The Tales of N4nj0

Wowza Streaming Engine - Multiple Vulnerabilities

TL;DR

I have found two security issues in Wowza Streaming Engine <= 4.8.11+5:

1 - Cross-Site Request Forgery (CSRF) - CWE-352: A remote attacker is able to delete a user account via the userName parameter of /enginemanager/server/user/delete.htm. The application does not implement a CSRF token for this GET request.
2 - Uncontrolled Resource Consumption - CWE-400: A remote attacker is able to exhaust filesystem resources via the vhost parameter of /enginemanager/server/vhost/historical.jsdata. A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management.

Product Information

Wowza Streaming Engine (also known as Wowza Media Server) is unified streaming media server software developed by Wowza Media Systems, based in Colorado, in the United States of America. It is used by many US government entities such as NASA, the US Air Force, Boeing and the New York Police Department, as well as many other clients around the world.

Vulnerability Details

1 - Cross-Site Request Forgery (CSRF) - CWE-352

  • Summary: A remote attacker is able to delete a user without the victim's knowledge by enticing an authenticated admin user to visit an attacker-controlled web page. The application does not implement a CSRF token for the GET request. An attacker can craft an HTML page with a forged request to the /enginemanager/server/user/delete.htm URL and send it to the victim.
  • Prerequisites: None.
  • CVE and CVSS Score: CVE-2021-35491 | 8.1 (High)

Step-by-step instructions and PoC

When an authenticated administrator visits a crafted HTML page containing a forged request, a user is deleted on Wowza Streaming Engine on the administrator's behalf.

Affected Endpoints

Below is the evidence, with the vulnerability details and the payloads used.

First, create a new user from Server -> Users -> Add User.

CSRF - User creation

Then copy the following HTML to a file served from another machine, in this case a local Kali Linux box, at /var/www/html/csrf-delete-user.html:

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://wse.local:8088/enginemanager/server/user/delete.htm">
      <input type="hidden" name="userName" value="pippo" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Enable the local web server on the attacker machine:

sudo /etc/init.d/apache2 start

From a browser session authenticated to Wowza Streaming Engine with administrative privileges, open a new tab and browse to http://127.0.0.1/csrf-delete-user.html.

CSRF - PoC HTML page

Select Submit request to make the administrator's browser send the delete request.
The request is sent to the web application and the user is deleted:

CSRF - User deleted

It was also found that the wowzaSecurityToken HTTP parameter is not present in this GET request; the application accepts and processes the request every time.
This is not the case for user creation, where that parameter is present and correctly validated.

Security Impact

By exploiting this issue, a remote attacker is able to delete every user on Wowza Streaming Engine on behalf of a regular platform administrator.

2 - Uncontrolled Resource Consumption - CWE-400

  • Summary: An authenticated user who views Virtual Host Monitoring historical data is able to forge an HTTP request for a non-existent virtual host. Each time a new virtual host is requested, a 280 KB file is created on the filesystem. By requesting random virtual host names, a malicious user is able to exhaust filesystem resources, resulting in a denial of service (DoS) condition on the affected application.
  • Prerequisites: A valid user session with privileges to view Virtual Host Monitoring in the Wowza Streaming Engine web interface.
  • CVE and CVSS Score: CVE-2021-35492 | 6.5 (Medium)

Step-by-step instructions and PoC

A remote user authenticated to the Wowza Streaming Engine web interface could, through the Virtual Host Monitoring section, exhaust filesystem resources, resulting in a denial of service (DoS) condition on the affected application. The vulnerability is due to insufficient management of available filesystem resources. An attacker could exploit it by requesting historical data for random virtual hosts until the available filesystem space is exhausted. A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management. Manual intervention is required to free filesystem resources and return the application to an operational state.

Affected Endpoints

Below is the evidence, with the vulnerability details and the payloads used.

To exploit the vulnerability, intercept the browser session with a proxy such as Burp Suite.
Then go to the Virtual Host Monitoring section:

DoS - Virtual Host Monitoring - Web Interface

An HTTP request is performed automatically to view the historical data of the default virtual host.
The request in Burp Suite looks like the next screenshot.

DoS - Regular HTTP request

Every time virtual host monitoring data is requested, a file is created or appended to on the filesystem.
By default, this is the starting condition of the folder /usr/local/WowzaStreamingEngine-4.8.11+5/stats/:

DoS - Filesystem on normal condition

The attack can be performed with Burp Repeater, reusing the request captured by the proxy and changing only the vhost parameter value. The response is HTTP 200 OK:

DoS - New virtual host HTTP request

Alternatively, the same can be achieved with the following payload:

GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_pippo_&periodStart=2021-06-03T13%3A47%3A44%2B02%3A00&periodEnd=2021-06-03T14%3A47%3A44%2B02%3A00&_=1622724285834 HTTP/1.1
Host: wse.local:8088
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://wse.local:8088/enginemanager/Home.htm
Cookie: JSESSIONID=E1EC2C1050D74EB0E4DA9474789E8F5E; lastMangerHost=http%3A//127.0.0.1%3A8087; showRightRail=true; DoNotShowFTU=false; lastTab=Basic

On the filesystem side, a new 280 KB file is created, as depicted in the following screenshot:

DoS - New virtual host file on the filesystem

To exploit this condition at scale, multiple requests with different vhost values have to be sent.
To send those requests reliably, the browser session has to be kept alive.
Session timeout can be prevented by installing a browser plugin such as Tab Reloader and configuring it to refresh the tab every minute, as in the following example:

DoS - Session timeout prevention - Tab Reloader

Then a custom script can randomize the vhost parameter so that a new value is sent every time.
I have released a Denial of Service tool on my GitHub repo.

./dos-exploit-wse.py

When the tool is executed, it is possible to exhaust the filesystem by creating 5.5 GB of files every 30 minutes.
The effect is summarized in the following screenshot, which shows the many files created on the filesystem and the growth of the stats directory after 30 minutes of tool execution:

DoS - DoS exploit effect

Security Impact

An attacker could exploit this vulnerability to exhaust available filesystem resources. A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management. Manual intervention is required to free filesystem resources and return the device to an operational state.
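As an added example (not part of the original post or of Wowza's own code), the following Python script shows how a defender could triage web access logs for both issues described above: user deletions on delete.htm whose Referer does not come from the application's own origin, and sessions that fan out across many distinct vhost values on historical.jsdata. The log line layout, the session identifiers and the sample lines are constructed for this example, not real Wowza logs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (not real Wowza logs); the layout
# client session "METHOD target HTTP/1.1" status "referer"
# is an assumption made for this example.
SAMPLE_LOG = """\
10.0.0.5 AAA "GET /enginemanager/server/user/delete.htm?userName=bob HTTP/1.1" 200 "http://wse.local:8088/enginemanager/Home.htm"
10.0.0.5 AAA "GET /enginemanager/server/user/delete.htm?userName=pippo HTTP/1.1" 200 "http://127.0.0.1/csrf-delete-user.html"
10.0.0.9 BBB "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_ HTTP/1.1" 200 "http://wse.local:8088/enginemanager/Home.htm"
10.0.0.9 BBB "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x1 HTTP/1.1" 200 "http://wse.local:8088/enginemanager/Home.htm"
10.0.0.9 BBB "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_x2 HTTP/1.1" 200 "http://wse.local:8088/enginemanager/Home.htm"
10.0.0.7 CCC "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_ HTTP/1.1" 200 "http://wse.local:8088/enginemanager/Home.htm"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<sid>\S+) "(?P<method>\S+) (?P<target>\S+) '
                     r'\S+" (?P<status>\d+) "(?P<referer>[^"]*)"$')
DELETE_PATH = "/enginemanager/server/user/delete.htm"
HISTORICAL_PATH = "/enginemanager/server/vhost/historical.jsdata"

def parse_log(text):
    """Split each line into fields, with the URL path and query pre-parsed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        e = m.groupdict()
        url = urlparse(e["target"])
        e["path"], e["query"] = url.path, parse_qs(url.query)
        entries.append(e)
    return entries

def csrf_candidates(entries, app_host="wse.local:8088"):
    """User deletions whose Referer is absent or not from the app's own origin."""
    hits = []
    for e in entries:
        if e["path"] == DELETE_PATH and urlparse(e["referer"]).netloc != app_host:
            hits.append((e["sid"], e["query"].get("userName", [""])[0], e["referer"]))
    return hits

def vhost_fanout(entries, threshold=2):
    """Sessions that asked for more than `threshold` distinct vhost values."""
    seen = defaultdict(set)
    for e in entries:
        if e["path"] == HISTORICAL_PATH:
            seen[e["sid"]].add(e["query"].get("vhost", [""])[0])
    return {sid: sorted(v) for sid, v in seen.items() if len(v) > threshold}
```

A missing Referer also counts as a CSRF hit, so browsers with a strict referrer policy will produce some benign matches; the output is meant for triage, and the real fix remains the token check the vendor added for this endpoint.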

Timeline

  • 08/06/2020: First disclosure to Wowza via info@wowza.com.
  • 20/07/2020: Wowza Streaming Engine™ 4.8.14+9 build 20210719152831 is released. See the Release Notes.
  • 05/10/2021: CVEs published on MITRE.
  • 08/10/2021: NVD scored CVE-2021-35491 as 8.1 (High), CVE-2021-35492 as 6.5 (Medium).