|
Brought to you by:
Suppliers of:
|
|
|
| |
| According to REAL, the Helix Universal Server is the only universal platform with support for live and on-demand delivery of all major media file formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG 2, and more. The Helix server is vulnerable to multiple buffer overrun vulnerabilities. Previous versions were not tested but it is assumed that they too may be vulnerable. |
| |
Credit:
The information has been provided by NGSSoftware Insight Security Research.
|
| |
Vulnerable systems:
* RealNetworks Helix Universal Server 9.0 under Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 & 2.8
The Helix server uses the RTSP protocol, which is based upon HTTP.
Vulnerability One:
By supplying an overly long character string within the transport field of a SETUP RSTP request to a Helix server, which by default listens on TCP port 554, an overflow will occur overwriting the saved return address on the stack. On a windows box, the Helix server is installed by default as a system service and so exploitation of this vulnerability would result in a complete server compromise, with supplied code executing in the security context of SYSTEM. The impact of these vulnerabilities on UNIX based platforms was not tested, though they are vulnerable.
SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0
CSeq: 302
Transport: AAAAAAAAA-->
Vulnerability Two:
By supplying a very long URL in the Describe field, again over port 554, an attacker can overwrite the saved return address allowing the execution of code
DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0
CSeq: 2
Accept: application/sdp
Session: 4668-1
Bandwidth: 393216
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=www.ngsconsulting.com
GUID: 00000000-0000-0000-0000-000000000000
Language: en-us
PlayerCookie: cbid
RegionData: myregion
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Vulnerability Three:
By making two HTTP requests (port 80) containing long URI's simultaneously, (in making the first connection, it will appear to hang, by keeping this session open and making another connection and supplying the same request again ), will cause the saved return address to also be overwritten, allowing an attacker to run arbitrary code of their choosing.
GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
User-Agent: RealPlayer G2
Expires: Mon, 18 May 1974 00:00:00 GMT
Pragma: no-cache
Accept: application/x-rtsp-tunnelled, */*
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihdi
X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt
Fix Information:
NGSSoftware alerted REALNetworks to theses issues on 8/11/2002, 30/11/2002, 12/11/2002 respectively. A patch has now been made available from http://www.service.real.com/help/faq/security/bufferoverrun12192002.html
|
|
|
|
|
