Credit:
The information has been provided by defrost.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=899
Vulnerable Systems:
* RealNetworks Helix Server version 12.x
* RealNetworks Helix Mobile Server version 12.x
* RealNetworks Helix Server version 13.x
* RealNetworks Helix Mobile Server version 13.x
* RealNetworks Helix Server version 14.x
* RealNetworks Helix Mobile Server version 14.x
The vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected service.
The Helix DNA Server contains a vulnerability that can be triggered by an unauthenticated attacker. The flaw lies in the parsing of a certain type of Real Time Streaming Protocol (RTSP) request that specifies a large string. The vulnerable function may perform a copy operation that writes past the bounds of a stack buffer.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service. To exploit it, an attacker only needs to be able to open a TCP connection to port 554 on the targeted server; no authentication is required.
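The advisory says only that a certain RTSP request carrying a large string triggers the overflow, so a defender watching port 554 before the patch is applied can reasonably look for RTSP requests with abnormally long request targets or header values. The following Python check is an added example and is not iDefense's, SecuriTeam's or RealNetworks' code; the length thresholds, the method list and the two sample requests are all constructed for illustration and should be tuned to the traffic your own Helix deployment actually sees.

```python
"""Length-anomaly check for RTSP request heads (added example).

The advisory states that an RTSP request specifying a large string
overflows a stack buffer in Helix Server, without naming the request
type.  This check is therefore generic: it parses the request line and
headers of an RTSP request and flags any line, request target or header
value longer than a configurable threshold, plus structural oddities.
All thresholds and sample data below are constructed, not taken from
the advisory.
"""
from dataclasses import dataclass, field

# Constructed thresholds; tune to what legitimate clients actually send.
MAX_LINE_LEN = 1024          # any single line of the request head
MAX_TARGET_LEN = 512         # the URL in the request line
MAX_HEADER_VALUE_LEN = 512   # any single header value

# Methods defined by RFC 2326 (RTSP 1.0).
RTSP_METHODS = {"OPTIONS", "DESCRIBE", "ANNOUNCE", "SETUP", "PLAY", "PAUSE",
                "TEARDOWN", "GET_PARAMETER", "SET_PARAMETER", "REDIRECT", "RECORD"}


@dataclass
class RtspRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)   # empty means "looks normal"


def parse_rtsp_request(raw: bytes) -> RtspRequest:
    """Parse the head (request line + headers) of one RTSP request.

    Never raises on malformed input: structural problems are recorded as
    findings so a monitoring loop alerts instead of crashing.
    """
    text = raw.decode("latin-1")                 # byte-preserving decode
    head = text.split("\r\n\r\n", 1)[0]          # drop any body
    lines = head.split("\r\n")
    req = RtspRequest(method="", target="", version="")

    # Oversized lines are suspicious regardless of what they contain.
    for i, line in enumerate(lines):
        if len(line) > MAX_LINE_LEN:
            req.findings.append(f"line {i} length {len(line)} exceeds {MAX_LINE_LEN}")

    # Request line: METHOD TARGET RTSP/x.y
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        req.findings.append("malformed request line")
        return req
    req.method, req.target, req.version = parts
    if req.method not in RTSP_METHODS:
        req.findings.append(f"unknown method {req.method!r}")
    if len(req.target) > MAX_TARGET_LEN:
        req.findings.append(
            f"request target length {len(req.target)} exceeds {MAX_TARGET_LEN}")

    # Headers: Name: value
    for i, line in enumerate(lines[1:], start=1):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            req.findings.append(f"line {i}: header without ':'")
            continue
        name, value = name.strip().lower(), value.strip()
        req.headers[name] = value
        if len(value) > MAX_HEADER_VALUE_LEN:
            req.findings.append(
                f"header {name!r} value length {len(value)} exceeds {MAX_HEADER_VALUE_LEN}")
    return req


def is_suspicious(raw: bytes) -> bool:
    """True when the request head produced at least one finding."""
    return bool(parse_rtsp_request(raw).findings)


# Constructed sample traffic: an ordinary DESCRIBE and one whose target is
# padded far beyond any sane media URL length.
BENIGN = (b"DESCRIBE rtsp://media.example.test/clip.rm RTSP/1.0\r\n"
          b"CSeq: 2\r\n"
          b"Accept: application/sdp\r\n\r\n")
OVERSIZED = (b"DESCRIBE rtsp://media.example.test/" + b"A" * 4000 + b" RTSP/1.0\r\n"
             b"CSeq: 2\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, parse_rtsp_request(sample).findings)
```

Run stand-alone, the script prints an empty finding list for the benign request and two findings (over-long line and over-long target) for the padded one. The parser is intentionally tolerant: a request that does not even parse as RTSP is reported rather than ignored, since malformed traffic to port 554 is exactly what you want surfaced while unpatched 12.x to 14.x servers are still reachable.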
Patch Availability:
RealNetworks has released a patch which addresses this issue.
Information about the vendor update is available at the following URL:
http://docs.real.com/docs/security/SecurityUpdate033111HS.pdf
CVE Information:
CVE-2010-4596
Disclosure Timeline:
11/17/2010 Initial Contact
12/03/2010 Initial Response
03/31/2010 Coordinated public disclosure.