[24547] in bugtraq
Re: RealPlayer bug
daemon@ATHENA.MIT.EDU (obscure)
Tue Mar 5 16:53:15 2002
Message-ID: <004501c1c3ca$17a676c0$209838d4@obs1>
From: "obscure" <obscure@eyeonsecurity.net>
To: "Michiel Heijkoop" <myself@mhil.net>, <bugtraq@securityfocus.com>
Date: Mon, 4 Mar 2002 23:15:25 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Granted that it listens to localhost only, it could still be a huge problem
depending on the configuration of the server. For example the server could
running a proxy and at the same time have realplayer on.
Therefore an attacker would connect to the Proxy and bounce from there to
http://127.0.0.1:1275/template.html?src=file://C:/boot.ini
I do not run realplayer at the moment so this is all hypothetical.
------------------------------------
Obscure - http://eyeonsecurity.net
------------------------------------
----- Original Message -----
From: "Michiel Heijkoop" <myself@mhil.net>
To: <bugtraq@securityfocus.com>
Sent: Sunday, March 03, 2002 10:17 PM
Subject: Re: RealPlayer bug
> Hey,
>
> On Sat, Mar 02, 2002 at 09:16:53PM +0300, §ome1 wrote:
> > http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram
> > from now realplay.exe will listen on port 1275 TCP
> As the URL indicates, it's well possible that the webserver only listens
to 127.0.0.1, which wouldn't make it a large security risk, unless its ran
on an NT-machine under an admin-account and accessed by a regular user,
which could then have read-access to files, he/she shouldn't have it to.
Perhaps someone with Realplayer installed can check wether this miniserver
is binding to all interfaces, or just the loopback?
>
