Show Notes

213 - Jellyfin Exploits and TOCTOU Spellcasting

Two vulnerabilities in Jellyfin, which is a media server fork of Emby. They focused on the REST API in the server, and they noticed that the Authorization header seemed to be implicitly trusted in many endpoints despite the fact it could be attacker-controlled.

Bug #1: Directory traversal in logging endpoint The logging endpoint was one such area that used the Authorization header values carelessly. It would take a clientName and version to create the log file name, but these are ultimately controllable via the header. You can simply directory traverse out and get an almost-arbitrary file write, as contents were controlled entirely via the POST body. Unfortunately, the filename ending in .log presented a problem that they weren’t able to solve.

Bug #2: Stored XSS in devices page The admin panel’s devices panel similarly trusted values from Authorization, and echoed the device ID into the page with no sanitization, yielding stored XSS. Furthermore, inline scripts were allowed by the CSP, so they could eval() in combination with the classic String.fromCharCode() trick to execute code despite not being able to get quotes through the Authorization header.

To get RCE, they used the logging endpoint to create a malicious executable that they could get processed through the media encoder via adding the path to the encoder through the admin access they acquired with the stored XSS. This would also be triggered during the validation phase which would launch the file as a process, meaning the original media encoder wouldn’t be replaced which works to the attacker’s favor.