CVE-2016-20033 Overview
CVE-2016-20033 is a local privilege escalation vulnerability affecting Wowza Streaming Engine 4.5.0. The vulnerability exists due to improper file permissions that grant full access to the Everyone group, allowing authenticated users to replace executable files and escalate privileges to LocalSystem. Attackers can exploit this flaw by replacing the nssm_x64.exe binary in the manager and engine service directories with malicious executables, which then execute with elevated privileges when the services restart.
Critical Impact
Authenticated local users can achieve complete system compromise by escalating to LocalSystem privileges through executable replacement, potentially leading to full control over the affected streaming server.
Affected Products
- Wowza Streaming Engine 4.5.0
- Windows-based Wowza Streaming Engine installations with default file permissions
- Systems running Wowza Manager and Engine services
Discovery Timeline
- 2026-03-16 - CVE-2016-20033 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2016-20033
Vulnerability Analysis
This vulnerability stems from insecure file permissions configured during Wowza Streaming Engine installation. The installation process sets overly permissive access controls on service-related directories, granting the Everyone group full control over critical executable files. This permission misconfiguration violates the principle of least privilege and creates a direct path for privilege escalation.
The nssm_x64.exe (Non-Sucking Service Manager) binary is used by Wowza to manage Windows services. Because this executable runs with LocalSystem privileges when the service starts, replacing it with a malicious binary allows an attacker to execute arbitrary code with the highest system privileges. The attack requires only local authenticated access, making it exploitable by any user with a valid account on the system.
Root Cause
The root cause is CWE-639: Authorization Bypass Through User-Controlled Key, combined with insecure default file permissions. During installation, Wowza Streaming Engine sets directory permissions that grant the Everyone group full access to service binaries. This allows any authenticated user to modify or replace critical executables that run with elevated privileges.
Attack Vector
The attack is executed locally by an authenticated user. The attacker identifies the Wowza Streaming Engine service directories containing the nssm_x64.exe binary, typically located in the manager and engine service paths. Due to the permissive file permissions, the attacker can replace this legitimate binary with a malicious executable. When the Wowza services are restarted (either manually, through a system reboot, or by other means), the malicious binary executes with LocalSystem privileges, granting the attacker full control over the system.
The vulnerability requires local access and valid user credentials but does not require administrative privileges to exploit. This makes it particularly dangerous in shared hosting environments or systems where multiple users have access.
Detection Methods for CVE-2016-20033
Indicators of Compromise
- Unexpected modifications to nssm_x64.exe files in Wowza installation directories
- Changes to file hashes of service-related executables in Wowza Streaming Engine paths
- Unusual processes spawning from Wowza service directories with LocalSystem privileges
- Audit logs showing file replacement events on critical Wowza binaries
Detection Strategies
- Implement file integrity monitoring (FIM) on Wowza Streaming Engine installation directories, particularly targeting nssm_x64.exe
- Monitor Windows Security Event logs for Event ID 4663 (object access) on Wowza service directories
- Deploy endpoint detection rules to alert on executable modifications in service installation paths
- Configure SIEM correlation rules to detect privilege escalation patterns following file modifications
Monitoring Recommendations
- Enable Windows auditing for file system changes on Wowza installation directories
- Establish baseline hashes for all Wowza service executables and monitor for deviations
- Review service restart events in conjunction with recent file modifications to the service directories
- Monitor for new processes running as LocalSystem that originate from recently modified executables
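The following PowerShell audit is an added example, not code from the advisory or from Wowza. It combines the baseline-hash and permission checks listed above: for each nssm_x64.exe it reports any Allow entry that gives Everyone (or the similarly broad Authenticated Users / Users groups) write or delete rights on the file or its directory, compares the SHA-256 against a baseline, and emits the last-write time and signature status for correlation with service restarts. The install root is the 4.5.0 default quoted on this page, the engine-side path is assumed to be the `bin` directory that this page's icacls example hardens, and the baseline hash is a placeholder you fill from your own known-good copy.

```powershell
# Added audit script; not from the advisory or from Wowza. Paths follow the
# 4.5.0 default install location quoted on this page; the baseline hash is a
# placeholder to be filled from a verified known-good copy of nssm_x64.exe.
$WowzaRoot = 'C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0'
$Targets = @(
    (Join-Path $WowzaRoot 'manager\bin\windows\nssm_x64.exe'),  # manager service
    (Join-Path $WowzaRoot 'bin\nssm_x64.exe')                   # engine service (assumed)
)
$BaselineSha256 = '<KNOWN-GOOD-SHA256-FROM-YOUR-BASELINE>'   # placeholder

# Broad principals; Everyone (S-1-1-0) is the one this CVE concerns.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')  # Everyone, Authenticated Users, Users
# Any of these rights lets a user overwrite, delete or swap the binary.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-WowzaBinary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing: $Path"; return }

    # 1. ACL check on the file and on its directory (a writable directory is
    #    enough to rename the old binary and drop a new one in its place).
    foreach ($item in @($Path, (Split-Path $Path -Parent))) {
        foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($BroadSids -contains $sid -and (([int]$ace.FileSystemRights) -band $WriteMask) -ne 0) {
                Write-Warning ("Over-permissive ACL on {0}: {1} has {2} (inherited={3})" -f
                    $item, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
            }
        }
    }

    # 2. Integrity check against the recorded baseline hash.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $BaselineSha256) { Write-Warning "Hash mismatch on $Path : $hash" }

    # 3. Context for correlating with service-restart events in the SIEM.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $Path
        LastWriteTime = (Get-Item -LiteralPath $Path).LastWriteTime
        Sha256        = $hash
        Signature     = $sig.Status
    }
}

$Targets | ForEach-Object { Test-WowzaBinary -Path $_ }
```

Run it from an elevated prompt so Get-Acl can read every entry; a warning on either the binary or its parent directory means the condition described in this advisory is still present.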
How to Mitigate CVE-2016-20033
Immediate Actions Required
- Review and restrict file permissions on Wowza Streaming Engine installation directories to remove Everyone group access
- Set appropriate ACLs to limit write access to Administrators only for service-related executables
- Verify the integrity of nssm_x64.exe and other service binaries by comparing against known-good hashes
- Audit all systems running Wowza Streaming Engine 4.5.0 for signs of exploitation
Patch Information
Upgrade to a newer version of Wowza Streaming Engine that addresses this permission vulnerability. Review the VulnCheck Security Advisory and ZeroScience Vulnerability Report ZSL-2016-5339 for additional remediation guidance. Contact Wowza support for the latest security patches and recommended upgrade paths.
Workarounds
- Manually correct file permissions using icacls to remove Everyone group access from service directories
- Implement application whitelisting to prevent unauthorized executables from running
- Restrict local user access to the server running Wowza Streaming Engine
- Deploy endpoint protection solutions to detect and block malicious binary replacements
# Configuration example - Restrict permissions on Wowza service directories
# /T applies the change to the whole directory tree. An Everyone entry that is
# inherited from a parent folder is not removed this way, so inheritance is
# broken on the binaries themselves and only Administrators and SYSTEM re-granted.
icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\windows" /remove Everyone /T
icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin" /remove Everyone /T
icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\windows\nssm_x64.exe" /inheritance:r /grant:r Administrators:F /grant:r SYSTEM:F
icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe" /inheritance:r /grant:r Administrators:F /grant:r SYSTEM:F
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


