Date: Wed, 14 Apr 1999 10:45:50 +0200 From: Francisco M. Marzoa Alonso To: BUGTRAQ@netspace.org Subject: Real Media Server stores passwords in plain text My real media server information: fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version Creating Server Space... Starting RealServer 6.0 Core... RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved. Version: 6.0.3.353 Platform: linux2 The fact is that through installation process it ask for a password that itsn't hide neither when you write it, but worse is that this password is stored in the file /usr/local/rmserver/rmserver.cfg in plain format and this file have as default a 644 permision mask. Excuse if this security issue was adviced before and, by the way, my poor english too. -- Francisco M. Marzoa Alonso - SiRE 3CLiNUX - http://club.idecnet.com/~fmmarzoa/ ----------------------------------------------------------------------------- Date: Fri, 16 Apr 1999 10:51:18 +0100 From: Adam Laurie To: BUGTRAQ@netspace.org Subject: Re: Real Media Server stores passwords in plain text > My real media server information: > > fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version > Creating Server Space... > Starting RealServer 6.0 Core... > RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved. > Version: 6.0.3.353 > Platform: linux2 > > The fact is that through installation process it ask for a password that > itsn't hide neither when you write it, but worse is that this password is > stored in the file /usr/local/rmserver/rmserver.cfg in plain format and > this file have as default a 644 permision mask. > > Excuse if this security issue was adviced before and, by the way, my poor > english too. It gets worse... the G2 web admin facility uses forms to change/set passwords etc. (Some of) these changes are logged, in plaintext, in the world readable access logs for your lusers' reading pleasure... Here's a snippit: 10.1.1.1 - - [14/Mar/1999:11:23:32 +0000] "GET admin/auth.adduser.html?respage%3Dadduser_respage.ht ml%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0" 200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114 I reported this to Real, but have had the expected resonse... cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers ----------------------------------------------------------------------------- Date: Thu, 15 Apr 1999 09:45:49 +0200 From: Peter Roth To: BUGTRAQ@netspace.org Subject: Re: Real Media Server stores passwords in plain text this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT, File Persmission is set to full access by everyone Greetings Peter ----------------------------------------------------------------------------- Date: Mon, 19 Apr 1999 20:37:49 -0400 From: Doug Monroe To: BUGTRAQ@netspace.org Subject: Re: Real Media Server stores passwords in plain text > M. Marzoa Alonso wrote: >> The fact is that through installation process it ask for a >> password that itsn't hide neither when you write it, but worse is that this >> password is stored in the file /usr/local/rmserver/rmserver.cfg in plain >> format > Peter Roth wrote: >this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT, >File Persmission is set to full access by everyone tangetially related to Real Server/cleartext passwords....but mostly related to bad practices on the part of application developers. FWIW- Station Manager from Lariat Software (www.lariat.com) manages/schedules content offered on Real Servers and has similar issues. Quoting from their docs: In order to access Station Manager, it must be installed on a Web server. You can install Station Manager directly into the Web server's root directory or in another directory on the same computer as long as the directory is a virtual directory of the Web server. Installing the product under docroot means all of the installed files are viewable and/or retrievable. This includes license info, manuals, admin info, *config* files...for example: http://my.example.com/stationmanager/lariat/server/config/stnmng.cfg might reward you with: --- RVSLTA Z:\Real\Server\Bin\rvslta.exe SERVERHOSTNAME somehost.example.com SERVERPASSWORD xyz123 <-- ed note: Real Server pw here SERVERPORT 7777 CONVERSION somehost.example.com 7777 X:\rmfiles STATIONMANAGERPASSWORD foobar --- Of course you can use access control mechanisms to protect yourself but nowhere do they warn of these pitfalls and if someone installs the product under the docroot of a typical server: a) without access control b) with directory listings enabled then the above config files and their passwords (among other things) are exposed. Even if directory listing is dis-abled, one can still retrieve config files (for example) if one simply knows the correct path/filename. Lariat has been told and may be in the process of modifying documentation. ----------------------------------------------------------------------------- Date: Thu, 22 Apr 1999 21:55:08 -0400 From: Lawrence S. Lee Reply-To: llee@taos.com To: BUGTRAQ@netspace.org Subject: Re: Real Media Server stores passwords in plain text Well, it doesn't get any better. For example... 1. Under the G2 server (IRIX 6 in my case) it turns out that the administrator password is saved in plaintext in the user database (under the rmserver install directory)... but the _encoder_ passwords are stored in encrypted form! 2. While installing the G2 server I found that the install program wouldn't work properly unless run as root... even though it didn't seem to modify any files outside of the directory tree you're working under. 3. I believe the PNM port is 554, which I believe _requires_ (for no good reason) you to run the G2 server as root (unless you change the port, which I did to 5540). 4. ALL the files installed for G2 are set as readable by ALL users! massive chmod'ing. 5. Seeing as how it was possible to use encrypted passwords for the encoder user, I tried finagling the config file so that it would store the administrator password using the "encrypted store." I tore my hair out until I finally succumbed and called tech support, which firstly didn't really see what the big problem was, and second replied, "well, it looks like what you're doing should make sense... so I don't know why it's not working. We'll take a look at it and let you know what we find." No replies back from them since (which was to be expected). As someone else mentioned... just sloppy programming practice. larry "Francisco M. Marzoa Alonso" wrote: > The fact is that through installation process it ask for a password that > itsn't hide neither when you write it, but worse is that this password is > stored in the file /usr/local/rmserver/rmserver.cfg in plain format and > this file have as default a 644 permision mask. ----------------------------------------------------------------------------- Date: Fri, 14 May 1999 07:03:08 +0000 From: "@cm3_1aM3r" To: BUGTRAQ@netspace.org Subject: Re: Real Media Server stores passwords in plain text On Wed, 14 Apr 1999, Francisco M. Marzoa Alonso wrote: > My real media server information: > > fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version > Creating Server Space... > Starting RealServer 6.0 Core... > RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved. > Version: 6.0.3.353 > Platform: linux2 > > The fact is that through installation process it ask for a password that > itsn't hide neither when you write it, but worse is that this password is > stored in the file /usr/local/rmserver/rmserver.cfg in plain format and > this file have as default a 644 permision mask. > I downloaded the RealServer too, and noticed Real's kind of "open" filosophy. I ran a search through the bugtraq archives and the post I'm replying on came up in the search. It seems that exactly one month after Real was warned by Francisco M. Marzoa Alonso completely nothing has happened. Like Francisco said; the rmserver.cfg is world-readable and the subdirectory dbm_b_db and (worse of all, like Adam Laurie already stated), the dbm_b_db/users directory with user & passwd info is world-readable for anyone with shell access to the machine running rmserver. There also is a directory named "Secure", where -and I quote- you can "place secure contents in" so "RealServer will authenticate the user" :( So shell access to an rmserver = rmserver admin rights. (^.^)' I re-reported this to Real. No response yet. Maybe if we all make a lot of fuzz about it they'll get tired of mail and change their cracker-friendly ways... -- the @cm3_1aM3r (please don't think I'm some sort of script kiddo or something like that. I like to pun at that scene by choosing such an utterly stupid name ;) "People who generalize things are stupid!"