Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a fairly popular RTMP/HLS/HDS/RTSP streaming server.
Issue:
By default, all installations of WMS use four modules in their
application's config file: base, properties, logging, flvplayback.
I've found out that the `properties` module allows an unauthenticated
attacker to get/set various properties (Client, MediaStream,
ApplicationInstance, and Application).
Since ApplicationInstance properties are commonly used to store sensitive
data (for instance the `secureTokenSharedSecret` property, used to secure
origin-edge and/or client-origin RTMP connections, backend credentials,
etc.), this poses a non-trivial risk.
Fetching the above-mentioned `secureTokenSharedSecret` property from
the streaming server allows an attacker to easily employ rtmpdump (and
the like) to dump VOD files and/or, in extreme cases, re-stream directly
from the origin.
As a demo I've implemented a straightforward patch to JWPlayer (a popular
Flash player) that bypasses SecureToken protection on the fly. This
demo is available in a long-winded blog post on my company's website:
http://tinyurl.com/wontyoupleasethinkoftheusers
As for the `logging` module, it can be used to fill the logfile with
nonsensical log entries (and worse).
Workaround:
Disable both the `properties` and `logging` modules unless you absolutely
need them (99% of the people running WMS probably don't), or wait for a
vendor fix.
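As an added check that is not part of this advisory: a POSIX shell audit that walks a Wowza conf directory and flags every Application.xml still loading the two modules the workaround says to disable. The sample Application.xml below is constructed for the example, and the module Class names in it are assumed from a stock install, not taken from the advisory.

```shell
#!/bin/sh
# Audit Wowza Application.xml files for the `properties` and `logging`
# modules. Added example; not the vendor's or the advisory author's code.

# Print the risky modules enabled in one Application.xml.
# Returns 0 when none are enabled, 1 when at least one is.
wowza_risky_modules() {
    file="$1"
    found=""
    # No <Modules> section means no modules are loaded from this file.
    grep -q '<Modules>' "$file" || return 0
    # Flatten the file, keep only the <Modules>...</Modules> section (so a
    # <Property> whose <Name> happens to be "logging" is not counted), then
    # pull out each module's <Name> value.
    names=$(tr -d '\n' < "$file" \
            | sed 's#.*<Modules>\(.*\)</Modules>.*#\1#' \
            | grep -o '<Name>[^<]*</Name>' \
            | sed -e 's#<Name>##' -e 's#</Name>##')
    for name in $names; do
        case "$name" in
            properties|logging) found="$found $name" ;;
        esac
    done
    if [ -n "$found" ]; then
        echo "$file: risky module(s) enabled:$found"
        return 1
    fi
    return 0
}

# Audit every Application.xml under a conf directory (paths are assumed
# to contain no whitespace). Returns 1 if any application is flagged.
wowza_audit_conf() {
    rc=0
    for f in $(find "$1" -name Application.xml); do
        wowza_risky_modules "$f" || rc=1
    done
    return $rc
}

# Constructed sample: a default-style config with all four modules loaded.
# The Class names are assumed from a stock Wowza install.
tmpdir=$(mktemp -d)
mkdir -p "$tmpdir/vod"
cat > "$tmpdir/vod/Application.xml" <<'EOF'
<Root><Application>
  <Modules>
    <Module><Name>base</Name><Class>com.wowza.wms.module.ModuleCore</Class></Module>
    <Module><Name>properties</Name><Class>com.wowza.wms.module.ModuleProperties</Class></Module>
    <Module><Name>logging</Name><Class>com.wowza.wms.module.ModuleClientLogging</Class></Module>
    <Module><Name>flvplayback</Name><Class>com.wowza.wms.module.ModuleFLVPlayback</Class></Module>
  </Modules>
  <Properties><Property><Name>secureTokenSharedSecret</Name><Value>REDACTED</Value></Property></Properties>
</Application></Root>
EOF
wowza_audit_conf "$tmpdir" || echo "remove the listed modules from <Modules> unless you need them"
```

Run it against the real conf directory of the server (for example `wowza_audit_conf /usr/local/WowzaMediaServer/conf`, path assumed) after applying the workaround to confirm nothing was missed.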
Timeline:
M.
-- Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love than to be a success at something you hate..." -- George Burns