real.helix.9.0.txt

Posted Dec 21, 2002
Authored by Mark Litchfield | Site ngssoftware.com

RealNetworks Helix Universal Server v9.0 and below for Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 & 2.8 contains buffer overflows which can cause code to be executed as SYSTEM over TCP port 554.

tags | advisory, overflow, tcp
systems | linux, windows, solaris, freebsd, aix, hpux
SHA-256 | b39acaf9964d4389121ef064fdeeef266502772719c45556094be1fe82988b89

NGSSoftware Insight Security Research Advisory

Name: Multiple Buffer Overruns in RealNetworks Helix Universal Server 9.0
Systems Affected: Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 &
2.8
Severity: High Risk
Category: Buffer Overrun
Vendor URL: https://www.real.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 20th December 2002
Advisory number: #NISR20122002


Description
***********
According to REAL, the Helix Universal Server is the only universal platform
with support for live and on-demand delivery of all major media file
formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG
2, and more. The Helix server is vulnerable to multiple buffer overrun
vulnerabilities. Previous versions were not tested but it is assumed that
they too may be vulnerable.

Details
*******
The Helix server uses the RTSP protocol, which is based upon HTTP.

Vulnerability One: By supplying an overly long character string within the
Transport field of a SETUP RTSP request to a Helix server, which by default
listens on TCP port 554, an overflow will occur, overwriting the saved return
address on the stack. On a Windows box, the Helix server is installed by
default as a system service, and so exploitation of this vulnerability would
result in a complete server compromise, with supplied code executing in the
security context of SYSTEM. The impact of these vulnerabilities on UNIX-based
platforms was not tested, though they are vulnerable.

SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0
CSeq: 302
Transport: AAAAAAAAA-->

Vulnerability Two: By supplying a very long URL in the Describe field,
again over port 554, an attacker can overwrite the saved return address,
allowing the execution of code.

DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0
CSeq: 2
Accept: application/sdp
Session: 4668-1
Bandwidth: 393216
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=www.ngsconsulting.com
GUID: 00000000-0000-0000-0000-000000000000
Language: en-us
PlayerCookie: cbid
RegionData: myregion
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1

Vulnerability Three: Making two simultaneous HTTP requests (port 80)
containing long URIs will cause the saved return address to also be
overwritten, allowing an attacker to run arbitrary code of their choosing.
(The first connection will appear to hang; the session is kept open while a
second connection is made supplying the same request again.)

GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
User-Agent: RealPlayer G2
Expires: Mon, 18 May 1974 00:00:00 GMT
Pragma: no-cache
Accept: application/x-rtsp-tunnelled, */*
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihdi
X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt
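
A defensive check for the three request shapes above, as an added example that is not part of the original advisory nor NGSSoftware or RealNetworks code: it parses a request head and flags an oversized request URI or Transport header, as a filter in front of the server might. The length limits, the host name media.example and the function names are assumptions (the advisory gives no lengths), and for Vulnerability Three it covers only the long URI, not the two-connection timing.

```python
MAX_URI = 1024        # assumed limit for the request URI
MAX_TRANSPORT = 512   # assumed limit for the Transport header value
MAX_HEADER = 4096     # assumed limit for any other header value

def inspect_request(raw: bytes) -> list:
    """Return findings for one RTSP/HTTP request head; an empty list means clean."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, uri = parts[0].decode("latin-1"), parts[1]
    findings = []
    if len(uri) > MAX_URI:
        findings.append(f"{method} URI is {len(uri)} bytes (limit {MAX_URI})")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without ':'")
            continue
        key = name.strip().lower().decode("latin-1")
        limit = MAX_TRANSPORT if key == "transport" else MAX_HEADER
        if len(value.strip()) > limit:
            findings.append(f"{key} header is {len(value.strip())} bytes (limit {limit})")
    return findings

def request(line: str, headers: dict) -> bytes:
    """Build a constructed sample request head (test data only, never sent)."""
    body = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"{line}\r\n{body}\r\n".encode("latin-1")

FILL = "A" * 5000  # constructed filler standing in for the advisory's "AAAA-->"
SAMPLES = {
    "normal_setup": request("SETUP rtsp://media.example/clip.rm RTSP/1.0",
                            {"CSeq": "302", "Transport": "RTP/AVP;unicast;client_port=6970-6971"}),
    "long_transport": request("SETUP rtsp://media.example/clip.rm RTSP/1.0",
                              {"CSeq": "302", "Transport": FILL}),
    "long_describe_url": request(f"DESCRIBE rtsp://media.example/{FILL}.smi RTSP/1.0",
                                 {"CSeq": "2", "Accept": "application/sdp"}),
    "long_http_uri": request(f"GET /{FILL} HTTP/1.0", {"User-Agent": "RealPlayer G2"}),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_request(raw) or "clean")
```
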

Fix Information
***************
NGSSoftware alerted RealNetworks to these issues on 8/11/2002, 30/11/2002,
12/11/2002 respectively.
A patch has now been made available from
https://www.service.real.com/help/faq/security/bufferoverrun12192002.html

A check for these issues has been added to Typhon III, of which more
information is available from the
NGSSoftware website, https://www.ngssoftware.com.

Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see

https://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
https://www.ngssoftware.com/papers/ntbufferoverflow.html
https://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
https://www.ngssoftware.com/papers/unicodebo.pdf


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company, NGSConsulting, offers best-of-breed security consulting
services, specialising in application, host and network security
assessments.

https://www.ngssoftware.com/
https://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
