Report for RealServer Memory Contents Disclosure Vulnerability

Advisory ID Internal: CORE-21116

Advisory Information:

Advisory ID: CORE-20001116
Bugtraq ID: 1957
CVE Name: CVE-2000-1181
Title: RealServer memory contents disclosure vulnerability
Class: Failure to handle exceptional conditions
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode: COORDINATED RELEASE

Vulnerability Description:

A memory contents disclosure vulnerability was found in RealNetworks RealServer. It discloses information about the server configuration, runtime memory data, tokens and authentication credentials.

This information may allow an external attacker to obtain administrative access to the server or access to data belonging to other user sessions.

Vulnerable Packages/Systems:

Real Networks Real Server version 7 and below, all supported platforms

Solution/Vendor Information/Workaround:

A description of the problem and an updated version of Real Server with a fix for the problem are available at:
http://service.real.com/help/faq/security/memory.html

Vendor notified on: October 17th, 2000

Credits:

This vulnerability was found by Gerardo Richarte and Claudio Castiglia from Core SDI S.A.

CORE SDI would like to thank RealNetworks Inc. for their prompt response to the problem.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail [email protected].

Technical Description - Exploit/Concept Code:

Issuing a request to a RealServer with the following URI:

http://targetserver/admin/includes/ (note the trailing '/' slash)

elicits a response containing random pieces of the server's runtime memory.

This generally consists of data from previous sessions and contains information that could be used to obtain unauthorized access to the RealServer administration facilities (cookies sent to other clients, Base64-encoded usernames and passwords, the random port number where the administration server listens, etc.).
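
For administrators reviewing whether the URI above was requested against their server, the following log check is an added example and not part of the original advisory. It assumes access-log lines in a Common Log Format style layout (RealServer's actual log layout may differ); the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format style lines; adapt the regex to the real log layout.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
PROBE_PATH = "/admin/includes/"  # URI from the advisory, trailing slash included

def normalise_path(target):
    """Reduce a request target to a canonical path for comparison."""
    # Drop an absolute-URI prefix (scheme://host) and any query string.
    path = re.sub(r"^[a-z]+://[^/]*", "", target, flags=re.I).split("?", 1)[0]
    previous = None
    while previous != path:  # undo repeated percent-encoding (%252F -> %2F -> /)
        previous, path = path, unquote(path)
    # Collapse duplicate slashes and fold case so near-variants are flagged too.
    return re.sub(r"/{2,}", "/", path).lower()

def find_disclosure_requests(lines):
    """Return (line_no, client, status, got_body) for each matching request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and normalise_path(m["target"]) == PROBE_PATH:
            # A 200 with a non-empty body means content was served for this URI.
            got_body = m["status"] == "200" and m["size"] not in ("-", "0")
            hits.append((line_no, m["client"], int(m["status"]), got_body))
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Nov/2000:10:01:02 -0300] "GET /admin/index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [16/Nov/2000:10:03:19 -0300] "GET /admin/includes/ HTTP/1.0" 200 8192',
    '192.0.2.44 - - [16/Nov/2000:10:03:25 -0300] "GET /admin/includes HTTP/1.0" 404 210',
    '198.51.100.7 - - [16/Nov/2000:10:09:41 -0300] "GET /Admin//includes%2F?x=1 HTTP/1.0" 200 8192',
    '198.51.100.7 - - [16/Nov/2000:10:10:00 -0300] "GET /admin/includes/banner.html HTTP/1.0" 200 900',
    '203.0.113.5 - - [16/Nov/2000:10:15:30 -0300] "GET /admin/includes/ HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for line_no, client, status, got_body in find_disclosure_requests(SAMPLE_LOG):
        note = "response body returned, review exposure" if got_body else "no body"
        print(f"line {line_no}: {client} status={status} ({note})")
```

A hit with got_body set marks a request that received content from this URI; on an unpatched server, the cookies and administration credentials in use around that time should be treated as exposed.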

Disclaimer:

The contents of this advisory are copyright (c) 2000 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.