CVE-2021-35492 PoC — Wowza Media Systems Wowza Streaming Engine Resource Management Error Vulnerability

Associated Vulnerability
Title: Wowza Media Systems Wowza Streaming Engine Resource Management Error Vulnerability (CVE-2021-35492)
Description: Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the `vhost` parameter of /enginemanager/server/vhost/historical.jsdata. This is due to insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting historical data for random virtual-host names until available filesystem resources are exhausted. A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management. Manual intervention is required to free filesystem resources and return the application to an operational state.
Description
Denial of Service tool for Wowza Streaming Engine <= 4.8.11+5 - Uncontrolled Resource Consumption (CVE-2021-35492)
Readme
## Exploit Information

**Exploit Title:** Wowza Streaming Engine 4.8.11+5 - Denial of Service  
**CVE:** [CVE-2021-35492](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35492)  
**Date:** 2021-10-06  
**Exploit Author:** N4nj0  
**Software Link:** [https://www.wowza.com/products/streaming-engine](https://www.wowza.com/products/streaming-engine)  
**Version:** 4.8.11+5  
**Tested on:** Wowza Streaming Engine <= 4.8.11+5  
**Vulnerability Advisory:** [https://n4nj0.github.io/advisories/wowza-streaming-engine-i/](https://n4nj0.github.io/advisories/wowza-streaming-engine-i/)  

Wowza Streaming Engine (formerly known as Wowza Media Server) is a unified streaming media server developed by Wowza Media Systems, based in Colorado, United States of America, and used by US government entities such as NASA, the US Air Force, Boeing and the New York Police Department, as well as many other clients around the world.  
I found an uncontrolled resource consumption vulnerability that enables an authenticated remote attacker to exhaust filesystem resources via the `vhost` parameter of */enginemanager/server/vhost/historical.jsdata*. Every request for the historical data of a random, non-existent virtual host consumes filesystem space that the application never releases, so repeating the request until the disk is full causes database errors and makes the device unresponsive to web-based management. Manual intervention is required to free the filesystem and return the application to an operational state.
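Because the abuse pattern is an authenticated client hammering one endpoint with many distinct, non-configured `vhost` names, it is easy to spot in the Engine Manager access log. The detector below is an added example written for this page, not part of the original PoC repository: it parses combined-format access-log lines (the real Engine Manager log layout is an assumption; only the request field is needed), keeps the requests to `historical.jsdata` whose `vhost` value is not in the operator's list of configured virtual hosts, and flags any client that asks for more than a threshold of distinct unknown names inside a sliding time window. The sample log lines, client addresses and virtual-host names are constructed.

```python
"""Detect CVE-2021-35492-style abuse of historical.jsdata in an access log.

Added example for this page; not code from the PoC repository or from Wowza.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the CVE description.
TARGET_PATH = "/enginemanager/server/vhost/historical.jsdata"
TARGET_PARAM = "vhost"

# Constructed sample lines in Apache/Tomcat combined log format. The real
# Engine Manager log layout is an assumption; only the request field matters.
# 10.0.0.5 is a normal operator; 10.0.0.9 requests random vhost names.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:10:00:01 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Oct/2021:10:00:09 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Oct/2021:10:00:15 +0000] "GET /enginemanager/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Oct/2021:10:00:20 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=zq1x8m HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.9 - - [06/Oct/2021:10:00:20 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=p0k3ng HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.9 - - [06/Oct/2021:10:00:21 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=w7e2ra HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.9 - - [06/Oct/2021:10:00:21 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=b5l9cd HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.9 - - [06/Oct/2021:10:00:22 +0000] "GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_ HTTP/1.1" 200 512 "-" "python-requests/2.26"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, vhost} for a historical.jsdata request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    vhosts = parse_qs(url.query).get(TARGET_PARAM, [])
    if not vhosts:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "vhost": vhosts[0]}


def find_abusers(log_text, known_vhosts, window_s=60, max_unknown=3):
    """Map client IP -> sorted unknown vhost names for every client that requested
    more than max_unknown distinct, non-configured vhost names within window_s
    seconds. A legitimate operator only queries virtual hosts that exist."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["vhost"] not in known_vhosts:
            events[ev["ip"]].append((ev["ts"], ev["vhost"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            names = {v for _, v in evs[start:end + 1]}
            if len(names) > max_unknown:
                flagged[ip] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    # Constructed list of configured virtual hosts for the sample deployment.
    for ip, names in find_abusers(SAMPLE_LOG, {"_defaultVHost_"}).items():
        print(f"{ip}: {len(names)} unknown vhost names requested: {names}")
```

In production, feed the detector the real access log of the Engine Manager (port 8088 by default) and the set of virtual hosts configured on the server; tune `max_unknown` and `window_s` so that an operator clicking through the Virtual Host Monitoring page does not trigger it, and treat a hit as the moment to check free disk space, since the page notes that exhausted filesystem resources have to be reclaimed by hand.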

### Usage
The `-u`/`--url` value is the base URL of Wowza Streaming Engine Manager (port 8088 by default) and the `-s`/`--session` value is the session identifier of an authenticated Engine Manager login, which the script reuses for its requests:  
`./dos-exploit-wse.py -u http://wse.local:8088 -s CDA32846E8763F62293AAE42FA72C86B`  
`./dos-exploit-wse.py --url http://wse.local:8088 --session CDA32846E8763F62293AAE42FA72C86B`  
File Snapshot

```
[4.0K] /data/pocs/6929d5f7079abed411c80bec28a6fbe73b070df8
├── [3.6K] dos-exploit-wse.py
├── [1.0K] LICENSE.md
└── [1.4K] README.md

0 directories, 3 files
```