[15167] in bugtraq

Re: Remote DoS attack in Real Networks Real Server (Strike #2)

daemon@ATHENA.MIT.EDU (Christopher Schulte)
Fri Jun 2 16:32:29 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000602113134.A28890@schulte.org>
Date:         Fri, 2 Jun 2000 11:31:34 -0500
Reply-To: Christopher Schulte <christopher@SCHULTE.ORG>
From: Christopher Schulte <christopher@SCHULTE.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.3.1.0.20000602112530.00ae8750@pop.schulte.org>

This same DoS appears to work on the new realserver 8 BETA:

Platform sunos-5.7-sparc
Release RealServer 8
Build Version 6.1.3.1058

I'd be safe in guessing all other platforms are affected as well.

--
Christopher Schulte
http://www.schulte.org/

> >Remote DoS attack in Real Networks Real Server (Strike #2)
> >Vulnerability
> >
> >USSR Advisory Code:   USSR-2000043
> >
> >Release Date:
> >June 1, 2000
> >
> >Systems Affected:
> >Real Networks Real Server 7 Linuxc6
> >Real Networks Real Server 7 Solaris 2.6
> >Real Networks Real Server 7 Solaris 2.7
> >Real Networks Real Server 7 Solaris 2.8
> >Real Networks Real Server 7 Windows NT/2000
> >Real Networks Real Server 7 SGI Irix 6.2
> >Real Networks Real Server 7 SGI Irix 6.5
> >Real Networks Real Server 7 SCO Unixware 7.xx
> >Real Networks Real Server 7 FreeBSD 3.0
> >Real Networks Real Server 7.01 Linuxc6
> >Real Networks Real Server 7.01 Solaris 2.6
> >Real Networks Real Server 7.01 Solaris 2.7
> >Real Networks Real Server 7.01 Solaris 2.8
> >Real Networks Real Server 7.01 Windows NT/2000
> >Real Networks Real Server 7.01 SGI Irix 6.2
> >Real Networks Real Server 7.01 SGI Irix 6.5
> >Real Networks Real Server 7.01 SCO Unixware 7.xx
> >Real Networks Real Server 7.01 FreeBSD 3.0
> >Real Networks Real Server G2 1.0
> >
> >
> >THE PROBLEM
> >
> >The Ussr Labs team has recently discovered a memory problem in the
> >RealServer 7 Server (patched and non-patched).
> >
> >What happens is, by performing an attack sending specially-malformed
> >information to the RealServer HTTP Port (default is 8080), the process
> >containing the services will stop responding.
> >
> >The Exploit:
> >It will take down the RealServer causing it to stop all streaming
> >media broadcasts, making it non-functional, (until Reboot)
> >
> >Example:
> >With the RealServer server running on 'Port' (default being 8080) the
> >syntax to do the D.O.S. attack is:
> >
> >http://ServerIp:Port/viewsource/template.html?
> >
> >And Real Server will Stop Responding.
> >
> >SPECIAL NOTE: That we take no responsibility for this Example it is
> >for educational purposes only, Don't test against British Broadcasting
> >Corporation 1999 Radio
> >
> >Example 2:
> >Radio: British Broadcasting Corporation 1999 (default in RealPlayer
> >8)
> >
> >Radio Url:
> >http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732
> >F617564696F686967687761792F617564696F68696768776179325F3238
> >
> >RealServer http running on port 80
> >
> >RealServer http ip: 206.190.42.7
> >
> >Valid Url for Clip Source:
> >http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj
> >054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amngaAmkyf59v6zgjqC1t
> >6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh
> >
> >Malformed Url for Clip Source:
> >http://206.190.42.7/viewsource/template.html?
> >
> >
> >Vendor Status:
> >Yes! Informed! I sent them more than 4 emails and each time I
> >received JUNK mails in reply, my Incident ID number for this request
> >is 19163930.
> >
> >
> >Vendor   Url: http://www.real.com
> >Program  Url:
> >http://www.realnetworks.com/products/basicserverplus/index.html?src=ho
> >me
> >Download Url:
> >http://proforma.real.com/rn/servers/eval/index.html?src=home,srvpl_020
> >400,srvntra
> >
> >Related Links:
> >
> >Underground Security Systems Research
> >http://www.ussrback.com
> >
> >Greetings:
> >Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
> >Sub, prizm, b0f, Technotronic and Rfp.
> >
> >Copyright (c) 1999-2000 Underground Security Systems Research.
> >Permission is hereby granted for the redistribution of this alert
> >electronically. It is not to be edited in any way without express
> >consent of Ussr. If you wish to reprint the whole or any part of this
> >alert in any other medium excluding electronic medium, please e-mail
> >labs@ussrback.com for permission.
> >
> >Disclaimer:
> >The information within this paper may change without notice. Use of
> >this information constitutes acceptance for use in an AS IS
> >condition. There are NO warranties with regard to this information.
> >In no event shall the author be liable for any damages whatsoever
> >arising out of or in connection with the use or spread of this
> >information. Any use of this information is at the user's own risk.
> >
> >Feedback:
> >Please send suggestions, updates, and comments to:
> >
> >Underground Security Systems Research
> >mail:labs@ussrback.com
> >http://www.ussrback.com
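
Added example, not part of the original post or the quoted advisory: a log check for the request shape the advisory describes, a hit on /viewsource/template.html whose "?" is followed by no query data. It assumes Common Log Format style lines from a proxy or filter in front of RealServer; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Path named in the advisory; the malformed request ends in a bare "?".
VIEWSOURCE_PATH = "/viewsource/template.html"

# Assumption: CLF-style lines, source address first, request line in quotes.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"'
)

def is_empty_viewsource_request(target):
    """True when target is the view-source template with "?" and no query data."""
    before, sep, query = target.partition("?")
    # Accept origin-form ("/path") and absolute-form ("http://host/path") targets,
    # decode percent-escapes, and compare case-insensitively to be conservative.
    path = unquote(urlsplit(before).path).lower()
    return sep == "?" and path == VIEWSOURCE_PATH and query.split("#")[0] == ""

def find_hits(lines):
    """Return (source, target) for every log line matching the malformed request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_empty_viewsource_request(m.group("target")):
            hits.append((m.group("src"), m.group("target")))
    return hits

# Constructed sample log (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jun/2000:11:20:01 -0500] "GET /viewsource/template.html?nuyhtgs0pdz6 HTTP/1.0" - -',
    '198.51.100.9 - - [02/Jun/2000:11:21:44 -0500] "GET /viewsource/template.html? HTTP/1.0" - -',
    '198.51.100.9 - - [02/Jun/2000:11:21:50 -0500] "GET /VIEWSOURCE/template.html? HTTP/1.0" - -',
    '198.51.100.12 - - [02/Jun/2000:11:22:03 -0500] "GET /ramgen/clip.rm HTTP/1.0" - -',
]

if __name__ == "__main__":
    for src, target in find_hits(SAMPLE_LOG):
        print(f"empty view-source query from {src}: {target}")
```

The same predicate can back a deny rule on the fronting proxy, so the empty-query request never reaches the RealServer HTTP port.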
