realserver.passwd.txt

`Date: Wed, 14 Apr 1999 10:45:50 +0200  
From: Francisco M. Marzoa Alonso <[email protected]>  
To: [email protected]  
Subject: Real Media Server stores passwords in plain text  
  
My real media server information:  
  
fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version  
Creating Server Space...  
Starting RealServer 6.0 Core...  
RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.  
Version: 6.0.3.353  
Platform: linux2  
  
The fact is that through installation process it ask for a password that  
itsn't hide neither when you write it, but worse is that this password is  
stored in the file /usr/local/rmserver/rmserver.cfg in plain format and  
this file have as default a 644 permision mask.  
  
Excuse if this security issue was adviced before and, by the way, my poor  
english too.  
  
--  
Francisco M. Marzoa Alonso - SiRE  
3CLiNUX - http://club.idecnet.com/~fmmarzoa/  
  
-----------------------------------------------------------------------------  
  
Date: Fri, 16 Apr 1999 10:51:18 +0100  
From: Adam Laurie <[email protected]>  
To: [email protected]  
Subject: Re: Real Media Server stores passwords in plain text  
  
> My real media server information:  
>  
> fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version  
> Creating Server Space...  
> Starting RealServer 6.0 Core...  
> RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.  
> Version: 6.0.3.353  
> Platform: linux2  
>  
> The fact is that through installation process it ask for a password that  
> itsn't hide neither when you write it, but worse is that this password is  
> stored in the file /usr/local/rmserver/rmserver.cfg in plain format and  
> this file have as default a 644 permision mask.  
>  
> Excuse if this security issue was adviced before and, by the way, my poor  
> english too.  
  
It gets worse... the G2 web admin facility uses forms to change/set  
passwords etc. (Some of) these changes are logged, in plaintext, in the  
world readable access logs for your lusers' reading pleasure...  
  
Here's a snippit:  
  
10.1.1.1 - - [14/Mar/1999:11:23:32 +0000] "GET  
admin/auth.adduser.html?respage%3Dadduser_respage.ht  
ml%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0"  
200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114  
  
I reported this to Real, but have had the expected resonse...  
  
cheers,  
Adam  
--  
Adam Laurie Tel: +44 (181) 742 0755  
A.L. Digital Ltd. Fax: +44 (181) 742 5995  
Voysey House  
Barley Mow Passage http://www.aldigital.co.uk  
London W4 4GB mailto:[email protected]  
UNITED KINGDOM PGP key on keyservers  
  
-----------------------------------------------------------------------------  
  
Date: Thu, 15 Apr 1999 09:45:49 +0200  
From: Peter Roth <[email protected]>  
To: [email protected]  
Subject: Re: Real Media Server stores passwords in plain text  
  
this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT,  
File Persmission is set to full access by everyone  
  
Greetings  
  
Peter  
  
-----------------------------------------------------------------------------  
  
Date: Mon, 19 Apr 1999 20:37:49 -0400  
From: Doug Monroe <[email protected]>  
To: [email protected]  
Subject: Re: Real Media Server stores passwords in plain text  
  
> M. Marzoa Alonso wrote:  
>> The fact is that through installation process it ask for a  
>> password that itsn't hide neither when you write it, but worse is that this  
>> password is stored in the file /usr/local/rmserver/rmserver.cfg in plain  
>> format  
  
> Peter Roth <[email protected]> wrote:  
>this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT,  
>File Persmission is set to full access by everyone  
  
tangetially related to Real Server/cleartext passwords....but mostly  
related to bad practices on the part of application developers. FWIW-  
  
Station Manager from Lariat Software (www.lariat.com) manages/schedules  
content offered on Real Servers and has similar issues. Quoting from their  
docs:  
  
In order to access Station Manager, it must be installed on a Web  
server. You can install Station Manager directly into the Web  
server's root directory or in another directory on the same computer  
as long as the directory is a virtual directory of the Web server.  
Installing the product under docroot means all of the  
installed files are viewable and/or retrievable. This includes  
license info, manuals, admin info, *config* files...for example:  
http://my.example.com/stationmanager/lariat/server/config/stnmng.cfg  
might reward you with:  
---  
RVSLTA Z:\Real\Server\Bin\rvslta.exe  
SERVERHOSTNAME somehost.example.com  
SERVERPASSWORD xyz123 <-- ed note: Real Server pw here  
SERVERPORT 7777  
CONVERSION somehost.example.com 7777 X:\rmfiles  
STATIONMANAGERPASSWORD foobar  
---  
Of course you can use access control mechanisms to protect yourself but  
nowhere do they warn of these pitfalls and if someone installs the product  
under the docroot of a typical server:  
a) without access control  
b) with directory listings enabled  
then the above config files and their passwords (among other things) are  
exposed. Even if directory listing is dis-abled, one can still retrieve config  
files (for example) if one simply knows the correct path/filename.  
Lariat has been told and may be in the process of modifying documentation.  
  
-----------------------------------------------------------------------------  
  
Date: Thu, 22 Apr 1999 21:55:08 -0400  
From: Lawrence S. Lee <[email protected]>  
Reply-To: [email protected]  
To: [email protected]  
Subject: Re: Real Media Server stores passwords in plain text  
  
Well, it doesn't get any better. For example...  
  
1. Under the G2 server (IRIX 6 in my case) it turns out that the  
administrator password is saved in plaintext in the user database (under the  
rmserver install directory)... but the _encoder_ passwords are stored in  
encrypted form!  
  
2. While installing the G2 server I found that the install program wouldn't  
work properly unless run as root... even though it didn't seem to modify any  
files outside of the directory tree you're working under.  
  
3. I believe the PNM port is 554, which I believe _requires_ (for no good  
reason) you to run the G2 server as root (unless you change the port, which I  
did to 5540).  
  
4. ALL the files installed for G2 are set as readable by ALL users! massive  
chmod'ing.  
  
5. Seeing as how it was possible to use encrypted passwords for the encoder  
user, I tried finagling the config file so that it would store the  
administrator password using the "encrypted store." I tore my hair out until  
I finally succumbed and called tech support, which firstly didn't really see  
what the big problem was, and second replied, "well, it looks like what  
you're doing should make sense... so I don't know why it's not working. We'll  
take a look at it and let you know what we find."  
  
No replies back from them since (which was to be expected). As someone else  
mentioned... just sloppy programming practice.  
  
larry  
  
"Francisco M. Marzoa Alonso" wrote:  
  
> The fact is that through installation process it ask for a password that  
> itsn't hide neither when you write it, but worse is that this password is  
> stored in the file /usr/local/rmserver/rmserver.cfg in plain format and  
> this file have as default a 644 permision mask.  
  
-----------------------------------------------------------------------------  
  
Date: Fri, 14 May 1999 07:03:08 +0000  
From: "@cm3_1aM3r" <[email protected]>  
To: [email protected]  
Subject: Re: Real Media Server stores passwords in plain text  
  
On Wed, 14 Apr 1999, Francisco M. Marzoa Alonso wrote:  
  
> My real media server information:  
>  
> fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version  
> Creating Server Space...  
> Starting RealServer 6.0 Core...  
> RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.  
> Version: 6.0.3.353  
> Platform: linux2  
>  
> The fact is that through installation process it ask for a password that  
> itsn't hide neither when you write it, but worse is that this password is  
> stored in the file /usr/local/rmserver/rmserver.cfg in plain format and  
> this file have as default a 644 permision mask.  
>  
  
I downloaded the RealServer too, and noticed Real's kind of "open"  
filosophy. I ran a search through the bugtraq archives and the post I'm  
replying on came up in the search. It seems that exactly one month after  
Real was warned by Francisco M. Marzoa Alonso completely nothing has  
happened. Like Francisco said; the rmserver.cfg is world-readable and the  
subdirectory dbm_b_db and (worse of all, like Adam Laurie already stated),  
the dbm_b_db/users directory with user & passwd info is world-readable for  
anyone with shell access to the machine running rmserver. There also is a  
directory named "Secure", where -and I quote- you can "place secure  
contents in" so "RealServer will authenticate the user" :(  
  
  
So shell access to an rmserver = rmserver admin rights. (^.^)'  
  
I re-reported this to Real. No response yet. Maybe if we all make a lot of  
fuzz about it they'll get tired of mail and change their cracker-friendly  
ways...  
  
-- the @cm3_1aM3r  
(please don't think I'm some sort of script kiddo or something like that.  
I like to pun at that scene by choosing such an utterly stupid name ;)  
  
"People who generalize things are stupid!"  
  
`