Report for RealServer memory contents disclosure vulnerability

Date Published: November 16th, 2000

Advisory ID: CORE-20001116

Bugtraq ID: 1957

CVE Name: CVE-2000-1181

Title: RealServer memory contents disclosure vulnerability

Class: Failure to handle exceptional conditions

Remotely Exploitable: Yes

Locally Exploitable: Yes

Release Mode: COORDINATED RELEASE


Vulnerability Description:
A memory contents disclosure vulnerability was found in RealNetworks RealServer. The server gives out information about its configuration, runtime memory data, and tokens and authentication credentials.

This information may allow an external attacker to obtain administrative access to the server or access to data belonging to other user sessions.

Vulnerable Packages/Systems:

Real Networks Real Server version 7 and below, all supported platforms

Solution/Vendor Information/Workaround:
A description of the problem and an updated version of Real Server with a fix for the problem are available at:
http://service.real.com/help/faq/security/memory.html

Vendor notified on: October 17th, 2000

Credits:
This vulnerability was found by Gerardo Richarte and Claudio Castiglia from Core SDI S.A.

CORE SDI would like to thank RealNetworks Inc. for their prompt response to the problem.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories, please mail vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code:
Issuing a request to a RealServer with the following URI:

http://targetserver/admin/includes/ (note the ending '/' slash)

elicits a response containing random pieces of the server's runtime memory.

This generally consists of data from previous sessions and contains information that could be used to obtain unauthorized access to the RealServer administration facilities (cookies sent to other clients, Base64-encoded usernames and passwords, the random port number where the administration server listens, etc.).
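
For operators who want to check whether the URI above was requested before the fix was installed, the following is an added example and not part of the original advisory or of any RealNetworks tooling. It assumes access log lines in a common-log-format style with the request line in double quotes; the sample lines, addresses and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: common-log-format style lines with the request line in double
# quotes. Adjust REQUEST_RE to the format your server actually writes.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+)[^"]*"')
WATCHED = "/admin/includes/"  # URI path from the advisory, trailing slash included


def normalize_path(target):
    """Reduce a logged request target to a canonical path for comparison."""
    if "://" in target.split("?", 1)[0]:       # absolute-URI form
        target = urlsplit(target).path or "/"
    raw = unquote(target.split("?", 1)[0])     # drop the query, decode %xx
    raw = re.sub(r"/{2,}", "/", raw)           # collapse duplicate slashes
    path = posixpath.normpath(raw)             # resolve "." and ".." segments
    if raw.endswith("/") and path != "/":
        path += "/"                            # normpath strips the trailing slash
    return path


def find_requests(lines):
    """Return (client, raw_target) for each request to the watched directory."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        # Case-insensitive compare: a conservative choice for a detection rule.
        if m and normalize_path(m["target"]).lower() == WATCHED:
            hits.append((m["client"], m["target"]))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Nov/2000:10:00:01 -0300] "GET /admin/includes/ HTTP/1.0" 200 4096',
    '192.0.2.11 - - [16/Nov/2000:10:00:05 -0300] "GET /admin/index.html HTTP/1.0" 401 512',
    '192.0.2.12 - - [16/Nov/2000:10:00:09 -0300] "GET /admin//includes/?x=1 HTTP/1.0" 200 4096',
    '192.0.2.13 - - [16/Nov/2000:10:00:12 -0300] "GET http://targetserver/admin/includes/ HTTP/1.0" 200 4096',
    '192.0.2.14 - - [16/Nov/2000:10:00:20 -0300] "GET /admin/includes/header.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, target in find_requests(SAMPLE_LOG):
        print(f"{client} requested {target}")
```

Any client this reports may have received memory contents, so credentials and administration cookies in use around those timestamps should be treated as exposed.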

DISCLAIMER:
The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
