RealServer G2 Buffer Overflow

RealNetworks RealServer G2 buffer overflow
Reported November 4, 1999 by Dark Spyrit
VERSIONS AFFECTED
  • RealNetwork RealServer G2

DESCRIPTION

A buffer overflow exists in the web authentication on the RealServer administrator port. By sending a long user/password pair, an attacker can overflow the buffer and execute arbitrary code.

DEMONSTRATION

Connect to administration port and send:

GET /admin/index.html HTTP/1.0
Connection: Keep-Alive
....
Authorization: Basic

As Basic authorization is base64-encoded, this made coding an exploit extremely annoying - but, of course, it could be done.
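An added example (not from the advisory or from beavuh.org) of how a defender might flag requests of the kind described above: it locates the Basic Authorization header, base64-decodes it and reports credential fields longer than an assumed threshold. MAX_FIELD_LEN, build_request and the sample credentials are constructed here for illustration, not taken from RealServer.

```python
import base64
import binascii

# Assumed threshold for flagging; the real safe limit is not known, so tune it.
MAX_FIELD_LEN = 64


def parse_basic_auth(request: str):
    """Return (user, password) from a Basic Authorization header, else None."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None  # some other scheme; not what this check is for
        try:
            raw = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None  # not valid base64 -> malformed, not Basic credentials
        # RFC 2617 form is user:password; a missing colon yields an empty password.
        user, _, password = raw.decode("latin-1").partition(":")
        return user, password
    return None


def classify_request(request: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Label a request 'no-basic-auth', 'ok' or 'oversized-credentials'."""
    creds = parse_basic_auth(request)
    if creds is None:
        return "no-basic-auth"
    user, password = creds
    if len(user) > max_len or len(password) > max_len:
        return "oversized-credentials"
    return "ok"


def build_request(user: str, password: str) -> str:
    """Constructed sample request in the shape the advisory shows."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return ("GET /admin/index.html HTTP/1.0\r\nConnection: Keep-Alive\r\n"
            f"Authorization: Basic {token}\r\n\r\n")


if __name__ == "__main__":
    # Constructed inputs: a normal login and one whose password is far longer than any real one.
    print(classify_request(build_request("admin", "s3cret")))      # ok
    print(classify_request(build_request("admin", "A" * 600)))     # oversized-credentials
```

The same check can be run over proxy or IDS captures of traffic to the administrator port, where an oversized decoded field is a far more reliable signal than the raw header length.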

Example code has been written for the latest (at present) freely available NT version of RealServer G2 and is available at http://www.beavuh.org. [ The code is also at this site in .exe and .asm format ]

The exploit will spawn a command prompt on port 6968 and has been tested extensively.

This was tested with a default installation - if RealServer is installed in a different directory than the default, the buffer will need to be adjusted accordingly.

The administrator port is randomly selected at installation, but since you'll only be testing on your own networks this shouldn't matter :)

We have only checked the NT version of this software for the vulnerability, and it is unknown whether versions on other platforms are affected.

Vendors really need to take buffer overflows on the NT platform more seriously; the fact that you can hide behind a closed-source environment doesn't make you any safer. Take a look at the articles on our website, which demonstrate this fact.

DEFENSE

Brendan Brannen writes, "While this may not be the best fix for everyone, on our server, I simply went in to the .cfg file and (after backing it up of course) deleted the entry that specified the admin port. I then stopped and restarted the rmserver service. While this does of course effectively turn off the administrative capabilities of the software, you can of course switch between your backed up version and the new one of the CFG file to re-enable this service."

VENDOR RESPONSE

None as of November 4, 1999.

CREDITS
Reported by Dark Spyrit

Posted here at NTSecurity.NET on November 4, 1999