Back to list
WowzaMediaServer SecureToken bypass (and worse)
Apr 30 2013 08:38AM
Michal J. (wejn box cz)
Product: Wowza Media Server
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server
By default all installations of WMS use four modules in their
application's config file: base, properties, logging, flvplayback.
I've found out that the `properties` module allows unauthenticated
attacker to get/set various properties (Client, MediaStream,
ApplicationInstance, and Application).
Since ApplicationInstance properties are commonly used to store sensitive
data (for instance `secureTokenSharedSecret` property used to secure
origin-edge and/or client-origin RTMP connections, backend credentials,
etc) this poses non-trivial risk.
Fetching the abovementioned `secureTokenSharedSecret` property from
the streaming server allows attacker to easily employ rtmpdump (and
the like) to dump VOD files and/or in extreme cases re-stream directly
As a demo I've implemented straightforward patch to JWPlayer (popular
Flash player) that bypasses SecureToken protection on the fly. This
demo is available in a long-winded blog post at my company's website:
As for the `logging` module, this can be used to fill logfile with
nonsensical log entries (and worse).
Disable both `properties` and `logging` modules unless you absolutely
need them (99% of the people running WMS probably don't) or wait for
* 2013-04-06 Wowza Media Services contacted about this issue
* 2013-04-08 Wowza rep states that this is a non-issue and accuses me of
* 2013-04-19 After subsequent rounds of communication, Wowza rep threatens
to "reevaluate" my independent consultant status if this info disclosed
* 2013-04-27 Contacting Wowza rep with non-public preview of this post
including the JWPlayer demo (last shot at responsible disclosure)
* 2013-04-28 Wowza rep responds with more indirect threats, info that this
will be resolved sometime in the future and a plea "won't you please think
of the users"
* 2013-04-30 Public release due to vendor's non-cooperation
Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love
than to be a success at something you hate..." -- George Burns
[ reply ]
Copyright 2010, SecurityFocus