
nanoStream app manages to get past publishing security check #282

Open
andryan opened this issue Oct 2, 2019 · 3 comments

Comments

andryan commented Oct 2, 2019

I have managed to modify securityPlugin from the red5-plugins collection to filter broadcasters based on IP address. However, when I tested publishing using nanoStream's publishing app on iOS, I managed to get past the security check despite the logs showing it should have failed/been rejected by the server. This does not seem to happen with other RTMP publishing tools I tested.

Environment

- Operating system and version: Ubuntu Linux 16.04 LTS
- Java version: openjdk version "11.0.4" 2019-07-16 LTS
  OpenJDK Runtime Environment 18.9 (build 11.0.4+11-LTS)
  OpenJDK 64-Bit Server VM 18.9 (build 11.0.4+11-LTS, mixed mode, sharing)
- Red5 version: 1.2.2

Expected behavior

It should reject the publishers without any exception thrown in the logs.

Actual behavior

nanoStream manages to publish on Red5 server despite being prohibited. Affects latest Red5 Pro too.

Steps to reproduce

  1. Start Red5 with the modified securityPlugin
  2. Add 127.0.0.1 to the list of allowed publisher IPs
  3. Stream from another IP using the nanoStream RTMP publisher
  4. The RTMP URL is now live (EDIT: correction) Red5 accepts the connection from a denied publisher and continues to receive stream data, although the stream URL remains inaccessible to subscribers

Logs

https://pastebin.com/Ey2QguXw

andryan (Author) commented Oct 2, 2019

https://pastebin.com/a2KxRLWE

These are the changes I made to /securityplugin/src/main/java/org/red5/server/plugin/security/PublishSecurityHandler.java

andryan (Author) commented May 17, 2020

An additional note on something I managed to figure out today.

When the IP is allowed to publish (listed in the allowedIP.txt file):

[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:2
2020-05-18 00:55:53,073 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:2
[INFO] [NioProcessor-5] org.red5.server.plugin.security.PublishSecurityHandler - Allowed publisher IP 182.253.250.213
2020-05-18 00:55:53,175 [NioProcessor-5] INFO o.r.s.p.s.PublishSecurityHandler - Allowed publisher IP 182.253.250.213
[INFO] [NioProcessor-5] com.red5pro.override.ProStream - Start
2020-05-18 00:55:53,176 [NioProcessor-5] INFO com.red5pro.override.ProStream - Start
[INFO] [NioProcessor-5] com.red5pro.override.ProStream - Inspection active true
2020-05-18 00:55:53,176 [NioProcessor-5] INFO com.red5pro.override.ProStream - Inspection active true
[INFO] [pool-22-thread-1] com.red5pro.override.ProStream - Notify process listeners
2020-05-18 00:55:53,177 [pool-22-thread-1] INFO com.red5pro.override.ProStream - Notify process listeners
[INFO] [pool-22-thread-1] com.red5pro.override.ProStream - Create Processor clazz:null
2020-05-18 00:55:53,177 [pool-22-thread-1] INFO com.red5pro.override.ProStream - Create Processor clazz:null
[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - Stream Publish Start
2020-05-18 00:55:53,178 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - Stream Publish Start
[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - W3C x-category:stream x-event:publish c-ip:182.253.250.213 x-sname:a5f55066-56b5-44ec-9cd6-ac3733993992 x-name:testrtmp
2020-05-18 00:55:53,178 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:stream x-event:publish c-ip:182.253.250.213 x-sname:a5f55066-56b5-44ec-9cd6-ac3733993992 x-name:testrtmp
[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - Stream Broadcast Start
2020-05-18 00:55:53,179 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - Stream Broadcast Start
[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - adding key LiveApp/testrtmp
2020-05-18 00:55:53,179 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - adding key LiveApp/testrtmp
[INFO] [Connection Checker] com.red5pro.server.stream.Red5ProConnManager - Pro connections; Total count: 1, WebRTC ports allocated: 0, edge-proxy: 0, re-streamers: 0, sm-pulses:0
2020-05-18 00:55:54,577 [Connection Checker] INFO c.r.s.stream.Red5ProConnManager - Pro connections; Total count: 1, WebRTC ports allocated: 0, edge-proxy: 0, re-streamers: 0, sm-pulses:0
[INFO] [NioProcessor-5] com.red5pro.override.ProStream - close: testrtmp
2020-05-18 00:55:59,784 [NioProcessor-5] INFO com.red5pro.override.ProStream - close: testrtmp
[INFO] [NioProcessor-5] com.red5pro.override.ProStream - Notify process listeners
2020-05-18 00:55:59,784 [NioProcessor-5] INFO com.red5pro.override.ProStream - Notify process listeners
[INFO] [NioProcessor-5] com.red5pro.override.ProStream - notifyTerminationListeners
2020-05-18 00:55:59,784 [NioProcessor-5] INFO com.red5pro.override.ProStream - notifyTerminationListeners
[INFO] [NioProcessor-5] com.red5pro.override.ProStream - Executor tasks remaining: 1
2020-05-18 00:56:01,785 [NioProcessor-5] INFO com.red5pro.override.ProStream - Executor tasks remaining: 1
[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:2
2020-05-18 00:56:01,891 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:2
[INFO] [NioProcessor-5] com.red5pro.server.stream.Red5ProConnManager - Remove GZF8MHAADNM6R
2020-05-18 00:56:01,892 [NioProcessor-5] INFO c.r.s.stream.Red5ProConnManager - Remove GZF8MHAADNM6R

When the IP is denied:
[INFO] [NioProcessor-3] com.infrared5.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:1
2020-05-18 00:39:27,979 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:1
[INFO] [NioProcessor-3] org.red5.server.plugin.security.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,080 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
[INFO] [NioProcessor-3] org.red5.server.plugin.security.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,141 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
[INFO] [NioProcessor-3] org.red5.server.plugin.security.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,201 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
[INFO] [NioProcessor-3] org.red5.server.plugin.security.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,239 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
[INFO] [NioProcessor-3] org.red5.server.plugin.security.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,309 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
[INFO] [NioProcessor-3] com.infrared5.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:1
2020-05-18 00:39:41,406 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:1
[INFO] [NioProcessor-3] com.red5pro.server.stream.Red5ProConnManager - Remove LSMCZPOQSLYMB
2020-05-18 00:39:41,407 [NioProcessor-3] INFO c.r.s.stream.Red5ProConnManager - Remove LSMCZPOQSLYMB

So it looks like, if the IP is denied by PublishSecurityHandler, the stream from this offending publisher is never (properly) registered for subscribers to subscribe to, although the stream data is still being accepted by Red5. This bug could still be used to DoS the service, as the RTMP service still listens to and accepts the denied publishers' stream data.
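As an added example (not code from the issue, the pastebin, or the red5-plugins project), here is a log check that turns the observation above into a detection rule: a session whose IP PublishSecurityHandler denied should disconnect promptly, so a session that stays open well past its first denial indicates the check was logged but not enforced. It assumes the timestamped log format quoted in this comment and builds its sample from the two sessions shown (client-id 1 denied, client-id 2 allowed).

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the two sessions quoted in the comment above.
SAMPLE_LOG = """\
2020-05-18 00:39:27,979 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:1
2020-05-18 00:39:28,080 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,141 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:28,201 [NioProcessor-3] INFO o.r.s.p.s.PublishSecurityHandler - Denied publisher IP 182.253.250.213
2020-05-18 00:39:41,406 [NioProcessor-3] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:1
2020-05-18 00:55:53,073 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:2
2020-05-18 00:55:53,175 [NioProcessor-5] INFO o.r.s.p.s.PublishSecurityHandler - Allowed publisher IP 182.253.250.213
2020-05-18 00:56:01,891 [NioProcessor-5] INFO c.i.red5pro.live.Red5ProLive - W3C x-category:session x-event:disconnect c-ip:182.253.250.213 c-client-id:2
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[\S+\] \w+ \S+ - (.*)$")
SESSION_RE = re.compile(r"x-event:(connect|disconnect) c-ip:(\S+) c-client-id:(\d+)")
DENY_RE = re.compile(r"Denied publisher IP (\S+)")

def find_unenforced_denials(log_text, grace_seconds=2.0):
    """Return one finding per session that PublishSecurityHandler denied but
    whose connection stayed open more than grace_seconds after the first denial.
    Assumption: the 'Denied' line carries only the IP, so a denial is attached
    to that IP's currently open session (one publisher per IP at a time)."""
    open_sessions = {}  # client IP -> session being tracked
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2)
        if s := SESSION_RE.search(msg):
            event, ip, cid = s.groups()
            if event == "connect":
                open_sessions[ip] = {"ip": ip, "client_id": int(cid),
                                     "denials": 0, "first_denial": None}
            else:
                sess = open_sessions.pop(ip, None)
                if sess and sess["first_denial"] is not None:
                    held = (ts - sess["first_denial"]).total_seconds()
                    if held > grace_seconds:  # denied, yet the socket lived on
                        sess["seconds_open_after_denial"] = round(held, 3)
                        findings.append(sess)
        elif d := DENY_RE.search(msg):
            sess = open_sessions.get(d.group(1))
            if sess:
                sess["denials"] += 1
                sess["first_denial"] = sess["first_denial"] or ts
    return findings
```

On the sample this reports only client-id 1: three denials, then the connection held for about 13.3 seconds before the disconnect, while the allowed client-id 2 session produces no finding.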

mondain (Member) commented Aug 15, 2020

If you want to make a patch with a PR, I'd be glad to look it over for merging.
