← Advisories

Wowza Streaming Engine 4.5.0 Remote Privilege Escalation Exploit

High
Advisory ID
ZSL-2016-5340
Release Date
19 July 2016
Vendor
Wowza Media Systems, LLC. - https://www.wowza.com
Affected Version
4.5.0 (build 18676)
CVE
CVE-2016-20034
Tested On
Winstone Servlet Engine v1.0.5, Servlet/2.5 (Winstone/1.0.5)
Summary

Wowza Streaming Engine is robust, customizable, and scalable server software that powers reliable video and audio streaming to any device. Learn the benefits of using Wowza Streaming Engine to deliver high-quality live and on-demand video content to any device.

Description

The application suffers from a privilege escalation issue. Normal user (read-only) can elevate his/her privileges by sending a POST request seting the parameter 'accessLevel' to 'admin' gaining admin rights and/or setting the parameter 'advUser' to 'true' and '_advUser' to 'on' gaining advanced admin rights.

Proof of Concept
wowza_rprivs.txtTXT
Disclosure Timeline
03.07.2016Vulnerability discovered.
09.07.2016Contact with the vendor.
18.07.2016No response from the vendor.
19.07.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/40133/
[2]https://packetstormsecurity.com/files/137972
[3]https://cxsecurity.com/issue/WLB-2016070156
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/115124
[5]https://www.cve.org/CVERecord?id=CVE-2016-20034
Changelog
19.07.2016Initial release
22.07.2016Added reference [1], [2] and [3]
26.07.2016Added reference [4]
24.03.2026Added reference [5]