Wowza streaming engine update

I have found two security issues on Wowza Streaming Engine.

Copy the following HTML to a file served on another machine, in this case a local Kali Linux, in the file: /var/start

From an authenticated browser session to Wowza Streaming Engine with administrative privileges, open a new tab and go to the page. Select Submit request, to force the administrator to delete the selected user. The request will be sent to the web application, and the user will be deleted:

It was also found that the wowzaSecurityToken HTTP parameter is not present in this GET request. In this case, the application accepts the request and processes it every time. This is not true in the case of user creation (Users -> Add User), where that parameter is present and correctly validated.

By exploiting this issue, a remote attacker is able to delete every user on Wowza Streaming Engine on behalf of a regular platform administrator.

2 - Uncontrolled Resource Consumption - CWE-400

  • Summary: An authenticated user that views Virtual Host Monitoring historical data is able to forge an HTTP request to view a non-existing virtual host. Each time a new virtual host is requested, a 280 KB file is created on the filesystem. By randomly choosing different virtual host names, a malicious attacker is able to exhaust filesystem resources, resulting in a denial of service (DoS) condition on the affected application.
  • Prerequisites: Valid user session with the privileges to view Virtual Host Monitoring on the Wowza Streaming Engine web interface.
  • CVE and CVSS Score: CVE-2021-35492 | 6.5 (Medium)

A remote user, authenticated to the Wowza Streaming Engine web interface, could exhaust filesystem resources through the Virtual Host Monitoring section, resulting in a denial of service (DoS) condition on an affected application. This vulnerability is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability by requesting random virtual host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. Manual intervention is required to free filesystem resources and return the application to an operational state.

Below are the evidences with the vulnerability details and the payloads used.

To exploit the vulnerability, intercept the browser session with a proxy like Burp Suite. Then, go to the Virtual Host Monitoring section:

An HTTP request will be automatically performed to view the historical data of the default virtual host. The request on Burp Suite will be like the next screenshot.

Every time virtual host monitoring data is requested, a new file is created or appended on the filesystem. By default, this is the starting condition on the folder /usr/local/WowzaStreamingEngine-4.8.11+5/stats/:

The attack can be performed using Burp Repeater, using the same request captured with the proxy, changing only the vhost parameter value. Alternatively, the same can be achieved with the following payload:

GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_pippo_&periodStart=T13%3A47%3A44%2B02%3A00&periodEnd=T14%3A47%3A44%2B02%3A00&_=1622724285834 HTTP/1.1

The response will be HTTP 200 OK:

On the filesystem side, a new file of 280 KB will be created, as depicted by the following screenshot:

To massively exploit this condition, multiple requests with different vhost values have to be sent. To send those requests reliably, the browser session has to be left active. Session timeout can be prevented by installing a browser plugin like Tab Reloader and configuring it to refresh the tab every 1 minute, like the following example:

Then it is possible to create a custom script to randomize the vhost parameter to a new value to be sent every time.