lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20130430083803.GH19735@box.cz>
Date: Tue, 30 Apr 2013 10:38:03 +0200
From: "Michal J." <wejn@....cz>
To: bugtraq@...urityfocus.com
Subject: WowzaMediaServer SecureToken bypass (and worse)

Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server

Issue:

By default all installations of WMS use four modules in their
application's config file: base, properties, logging, flvplayback.

I've found out that the `properties` module allows unauthenticated
attacker to get/set various properties (Client, MediaStream,
ApplicationInstance, and Application).

Since ApplicationInstance properties are commonly used to store sensitive
data (for instance `secureTokenSharedSecret` property used to secure
origin-edge and/or client-origin RTMP connections, backend credentials,
etc) this poses non-trivial risk.

Fetching the abovementioned `secureTokenSharedSecret` property from
the streaming server allows attacker to easily employ rtmpdump (and
the like) to dump VOD files and/or in extreme cases re-stream directly
from origin.

As a demo I've implemented straightforward patch to JWPlayer (popular
Flash player) that bypasses SecureToken protection on the fly. This
demo is available in a long-winded blog post at my company's website:

http://tinyurl.com/wontyoupleasethinkoftheusers

As for the `logging` module, this can be used to fill logfile with
nonsensical log entries (and worse).

Workaround:

Disable both `properties` and `logging` modules unless you absolutely
need them (99% of the people running WMS probably don't) or wait for
vendor fix.

Timeline:

* 2013-04-06 Wowza Media Services contacted about this issue
* 2013-04-08 Wowza rep states that this is a non-issue and accuses me of
  scaremongering
* 2013-04-19 After subsequent rounds of communication, Wowza rep threatens
  to "reevaluate" my independent consultant status if this info disclosed
* 2013-04-27 Contacting Wowza rep with non-public preview of this post
  including the JWPlayer demo (last shot at responsible disclosure)
* 2013-04-28 Wowza rep responds with more indirect threats, info that this
  will be resolved sometime in the future and a plea "won't you please think
  of the users"
* 2013-04-30 Public release due to vendor's non-cooperation

M.
-- 
Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love
than to be a success at something you hate..." -- George Burns

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ