Executive Summary

CVE-2016-20033 is a local privilege escalation vulnerability in Wowza Streaming Engine version 4.5.0. It occurs because executable files, specifically nssm_x64.exe in the manager and engine service directories, have improper file permissions that grant full control to the Everyone group. This allows any authenticated user to replace these executables with malicious binaries.

When the affected services restart, the malicious executable runs with LocalSystem privileges, enabling the attacker to execute code with elevated rights. The vulnerability is further worsened by an unquoted service path issue, which can allow execution of unintended binaries placed in certain directories.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated local user to escalate their privileges to LocalSystem level by replacing legitimate executables with malicious ones. This means an attacker with basic access can gain full control over the system, potentially leading to unauthorized code execution, system compromise, and complete takeover of the affected machine.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the file permissions of the executable files nssm_x64.exe located in the bin and manager\\bin directories of the Wowza Streaming Engine installation. Specifically, you should verify if these files have full control permissions granted to the Everyone group, which is insecure.'}, {'type': 'paragraph', 'content': 'Additionally, you can check for unquoted service paths for the Windows services WowzaStreamingEngine450 and WowzaStreamingEngineManager450, as this is part of the vulnerability.'}, {'type': 'list_item', 'content': 'Use the command `icacls` on Windows to check permissions, for example: `icacls "C:\\Path\\To\\Wowza\\bin\\nssm_x64.exe"` and `icacls "C:\\Path\\To\\Wowza\\manager\\bin\\nssm_x64.exe"`.'}, {'type': 'list_item', 'content': 'Use the command `sc qc WowzaStreamingEngine450` and `sc qc WowzaStreamingEngineManager450` to query the service configuration and check if the binary path is unquoted.'}, {'type': 'paragraph', 'content': 'If the permissions show full control for Everyone or the service paths are unquoted, the system is vulnerable.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include correcting the file permissions on the affected executable files to remove full control from the Everyone group and restrict access to only necessary system accounts.'}, {'type': 'paragraph', 'content': 'Additionally, you should fix the unquoted service path vulnerability by ensuring that the service executable paths are properly quoted in the Windows service configuration.'}, {'type': 'list_item', 'content': 'Use the `icacls` command to remove or restrict permissions, for example: `icacls "C:\\Path\\To\\Wowza\\bin\\nssm_x64.exe" /remove:g Everyone` or set more restrictive permissions.'}, {'type': 'list_item', 'content': 'Use the `sc` command or registry editor to update the service binary path to include quotes, for example: `sc config WowzaStreamingEngine450 binPath= "\\"C:\\Path\\To\\Wowza\\bin\\nssm_x64.exe\\""`.'}, {'type': 'paragraph', 'content': 'Restart the affected services after applying these changes to ensure the fixes take effect.'}] [1, 2, 3]

Useful 0 Not Useful 0