[10559] in bugtraq
Re: Real Media Server stores passwords in plain text
daemon@ATHENA.MIT.EDU (@cm3_1aM3r)
Fri May 14 13:59:48 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.05.9905140636420.18964-100000@francine.edoropolis.org>
Date: Fri, 14 May 1999 07:03:08 +0000
Reply-To: "@cm3_1aM3r" <bugtraq@EDOROPOLIS.ORG>
From: "@cm3_1aM3r" <bugtraq@EDOROPOLIS.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.05.9904141044090.1804-100000@alexander.sire.es>
On Wed, 14 Apr 1999, Francisco M. Marzoa Alonso wrote:
> My real media server information:
>
> fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
> Creating Server Space...
> Starting RealServer 6.0 Core...
> RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
> Version: 6.0.3.353
> Platform: linux2
>
> The fact is that during the installation process it asks for a password that
> isn't hidden when you type it either, but worse is that this password is
> stored in the file /usr/local/rmserver/rmserver.cfg in plain format and
> this file has a 644 permission mask by default.
>
I downloaded the RealServer too, and noticed Real's kind of "open"
philosophy. I ran a search through the bugtraq archives and the post I'm
replying to came up in the search. It seems that exactly one month after
Real was warned by Francisco M. Marzoa Alonso, nothing at all has
happened. Like Francisco said, the rmserver.cfg is world-readable, and the
subdirectory dbm_b_db and (worst of all, as Adam Laurie already stated)
the dbm_b_db/users directory with user & passwd info are world-readable to
anyone with shell access to the machine running rmserver. There is also a
directory named "Secure", where -and I quote- you can "place secure
contents in" so "RealServer will authenticate the user" :(
So shell access to an rmserver = rmserver admin rights. (^.^)'
I re-reported this to Real. No response yet. Maybe if we all make a lot of
fuss about it they'll get tired of mail and change their cracker-friendly
ways...
-- the @cm3_1aM3r
(please don't think I'm some sort of script kiddo or something like that.
I like to pun at that scene by choosing such an utterly stupid name ;)
"People who generalize things are stupid!"
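The world-readable credential files this thread describes, as an added shell example that is not part of the original posts or of RealNetworks' software: it audits the paths named in the thread (rmserver.cfg, dbm_b_db, dbm_b_db/users) under an install prefix for the "other" read bit and tightens them to owner-only access. The prefix argument, the sample tree and the placeholder config contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the RealServer 6.0 layout
# the post describes for world-readable credential files and tighten the modes.
# The install prefix ($1) and the sample tree are assumptions (constructed).

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when the "other" read bit (value 4) is set in the mode.
world_readable() {
    m=$(mode_of "$1")
    o=${m#"${m%?}"}          # last octal digit = permissions for "other"
    [ $(( o & 4 )) -ne 0 ]
}

# Print each world-readable path the thread names; exit 1 if any is found.
audit_rmserver() {
    found=0
    for rel in rmserver.cfg dbm_b_db dbm_b_db/users; do
        p="$1/$rel"
        [ -e "$p" ] || continue
        if world_readable "$p"; then
            echo "WORLD-READABLE $(mode_of "$p") $p"
            found=1
        fi
    done
    return $found
}

# Remediation: owner-only access to the config and the credential store.
harden_rmserver() {
    chmod 600 "$1/rmserver.cfg"
    chmod 700 "$1/dbm_b_db" "$1/dbm_b_db/users"
}

# Constructed sample tree mirroring the default 644/755 modes reported.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/dbm_b_db/users"
    printf 'password: PLACEHOLDER\n' > "$d/rmserver.cfg"   # constructed, not real syntax
    chmod 644 "$d/rmserver.cfg"
    chmod 755 "$d/dbm_b_db" "$d/dbm_b_db/users"
    echo "$d"
}

# Usage: sh audit.sh /usr/local/rserver
if [ $# -gt 0 ]; then audit_rmserver "$1"; fi
```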