![]() Accesses the SMB share running at the $smbServer variable. ![]() When Plex parses this, it does two things:ġ. The POC used to prove this vulnerability (POC 1 below) contained the following XML content: This is expected behaviour for SSDP/UPNP.īy hosting a specially crafted XML file at that location, we can force Plex Media Server to do several things. Plex will automatically access the Device Descriptor over HTTP, parsing the XML content. When we do this, we provide the location of an XML file containing more information about our device. We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. This is the first step in finding and adding Universal Plug and Play (UPNP) devices. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. Plex, like many other media servers, will attempt to discover other devices on a local network. Operating Systems affected: Verified Windows 10 and Ubuntu Linux 18.10 (likely all versions) Impact: Information disclosure up to code executionĪffected component: Plex Media Server's SSDP discovery / parsing with libxml2 Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.Įxploitation can be demonstrated using evil-ssdp ().ĭisclosed to Plex security team, pending resolution. Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password. Access arbitrary files from the filesystem with the same permission as the user account running Plex. Unauthenticated attackers on the same LAN can use this vulnerability to: The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Issue: Out-of-Band XXE in Plex Media Server's SSDP Processing
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |