Tautulli
cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*
- <= 2.15.3
A remote code execution vulnerability exists in Tautulli versions up to and including 2.15.3. An attacker with administrative access can write arbitrary Python scripts into the application's filesystem through the 'pms_image_proxy' endpoint, because the 'img_format' parameter is not sanitized and permits path traversal when the cached image path is built. Once a script has been written, it can be executed through Tautulli's 'Script' notification agent, giving the attacker code execution on the server.
Exploitation of this vulnerability allows for authenticated remote code execution on the application server.
To reproduce the issue, an attacker with administrative access first changes the configured Plex Media Server (PMS) URL to a server they control. They then send a 'pms_image_proxy' request whose 'img' parameter points at a resource on that server and whose 'img_format' parameter carries a path traversal payload. Tautulli fetches the "image" from the attacker's PMS and stores the response body at the traversed path, so the attacker chooses both the file contents (for example a Python script) and where it lands on the application filesystem. Finally, the attacker configures Tautulli's 'Script' notification agent to run the written script, achieving remote code execution on the server.
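The following is an added illustration of the bug class the advisory describes (a caller-controlled format parameter used as a file extension when building a cache path), placed beside a hardened version. It is not Tautulli's code: the function names, the cache directory layout, the allow-list of formats and the sample payload are all assumptions made for the example.

```python
import hashlib
import os
import tempfile

ALLOWED_FORMATS = {"png", "jpg", "jpeg", "webp"}  # assumed allow-list of image formats


def cache_path_vulnerable(cache_dir, img, img_format):
    """Vulnerable pattern (assumed, modelled on the advisory): the
    caller-supplied img_format becomes the extension of the cached file
    without validation, so a value with '/' and '..' segments moves the
    write outside cache_dir."""
    name = hashlib.sha256(img.encode()).hexdigest()
    return os.path.normpath(os.path.join(cache_dir, f"{name}.{img_format}"))


def safe_format(img_format):
    """Strict allow-list: a known extension only, never separators or dots."""
    return img_format in ALLOWED_FORMATS


def escapes_dir(root, path):
    """True if the resolved path lies outside the resolved root directory."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) != root


def cache_path_hardened(cache_dir, img, img_format):
    """Hardened pattern: allow-list the format, then verify the resolved
    destination is still under cache_dir before anything is written."""
    if not safe_format(img_format):
        raise ValueError(f"unsupported image format: {img_format!r}")
    name = hashlib.sha256(img.encode()).hexdigest()
    path = os.path.join(cache_dir, f"{name}.{img_format}")
    if escapes_dir(cache_dir, path):
        raise ValueError("cache path escapes the cache directory")
    return os.path.realpath(path)


def hardened_rejects(cache_dir, img, img_format):
    """Convenience predicate: does the hardened builder refuse this request?"""
    try:
        cache_path_hardened(cache_dir, img, img_format)
    except ValueError:
        return True
    return False


def store_fetched_image(path, data):
    """Stand-in for 'fetch from the configured PMS and cache it': writes
    whatever the upstream server returned to the computed path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed scenario: a throwaway root holding a cache directory and a
    # separate scripts directory that the attacker wants to write into.
    with tempfile.TemporaryDirectory() as root:
        cache_dir = os.path.join(root, "cache", "images")
        scripts_dir = os.path.join(root, "scripts")
        os.makedirs(cache_dir)
        os.makedirs(scripts_dir)
        # Body the attacker-controlled "PMS" returns instead of an image.
        payload = b"print('executed by the Script notification agent')\n"
        # img_format carrying traversal: '<hash>.png' becomes a bogus
        # directory component that the '..' segments step back out of.
        evil_format = "png/../../../scripts/evil.py"
        dest = cache_path_vulnerable(cache_dir, "http://attacker.example/x.png", evil_format)
        print("vulnerable path:", dest)
        print("escapes cache dir:", escapes_dir(cache_dir, dest))
        store_fetched_image(dest, payload)
        print("written outside cache:", os.path.exists(os.path.join(scripts_dir, "evil.py")))
        try:
            cache_path_hardened(cache_dir, "http://attacker.example/x.png", evil_format)
        except ValueError as exc:
            print("hardened rejects:", exc)
```

The allow-list check alone closes the traversal, since no permitted value contains a path separator; the containment check on the resolved path is the second line of defence for any future code path that builds a filename from other request data.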
Users are advised to upgrade to Tautulli version 2.16.0, which addresses this vulnerability.