Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29309
HistoryMay 04, 2013 - 12:00 a.m.

WowzaMediaServer SecureToken bypass (and worse)

2013-05-0400:00:00
vulners.com
68

Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server

Issue:

By default all installations of WMS use four modules in their
application's config file: base, properties, logging, flvplayback.

I've found out that the `properties` module allows unauthenticated
attacker to get/set various properties (Client, MediaStream,
ApplicationInstance, and Application).

Since ApplicationInstance properties are commonly used to store sensitive
data (for instance `secureTokenSharedSecret` property used to secure
origin-edge and/or client-origin RTMP connections, backend credentials,
etc) this poses non-trivial risk.

Fetching the abovementioned `secureTokenSharedSecret` property from
the streaming server allows attacker to easily employ rtmpdump (and
the like) to dump VOD files and/or in extreme cases re-stream directly
from origin.

As a demo I've implemented straightforward patch to JWPlayer (popular
Flash player) that bypasses SecureToken protection on the fly. This
demo is available in a long-winded blog post at my company's website:

http://tinyurl.com/wontyoupleasethinkoftheusers

As for the `logging` module, this can be used to fill logfile with
nonsensical log entries (and worse).

Workaround:

Disable both `properties` and `logging` modules unless you absolutely
need them (99% of the people running WMS probably don't) or wait for
vendor fix.

Timeline:

  • 2013-04-06 Wowza Media Services contacted about this issue
  • 2013-04-08 Wowza rep states that this is a non-issue and accuses me of
    scaremongering
  • 2013-04-19 After subsequent rounds of communication, Wowza rep threatens
    to "reevaluate" my independent consultant status if this info disclosed
  • 2013-04-27 Contacting Wowza rep with non-public preview of this post
    including the JWPlayer demo (last shot at responsible disclosure)
  • 2013-04-28 Wowza rep responds with more indirect threats, info that this
    will be resolved sometime in the future and a plea "won't you please think
    of the users"
  • 2013-04-30 Public release due to vendor's non-cooperation

M.
– Michal J. <wejn(at)box.cz> "I honestly think it is better to be a failure at something you love than to be a success at something you hate…" – George Burns