Bugtraq mailing list archives

RealNetworks RealServer G2 buffer overflow.


From: dspyrit () BEAVUH ORG (dark spyrit)
Date: Fri, 5 Nov 1999 03:23:22 +1300


As everyone seems to have the giving spirit at present, here's a little
something from the beavuh crew.

A buffer overflow exists in the web authentication on the
RealServer administrator port. By sending a long user/password pair you
can overflow the buffer and execute arbitrary code.

e.g. -

GET /admin/index.html HTTP/1.0
Connection: Keep-Alive
....
Authorization: Basic <long base64 encoded user/password>

As basic authorization is base64 encoded, this made coding an exploit
extremely annoying - but, of course, could be done.

Example code has been written for the latest (at present) freely available
NT version of RealServer G2 and is available at http://www.beavuh.org.
The exploit will spawn a command prompt on port 6968 and has been tested
extensively.

This was tested with a default installation - if RealServer is
installed in a different directory than the default, the buffer will need
to be adjusted accordingly.
The administrator port is randomly selected at installation, but as you'll
only be testing on your own networks this shouldn't matter :)

We have only checked the NT version of this software for the
vulnerability, and it is unknown whether versions on other platforms are
affected.

Vendors really need to take buffer overflows on the NT platform more
seriously; the fact that you can hide behind a closed-source environment
doesn't make you any more safe.
Take a look at our articles on our website to demonstrate this fact.

dark spyrit
http://www.beavuh.org - bend over and pray.
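The check a defender would want for the oversized `Authorization: Basic` header this post describes, as an added example that is not part of the original post and not RealNetworks' or beavuh's code: decode the Basic credential from a raw HTTP request and flag it when the decoded `user:password` pair is longer than a configured ceiling, is not valid base64, or lacks the `:` separator. The ceiling (`MAX_CREDENTIAL_LEN`), the helper names and the sample requests are all assumptions constructed for this example; the only values taken from the post are the `/admin/index.html` request line and the header layout.

```python
import base64
import binascii

# Assumed ceiling on the decoded "user:password" length; tune it for your own
# admin interface. This value is an example choice, not a RealServer figure.
MAX_CREDENTIAL_LEN = 128


def parse_headers(raw_request: str) -> dict:
    """Map lowercase header names to values for one raw HTTP request."""
    headers = {}
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_basic_auth(raw_request: str, max_len: int = MAX_CREDENTIAL_LEN) -> dict:
    """Decode the Basic credential (if any) and flag oversized or malformed ones."""
    auth = parse_headers(raw_request).get("authorization", "")
    if not auth.lower().startswith("basic "):
        return {"has_basic": False, "decoded_len": 0, "suspicious": False,
                "reason": "no Basic credential"}
    token = auth[len("basic "):].strip()
    try:
        # validate=True rejects non-alphabet characters and bad padding
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"has_basic": True, "decoded_len": 0, "suspicious": True,
                "reason": "credential is not valid base64"}
    if len(decoded) > max_len:
        return {"has_basic": True, "decoded_len": len(decoded), "suspicious": True,
                "reason": f"decoded credential is {len(decoded)} bytes (limit {max_len})"}
    if b":" not in decoded:
        return {"has_basic": True, "decoded_len": len(decoded), "suspicious": True,
                "reason": "decoded credential has no user:password separator"}
    return {"has_basic": True, "decoded_len": len(decoded), "suspicious": False,
            "reason": "ok"}


def flag_suspicious(requests):
    """Return the indices of requests whose Basic credential looks suspicious."""
    return [i for i, r in enumerate(requests) if inspect_basic_auth(r)["suspicious"]]


def make_request(credential: bytes) -> str:
    """Build a constructed admin request carrying the given Basic credential."""
    token = base64.b64encode(credential).decode("ascii")
    return ("GET /admin/index.html HTTP/1.0\r\n"
            "Connection: Keep-Alive\r\n"
            f"Authorization: Basic {token}\r\n"
            "\r\n")


# Constructed sample traffic: one ordinary login and one oversized credential
# of the general shape the post describes (nothing here is a working payload).
SAMPLE_REQUESTS = [
    make_request(b"admin:secret"),
    make_request(b"admin:" + b"A" * 294),
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, inspect_basic_auth(req))
    print("suspicious:", flag_suspicious(SAMPLE_REQUESTS))
```

The length check is applied to the decoded bytes rather than to the header text, because the base64 wrapper makes the raw header about a third longer than the credential the server actually copies into its buffer; a rule on the encoded length would need a different threshold and would miss the malformed-base64 case entirely.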