COMMAND

    Real Server

SYSTEMS AFFECTED

    - Real Networks Real Server 7 Linuxc6
    - Real Networks Real Server 7 Solaris 2.6
    - Real Networks Real Server 7 Solaris 2.7
    - Real Networks Real Server 7 Solaris 2.8
    - Real Networks Real Server 7 Windows NT/2000
    - Real Networks Real Server 7 SGI Irix 6.2
    - Real Networks Real Server 7 SGI Irix 6.5
    - Real Networks Real Server 7 SCO Unixware 7.xx
    - Real Networks Real Server 7 FreeBSD 3.0
    - Real Networks Real Server 7.01 Linuxc6
    - Real Networks Real Server 7.01 Solaris 2.6
    - Real Networks Real Server 7.01 Solaris 2.7
    - Real Networks Real Server 7.01 Solaris 2.8
    - Real Networks Real Server 7.01 Windows NT/2000
    - Real Networks Real Server 7.01 SGI Irix 6.2
    - Real Networks Real Server 7.01 SGI Irix 6.5
    - Real Networks Real Server 7.01 SCO Unixware 7.xx
    - Real Networks Real Server 7.01 FreeBSD 3.0
    - Real Networks Real Server 8.00Beta Solaris7
    - Real Networks Real Server G2 1.0

PROBLEM

    The Ussr Labs team has recently discovered a memory problem in the
    RealServer 7 Server (patched  and non-patched).  What  happens is,
    by performing  an attack  sending specially-malformed  information
    to  the  RealServer  HTTP  Port(default  is  8080),  the   process
    containing the services will stop responding.

    The exploit will take down  the RealServer causing it to  stop all
    streaming  media  brodcasts,  making  it  non-functional,  (untill
    Reboot).  With  the RealServer server  running on 'Port'  (default
    being 8080) the syntax to do the D.O.S. attack is:

        http://ServerIp:Port/viewsource/template.html?

    and Real Server will Stop Responding.

    With the RealServer server running on 'Port' (default being  8080)
    the syntax to do the D.O.S. attack is:

        http://ServerIp:Port/viewsource/template.html?

    and Real Server will Stop Responding.

    Radio:  British   Broadcasting  Corporation   1999  (default    in
    RealPlayer 8):

      Radio Url:
        http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732F617564696F686967687761792F617564696F68696768776179325F3238

        RealServer http running on port 80

        RealServer http ip: 206.190.42.7

      Valid Url for Clip Source:
        http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amngaAmkyf59v6zgjqC1t6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh

      Malformed Url for Clip Source:
        http://206.190.42.7/viewsource/template.html?

    This same DoS appears to work on the new realserver 8 BETA.
SOLUTION

    This particular exploit utilizes a bug in the URL parsing for  the
    ViewSource feature.  View  Source allows source content  and media
    file information on enabled RealServers  to be displayed in a  Web
    browser.   The  server's  auto-restart  feature  will successfully
    determine that a problem has occurred and will restart the  server
    in approximately 120 seconds.

    By taking either of the following steps, RealServer will no longer
    be susceptible:

    1. You can "turn off" view  source via the Admin System by  taking
       the following steps:
       a) In RealSystem Administrator,  click View Source, then  click
          Source Access
       b) In the Master Settings area, select "Disable View Source"

       Or  manually  add  the  following  view  source section to your
       configuration file:

        <!-- V I E W  S O U R C E -->
        <List Name="ViewSourceConfiguration">
                        <Var ViewSourceLongName="View Source Tag FileSystem"/>
                        <Var AllowViewSource="0"/>
        </List>

       Using the Admin System will NOT require a restart of RealServer
       for setting to take affect

    2. Remove  vsrcplin.so.6.0  or  vsrc3260.dll  from  the    Plugins
       directory of the server to disable viewsource.

    3. Remove  <Var  Path_4="/viewsource"/>  from the  HTTPDeliverable
       section of the config file to disable viewsource.

    All of these steps have no effect on the servers ability to stream
    all existing on-demand and live content.  It should be noted  that
    the 6.x series does not have the 'viewsource' variable  available,
    so it's undoubtedly unaffected.