As everyone seems to have the giving spirit at present, here's a little something from the beavuh crew.

A buffer overflow exists in the web authentication on the RealServer administrator port. By sending a long user/password pair you can overflow the buffer and execute arbitrary code, e.g.:

    GET /admin/index.html HTTP/1.0
    Connection: Keep-Alive
    ....
    Authorization: Basic <long base64 encoded user/password>

As basic authorization is base64 encoded, this made coding an exploit extremely annoying - but, of course, it could be done.

Example code has been written for the latest (at present) freely available NT version of RealServer G2 and is available at http://www.beavuh.org. The exploit will spawn a command prompt on port 6968 and has been tested extensively. This was tested with a default installation - if RealServer is installed in a different directory than the default, the buffer will need to be adjusted accordingly. The administrator port is randomly selected at installation, but as you'll only be testing on your own networks this shouldn't matter :)

We have only checked the NT version of this software for the vulnerability, and it is unknown whether versions on other platforms are affected.

Vendors really need to take buffer overflows on the NT platform more seriously; the fact that you can hide behind a closed source environment doesn't make you any safer. Take a look at the articles on our website, which demonstrate this fact.

dark spyrit
http://www.beavuh.org - bend over and pray.
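The bug class described above, as an added illustration that is not the beavuh exploit and not RealServer's code: a server-side Basic-auth parser that base64-decodes the credential pair into a fixed-size stack buffer with no length check, next to a bounded version that rejects an oversized pair, plus a builder for the request shape quoted in the advisory. The buffer size CRED_MAX, the function names and the 300-byte user name are assumptions for the example; the real buffer size, offsets and payload are not given on the page and nothing here carries shellcode.

```c
/* Added example (not RealServer's code): Basic-auth decode into a fixed
 * buffer, unsafe and bounded, plus the request shape from the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode n bytes; returns a malloc'd NUL-terminated string. */
char *b64_encode(const unsigned char *in, size_t n)
{
    char *out = malloc(4 * ((n + 2) / 3) + 1);
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned v = in[i] << 16;
        if (i + 1 < n) v |= in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return out;
}

/* Decode base64 from in (stops at '=', CR or NUL) into out, which holds cap
 * bytes. Returns the decoded length, or -1 on a bad character or as soon as
 * one more byte would not fit in out. */
int b64_decode(const char *in, unsigned char *out, size_t cap)
{
    unsigned v = 0; int bits = 0; size_t o = 0;
    for (; *in && *in != '=' && *in != '\r'; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;                 /* not a base64 character */
        v = (v << 6) | (unsigned)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return -1;       /* would run past out */
            out[o++] = (v >> bits) & 0xff;
        }
    }
    return (int)o;
}

#define CRED_MAX 64   /* assumed size of the "user:password" buffer */

/* Split "user:password" (n bytes) into caller buffers of CRED_MAX bytes. */
static int split_cred(const unsigned char *cred, int n, char *user, char *pass)
{
    const unsigned char *colon = memchr(cred, ':', n);
    size_t ul, pl;
    if (!colon) return -1;
    ul = colon - cred; pl = n - ul - 1;
    memcpy(user, cred, ul); user[ul] = '\0';
    memcpy(pass, colon + 1, pl); pass[pl] = '\0';
    return 0;
}

/* Vulnerable pattern: the decoder is given no bound, so a long user/password
 * pair writes past cred[] on the stack. hdr is the header value ("Basic ..."). */
int parse_basic_auth_unsafe(const char *hdr, char *user, char *pass)
{
    unsigned char cred[CRED_MAX];
    int n;
    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    n = b64_decode(hdr + 6, cred, (size_t)-1);   /* no bound: the bug */
    if (n < 0) return -1;
    return split_cred(cred, n, user, pass);
}

/* Bounded version: an oversized pair is rejected instead of overflowing. */
int parse_basic_auth_safe(const char *hdr, char *user, char *pass)
{
    unsigned char cred[CRED_MAX];
    int n;
    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    n = b64_decode(hdr + 6, cred, sizeof cred - 1);
    if (n < 0) return -1;
    return split_cred(cred, n, user, pass);
}

/* Build the request shape quoted in the advisory for a user/password pair. */
char *build_request(const char *user, const char *pass)
{
    size_t ul = strlen(user), pl = strlen(pass);
    unsigned char *cred = malloc(ul + pl + 1);
    const char *fmt = "GET /admin/index.html HTTP/1.0\r\nConnection: Keep-Alive\r\n"
                      "Authorization: Basic %s\r\n\r\n";
    char *enc, *req;
    memcpy(cred, user, ul); cred[ul] = ':'; memcpy(cred + ul + 1, pass, pl);
    enc = b64_encode(cred, ul + pl + 1);
    req = malloc(strlen(fmt) + strlen(enc) + 1);
    sprintf(req, fmt, enc);
    free(cred); free(enc);
    return req;
}

int main(void)
{
    char user[CRED_MAX], pass[CRED_MAX], longuser[301];
    char *req;
    memset(longuser, 'A', 300); longuser[300] = '\0';   /* constructed long user name */
    req = build_request(longuser, "x");
    printf("%s", req);
    printf("bounded parser result: %d (-1 = rejected)\n",
           parse_basic_auth_safe(strstr(req, "Basic "), user, pass));
    free(req);
    return 0;
}
```

The unsafe parser is only ever called with a short pair here; feeding it the 300-byte user name would corrupt the stack, which is exactly the condition the advisory describes. The bounded decoder fails closed the moment the decoded length would exceed the buffer, which is the check a server should have had.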
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:37 PDT