Multiple Buffer overruns RealNetworks Helix Universal Server
25 Dec. 2002
According to REAL, the Helix Universal Server is the only universal platform with support for live and on-demand delivery of all major media file formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG 2, and more. The Helix server is vulnerable to multiple buffer overrun vulnerabilities. Previous versions were not tested but it is assumed that they too may be vulnerable.
* RealNetworks Helix Universal Server 9.0 under Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 & 2.8
The Helix server uses the RTSP protocol, which is based upon HTTP.
By supplying an overly long character string within the transport field of a SETUP RSTP request to a Helix server, which by default listens on TCP port 554, an overflow will occur overwriting the saved return address on the stack. On a windows box, the Helix server is installed by default as a system service and so exploitation of this vulnerability would result in a complete server compromise, with supplied code executing in the security context of SYSTEM. The impact of these vulnerabilities on UNIX based platforms was not tested, though they are vulnerable.
By making two HTTP requests (port 80) containing long URI's simultaneously, (in making the first connection, it will appear to hang, by keeping this session open and making another connection and supplying the same request again ), will cause the saved return address to also be overwritten, allowing an attacker to run arbitrary code of their choosing.