← Advisories

Wowza Streaming Engine 4.5.0 Local Privilege Escalation

Medium
Advisory ID
ZSL-2016-5339
Release Date
19 July 2016
Vendor
Wowza Media Systems, LLC. - https://www.wowza.com
Affected Version
Wowza Streaming Engine 4.5.0 (build 18676), Wowza Streaming Engine Manager 4.5.0 (build 18676)
CVE
CVE-2016-20033
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Java Version: 1.8.0_77, Java VM Version: 25.77-b03, Java Architecture: 64
Summary

Wowza Streaming Engine is robust, customizable, and scalable server software that powers reliable video and audio streaming to any device. Learn the benefits of using Wowza Streaming Engine to deliver high-quality live and on-demand video content to any device.

Description

Wowza Streaming Engine suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group. In combination with insecure file permissions the application suffers from an unquoted search path issue impacting the services 'WowzaStreamingEngine450' and 'WowzaStreamingEngineManager450' for Windows deployed as part of Wowza Streaming software.

Proof of Concept
wowza_lprivs.txtTXT
Disclosure Timeline
03.07.2016Vulnerability discovered.
09.07.2016Contact with the vendor.
18.07.2016No response from the vendor.
19.07.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/40132/
[2]https://packetstormsecurity.com/files/137971
[3]https://cxsecurity.com/issue/WLB-2016070155
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/115122
[5]https://www.cve.org/CVERecord?id=CVE-2016-20033
Changelog
19.07.2016Initial release
22.07.2016Added reference [1], [2] and [3]
26.07.2016Added reference [4]
24.03.2026Added reference [5]