module
Plex Unpickle Dict Windows RCE
| Disclosed |
|---|
| May 7, 2020 |
Description
This module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker
can create a photo library and add arbitrary files to it. After setting the Windows-only Plex variable
LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes
an RCE as the user who started Plex.
Plex_Token is required. To get it, log in through a web browser, then check the requests to grab
the X-Plex-Token header. See info -d for additional details.
If an exploit fails or is cancelled, Dict is left on disk and a new ALBUM_NAME will be required,
as subsequent writes will create Dict-1, which will not execute.
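
A defender-side illustration of the unsafe pickle.load described above, added here and not taken from the module or from Plex: it inspects a pickle stream's opcodes without executing it, and loads it with an unpickler that rejects every global lookup. The function names and sample data are constructed for the example, which assumes the Python 3 standard library.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that let a pickle stream import or call objects while it is loaded.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(data: bytes) -> set:
    """Return the risky opcode names in a pickle stream without executing it."""
    seen = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return seen & RISKY_OPCODES


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain
    containers and scalars (dict, list, str, int, ...) can be loaded."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_data_only(data: bytes):
    """Load a pickle that must contain data only; raise on any global."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


# Constructed samples: a plain dict, and a benign object whose pickle
# needs a global lookup plus a call (the same mechanism abused for RCE).
PLAIN_DICT = pickle.dumps({"album": "holiday", "count": 3}, protocol=2)
WITH_GLOBAL = pickle.dumps(collections.OrderedDict(album="holiday"), protocol=2)

if __name__ == "__main__":
    for label, blob in (("plain dict", PLAIN_DICT), ("with global", WITH_GLOBAL)):
        print(label, "risky opcodes:", sorted(risky_opcodes(blob)))
        try:
            print("  loaded:", load_data_only(blob))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

A stream that reports no risky opcodes contains data only; anything else should be treated as code and not loaded from a location a user can write to.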