[15168] in bugtraq


Remote DoS attack in RealServer: USSR-2000043

daemon@ATHENA.MIT.EDU (David Cotter)
Fri Jun 2 16:33:30 2000

Message-Id:  <4.1.20000601210348.00d6eca0@mail.real.com>
Date:         Thu, 1 Jun 2000 21:11:44 -0700
Reply-To: David Cotter <dcotter@REAL.COM>
From: David Cotter <dcotter@REAL.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM


This afternoon a BugTraq/USSR Advisory notice was released announcing that a
Denial of Service attack was found in the RealServer 7. We have found and
fixed the problem. This particular exploit utilizes a bug in the URL parsing
for the ViewSource feature. View Source allows source content and media file
information on enabled RealServers to be displayed in a Web browser. The
server's auto-restart feature will successfully determine that a problem has
occurred and will restart the server in approximately 120 seconds.

By taking any of the following steps, RealServer will no longer be
susceptible:

1. You can "turn off" view source via the Admin System by taking the following
steps:

a) In RealSystem Administrator, click View Source, then click Source Access
b) In the Master Settings area, select "Disable View Source"

Or manually add the following view source section to your configuration file:

<!-- V I E W  S O U R C E -->
<List Name="ViewSourceConfiguration">
                <Var ViewSourceLongName="View Source Tag FileSystem"/>
                <Var AllowViewSource="0"/>
</List>

NOTE: Using the Admin System will NOT require a restart of RealServer for
the setting to take effect.

2. Remove vsrcplin.so.6.0 or vsrc3260.dll from the Plugins directory of the
server to disable viewsource.

3. Remove <Var Path_4="/viewsource"/> from the HTTPDeliverable section of the
config file to disable viewsource.

All of these steps have no effect on the server's ability to stream all existing
on-demand and live content.
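As an added defender-side check (example code written here, not RealNetworks' own tooling), the script below audits a RealServer configuration for the config-level mitigations above: it reports whether AllowViewSource="0" is set in the ViewSourceConfiguration list (step 1) and whether any Path_N entry still maps to /viewsource (step 3), plus a filesystem check for the two plugin files named in step 2. It assumes the HTTPDeliverable section takes the same <List Name="..."> / <Var .../> form as the ViewSourceConfiguration fragment quoted in the message; that section's exact layout, the root element used for parsing, and the sample configurations are assumptions constructed for the example.

```python
"""Audit a RealServer 7 configuration for the ViewSource mitigations above.

Added example (not RealNetworks' code). It assumes the config file is the
XML-like format shown in the advisory, with an HTTPDeliverable section that
also takes the form <List Name="HTTPDeliverable"> holding <Var Path_N="..."/>
entries; that section's layout is an assumption, not quoted from the page.
"""
import os
import re
import xml.etree.ElementTree as ET

# Plugin file names given in the advisory (Unix and Windows builds).
VIEWSOURCE_PLUGINS = ("vsrcplin.so.6.0", "vsrc3260.dll")

# Constructed sample: ViewSource enabled and reachable over HTTP.
VULNERABLE_CONFIG = """
<List Name="HTTPDeliverable">
    <Var Path_1="/ramgen/"/>
    <Var Path_4="/viewsource"/>
</List>
<!-- V I E W  S O U R C E -->
<List Name="ViewSourceConfiguration">
    <Var ViewSourceLongName="View Source Tag FileSystem"/>
    <Var AllowViewSource="1"/>
</List>
"""

# Constructed sample: step 1 (AllowViewSource="0") and step 3 (Path_4 removed) applied.
HARDENED_CONFIG = """
<List Name="HTTPDeliverable">
    <Var Path_1="/ramgen/"/>
</List>
<!-- V I E W  S O U R C E -->
<List Name="ViewSourceConfiguration">
    <Var ViewSourceLongName="View Source Tag FileSystem"/>
    <Var AllowViewSource="0"/>
</List>
"""


def _parse(config_text):
    """Wrap the text in a synthetic root so a bare fragment and a whole file both parse."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_text)
    return ET.fromstring("<audit-root>" + body + "</audit-root>")


def _vars_in_list(root, list_name):
    """Yield every <Var/> directly inside any <List Name=list_name>, however deeply nested."""
    for lst in root.iter("List"):
        if lst.get("Name") == list_name:
            yield from lst.findall("Var")


def audit_viewsource(config_text):
    """Return which of the advisory's config-level mitigations are in effect."""
    root = _parse(config_text)

    # Step 1: every AllowViewSource in ViewSourceConfiguration must be "0".
    # A missing Var is reported as not explicitly disabled.
    allow_values = [v.get("AllowViewSource")
                    for v in _vars_in_list(root, "ViewSourceConfiguration")
                    if v.get("AllowViewSource") is not None]
    disabled = bool(allow_values) and all(val == "0" for val in allow_values)

    # Step 3: no Path_N entry under HTTPDeliverable may map to /viewsource.
    paths = [val for v in _vars_in_list(root, "HTTPDeliverable")
             for key, val in v.attrib.items() if key.startswith("Path_")]
    exposed = "/viewsource" in paths

    # The advisory says any single step suffices, so either one counts as mitigated.
    return {
        "view_source_disabled": disabled,
        "viewsource_path_exposed": exposed,
        "mitigated": disabled or not exposed,
    }


def viewsource_plugin_present(plugins_dir):
    """Step 2 check: True if either ViewSource plugin file is still in the Plugins directory."""
    return any(os.path.exists(os.path.join(plugins_dir, name)) for name in VIEWSOURCE_PLUGINS)


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_viewsource(cfg))
```

Run it against the live configuration file (read the file and pass its text to audit_viewsource, and point viewsource_plugin_present at the server's Plugins directory) to confirm that at least one of the three steps is actually in place; a config that merely lacks a ViewSourceConfiguration section is reported as not explicitly disabled, so it only counts as mitigated when the /viewsource path is also gone.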

We have not yet received reports of anyone actually being attacked with this
exploit; however, we will be making a RealServer patch available that will
defeat this specific attack within the next 24 hours.

We appreciate the efforts that Underground Security Systems Research Labs (USSR
Labs) went through to contact us regarding this.  Unfortunately, an internal
process broke down and as a consequence we failed to respond to the original
notification.  We have subsequently updated our processes.

------------------------------------------------------------------------
Dave Cotter
Program Manager, RealNetworks, Inc.
Ph: 1 206 674 2491
Pgr: 206-975-5640
