'[Full-disclosure] WowzaMediaServer SecureToken bypass (and worse)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] WowzaMediaServer SecureToken bypass (and worse)
From:       "Michal J." <wejn () box ! cz>
Date:       2013-04-30 8:30:47
Message-ID: 20130430083047.GD19735 () box ! cz
[Download RAW message or body]

Product: Wowza Media Server
URL: http://www.wowza.com/
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server

Issue:

By default all installations of WMS use four modules in their
application's config file: base, properties, logging, flvplayback.

I've found out that the `properties` module allows unauthenticated
attacker to get/set various properties (Client, MediaStream,
ApplicationInstance, and Application).

Since ApplicationInstance properties are commonly used to store sensitive
data (for instance `secureTokenSharedSecret` property used to secure
origin-edge and/or client-origin RTMP connections, backend credentials,
etc) this poses non-trivial risk.

Fetching the abovementioned `secureTokenSharedSecret` property from
the streaming server allows attacker to easily employ rtmpdump (and
the like) to dump VOD files and/or in extreme cases re-stream directly
from origin.

As a demo I've implemented straightforward patch to JWPlayer (popular
Flash player) that bypasses SecureToken protection on the fly. This
demo is available in a long-winded blog post at my company's website:

http://tinyurl.com/wontyoupleasethinkoftheusers

As for the `logging` module, this can be used to fill logfile with
nonsensical log entries (and worse).

Workaround:

Disable both `properties` and `logging` modules unless you absolutely
need them (99% of the people running WMS probably don't) or wait for
vendor fix.

Timeline:

* 2013-04-06 Wowza Media Services contacted about this issue
* 2013-04-08 Wowza rep states that this is a non-issue and accuses me of
  scaremongering
* 2013-04-19 After subsequent rounds of communication, Wowza rep threatens
  to "reevaluate" my independent consultant status if this info disclosed
* 2013-04-27 Contacting Wowza rep with non-public preview of this post
  including the JWPlayer demo (last shot at responsible disclosure)
* 2013-04-28 Wowza rep responds with more indirect threats, info that this
  will be resolved sometime in the future and a plea "won't you please think
  of the users"
* 2013-04-30 Public release due to vendor's non-cooperation

M.
-- 
Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love
than to be a success at something you hate..." -- George Burns

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic