COMMAND
Real Server
SYSTEMS AFFECTED
- Real Networks Real Server 7 Linuxc6
- Real Networks Real Server 7 Solaris 2.6
- Real Networks Real Server 7 Solaris 2.7
- Real Networks Real Server 7 Solaris 2.8
- Real Networks Real Server 7 Windows NT/2000
- Real Networks Real Server 7 SGI Irix 6.2
- Real Networks Real Server 7 SGI Irix 6.5
- Real Networks Real Server 7 SCO Unixware 7.xx
- Real Networks Real Server 7 FreeBSD 3.0
- Real Networks Real Server 7.01 Linuxc6
- Real Networks Real Server 7.01 Solaris 2.6
- Real Networks Real Server 7.01 Solaris 2.7
- Real Networks Real Server 7.01 Solaris 2.8
- Real Networks Real Server 7.01 Windows NT/2000
- Real Networks Real Server 7.01 SGI Irix 6.2
- Real Networks Real Server 7.01 SGI Irix 6.5
- Real Networks Real Server 7.01 SCO Unixware 7.xx
- Real Networks Real Server 7.01 FreeBSD 3.0
- Real Networks Real Server 8.00Beta Solaris7
- Real Networks Real Server G2 1.0
PROBLEM
The Ussr Labs team has recently discovered a memory problem in the
RealServer 7 Server (patched and non-patched). What happens is,
by performing an attack sending specially-malformed information
to the RealServer HTTP Port(default is 8080), the process
containing the services will stop responding.
The exploit will take down the RealServer causing it to stop all
streaming media brodcasts, making it non-functional, (untill
Reboot). With the RealServer server running on 'Port' (default
being 8080) the syntax to do the D.O.S. attack is:
http://ServerIp:Port/viewsource/template.html?
and Real Server will Stop Responding.
With the RealServer server running on 'Port' (default being 8080)
the syntax to do the D.O.S. attack is:
http://ServerIp:Port/viewsource/template.html?
and Real Server will Stop Responding.
Radio: British Broadcasting Corporation 1999 (default in
RealPlayer 8):
Radio Url:
http://playlist.broadcast.com/makeplaylist.asp?id=7708&encad=2F6164732F617564696F686967687761792F617564696F68696768776179325F3238
RealServer http running on port 80
RealServer http ip: 206.190.42.7
Valid Url for Clip Source:
http://206.190.42.7/viewsource/template.html?nuyhtgs0pdz6iqm557a6i9bgj054ngdnbfzgro7zxfAjq357lnwEC6ne8s5ge5hi4ejqC1t6x1amngaAmkyf59v6zgjqC1t6x1amngoAmkyf1AvuEfhe640hBh60EeADAo2097qglh
Malformed Url for Clip Source:
http://206.190.42.7/viewsource/template.html?
This same DoS appears to work on the new realserver 8 BETA.
SOLUTION
This particular exploit utilizes a bug in the URL parsing for the
ViewSource feature. View Source allows source content and media
file information on enabled RealServers to be displayed in a Web
browser. The server's auto-restart feature will successfully
determine that a problem has occurred and will restart the server
in approximately 120 seconds.
By taking either of the following steps, RealServer will no longer
be susceptible:
1. You can "turn off" view source via the Admin System by taking
the following steps:
a) In RealSystem Administrator, click View Source, then click
Source Access
b) In the Master Settings area, select "Disable View Source"
Or manually add the following view source section to your
configuration file:
<!-- V I E W S O U R C E -->
<List Name="ViewSourceConfiguration">
<Var ViewSourceLongName="View Source Tag FileSystem"/>
<Var AllowViewSource="0"/>
</List>
Using the Admin System will NOT require a restart of RealServer
for setting to take affect
2. Remove vsrcplin.so.6.0 or vsrc3260.dll from the Plugins
directory of the server to disable viewsource.
3. Remove <Var Path_4="/viewsource"/> from the HTTPDeliverable
section of the config file to disable viewsource.
All of these steps have no effect on the servers ability to stream
all existing on-demand and live content. It should be noted that
the 6.x series does not have the 'viewsource' variable available,
so it's undoubtedly unaffected.