Impact Analysis

This vulnerability can have serious impacts as it allows a user with only read-only access to gain full administrative control over the Wowza Streaming Engine server.

With administrative privileges, an attacker can modify configurations, access sensitive data, manage users, and potentially disrupt streaming services or compromise the integrity and availability of the system.

Such unauthorized access can lead to data breaches, service interruptions, and further exploitation of the system.

Useful 0 Not Useful 0

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2016-20034 is a remote privilege escalation vulnerability in Wowza Streaming Engine version 4.5.0. It allows an authenticated user with read-only access to escalate their privileges to administrator by sending specially crafted POST requests to the user edit endpoint.'}, {'type': 'paragraph', 'content': "Specifically, by setting the POST parameter 'accessLevel' to 'admin' and the parameters 'advUser' to 'true' and '_advUser' to 'on', an attacker can gain administrative or advanced administrative rights, which are normally restricted to expert users."}, {'type': 'paragraph', 'content': 'This vulnerability exploits improper handling of POST parameters in the user management functionality, enabling unauthorized privilege escalation remotely.'}] [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests sent to the user edit endpoint of the Wowza Streaming Engine server, specifically requests that include the parameters `accessLevel` set to `admin` and `advUser` set to `true` and `_advUser` set to `on`.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze HTTP POST traffic targeting the `/enginemanager/server/user/edit.htm` endpoint and look for these specific parameter values that indicate an attempt to escalate privileges.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity could include using network traffic analysis tools like tcpdump or Wireshark with filters for POST requests to the user edit endpoint, or using web server logs to search for POST requests containing the suspicious parameters.'}, {'type': 'list_item', 'content': "Using tcpdump to capture POST requests to the user edit endpoint: tcpdump -A -s 0 'tcp port 8088 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /enginemanager/server/user/edit.htm'"}, {'type': 'list_item', 'content': "Using grep on web server logs to find suspicious POST parameters: grep -i 'accessLevel=admin' /path/to/wowza/logs/*"}, {'type': 'list_item', 'content': "Searching for advUser parameters in logs: grep -i 'advUser=true' /path/to/wowza/logs/*"}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Wowza Streaming Engine user edit endpoint to trusted administrators only and ensuring that read-only users cannot send crafted POST requests with privilege escalation parameters.

It is also recommended to apply any available patches or updates from Wowza that address this vulnerability.

If patches are not available, consider implementing network-level controls such as firewall rules to block unauthorized access to the management interface and monitoring for suspicious POST requests as described.

Additionally, review and tighten user permissions to ensure that users with read-only access cannot perform actions beyond their intended scope.

Useful 0 Not Useful 0