versions/2/Python/bootstrap.py
I’ve prepared a Metasploit module to exploit this issue. It has been tested on Windows 7 x64, and relies on PowerShell for stage 2 execution. It appears Metasploit has a Python meterpreter loader too, so that’s probably a more portable option. Note that the Metasploit module only works on Kali — it reconfigures Samba to host the share, and makes some assumptions about its default configuration and filesystem layout.
You can find the module here.