Subject: Remote DoS attack in RealServer: USSR-2000043
From: David Cotter (dcotterREAL.COM)
Date: Thu Jun 01 2000 - 23:11:44 CDT


This afternoon a BugTraq/USSR Advisory notice was released announcing that a
Denial of Service attack was found in RealServer 7. We have found and
fixed the problem. This particular exploit utilizes a bug in the URL parsing
for the ViewSource feature. View Source allows source content and media file
information on enabled RealServers to be displayed in a Web browser. The
server's auto-restart feature will successfully determine that a problem has
occurred and will restart the server in approximately 120 seconds.

By taking any one of the following steps, RealServer will no longer be
susceptible:

1. You can "turn off" view source via the Admin System by taking the following
steps:

a) In RealSystem Administrator, click View Source, then click Source Access
b) In the Master Settings area, select "Disable View Source"

Or manually add the following view source section to your configuration file:

<!-- V I E W S O U R C E -->
<List Name="ViewSourceConfiguration">
    <Var ViewSourceLongName="View Source Tag FileSystem"/>
    <Var AllowViewSource="0"/>
</List>

NOTE: Using the Admin System will NOT require a restart of RealServer for
the setting to take effect.

2. Remove vsrcplin.so.6.0 or vsrc3260.dll from the Plugins directory of the
server to disable viewsource.
3. Remove <Var Path_4="/viewsource"/> from the HTTPDeliverable section of the
config file to disable viewsource.

None of these steps affects the server's ability to stream all existing
on-demand and live content.

We have not yet received reports of anyone actually being attacked with this
exploit; however, we will be making a RealServer patch available that will
defeat this specific attack within the next 24 hours.

We appreciate the efforts that Underground Security Systems Research Labs (USSR
Labs) went through to contact us regarding this. Unfortunately, an internal
process broke down and as a consequence we failed to respond to the original
notification. We have subsequently updated our processes.

------------------------------------------------------------------------
Dave Cotter
Program Manager, RealNetworks, Inc.
Ph: 1 206 674 2491
Pgr: 206-975-5640
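An added example, not part of the original post and not RealNetworks' code: a small Python check that audits a RealServer configuration fragment for the config-level mitigations in steps 1 and 3 above (AllowViewSource="0" and the absence of a Path_N="/viewsource" entry under HTTPDeliverable). It assumes the config is XML-like as in the snippet above, wraps the fragment in a synthetic root element for parsing, and uses constructed sample fragments; step 2 (removing the plugin file) cannot be verified from the config text.

```python
import xml.etree.ElementTree as ET

def find_list(root: ET.Element, name: str):
    """Return the <List Name=...> element with the given name, or None."""
    for lst in root.iter("List"):
        if lst.get("Name") == name:
            return lst
    return None

def audit_view_source(config_text: str) -> dict:
    """Report the state of the advisory's config-level View Source mitigations."""
    # A real config has its own root element; a fragment such as the advisory's
    # snippet is wrapped in a synthetic <Root> so it parses too (assumption).
    root = ET.fromstring("<Root>" + config_text + "</Root>")
    # Step 1: View Source counts as disabled only when AllowViewSource="0" is
    # present; a missing ViewSourceConfiguration section means the default (on).
    allow = None
    vs = find_list(root, "ViewSourceConfiguration")
    if vs is not None:
        for var in vs.iter("Var"):
            allow = var.get("AllowViewSource", allow)
    allow_enabled = allow != "0"
    # Step 3: any Path_N="/viewsource" under HTTPDeliverable keeps the feature
    # reachable over HTTP.
    paths = []
    http = find_list(root, "HTTPDeliverable")
    if http is not None:
        for var in http.iter("Var"):
            paths += [k for k, v in var.attrib.items()
                      if k.startswith("Path_") and v == "/viewsource"]
    # Either step alone suffices per the advisory; step 2 (deleting the plugin
    # file) is a filesystem change and is not visible in the config text.
    return {
        "allow_view_source_enabled": allow_enabled,
        "viewsource_http_paths": paths,
        "exposed_by_config": allow_enabled and bool(paths),
    }

# Constructed sample fragments (not real deployment files).
UNMITIGATED_CFG = """<List Name="HTTPDeliverable">
    <Var Path_4="/viewsource"/>
</List>"""
MITIGATED_CFG = """<!-- V I E W S O U R C E -->
<List Name="ViewSourceConfiguration">
    <Var ViewSourceLongName="View Source Tag FileSystem"/>
    <Var AllowViewSource="0"/>
</List>""" + UNMITIGATED_CFG
```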