Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb5896.htm

RealNetworks HELIX Server Buffer Overflow Vulnerabilities



23th Dec 2002 [SBWID-5896]
COMMAND

	RealNetworks HELIX Server Buffer Overflow Vulnerabilities

SYSTEMS AFFECTED

	?

PROBLEM

	According to REAL, the Helix Universal  Server  is  the  only  universal
	platform with support for live  and  on-demand  delivery  of  all  major
	media file formats, including  Real  Media,  Windows  Media,  QuickTime,
	MPEG 4, MP3, MPEG 2,  and  more.  The  Helix  server  is  vulnerable  to
	multiple buffer overrun  vulnerabilities.  Previous  versions  were  not
	tested but it is assumed that they too may be vulnerable.
	
	 Details
	 *******
	
	The Helix server uses the RTSP protocol, which is based upon HTTP.
	
	
	Vulnerability One: By supplying an overly long character  string  within
	the Transport field of a SETUP RSTP request to a Helix server, which  by
	default listens on TCP port 554, an overflow will occur overwriting  the
	saved return address on the stack. On a windows box,  the  Helix  server
	is installed by default as a system service and so exploitation of  this
	vulnerability  would  result  in  a  complete  server  compromise,  with
	supplied code executing in the security context of  SYSTEM.  The  impact
	of these vulnerabilities on UNIX based platforms was not tested,  though
	they are vulnerable.
	
	SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0
	CSeq: 302
	Transport: AAAAAAAAA-->
	
	
	Vulnerability Two: By supplying a very long URL in the  Describe  field,
	again over port 554, an attacker can overwrite the saved return  address
	allowing the execution of code
	
	DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0
	CSeq: 2
	Accept: application/sdp
	Session: 4668-1
	Bandwidth: 393216
	ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
	Cookie: cbid=www.ngsconsulting.com
	GUID: 00000000-0000-0000-0000-000000000000
	Language: en-us
	PlayerCookie: cbid
	RegionData: myregion
	Require: com.real.retain-entity-for-setup
	SupportsMaximumASMBandwidth: 1
	
	
	Vulnerability Three: By making two HTTP requests  (port  80)  containing
	long URI's simultaneously, (in making  the  first  connection,  it  will
	appear to  hang,  by  keeping  this  session  open  and  making  another
	connection and supplying the same request again ), will cause the  saved
	return address to also be  overwritten,  allowing  an  attacker  to  run
	arbitrary code of their choosing.
	
	GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
	User-Agent: RealPlayer G2
	Expires: Mon, 18 May 1974 00:00:00 GMT
	Pragma: no-cache
	Accept: application/x-rtsp-tunnelled, */*
	ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
	Cookie:
	cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihd
	i
	X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt
	

SOLUTION

	NGSSoftware  alerted  REALNetworks  to  theses  issues   on   8/11/2002,
	30/11/2002,  12/11/2002  respectively.  A  patch  has  now   been   made
	available from
	
	 http://www.service.real.com/help/faq/security/bufferoverrun12192002.html
	
	A check for these issues has been added to Typhon  III,  of  which  more
	information    is    available    from    the    NGSSoftware    website,
	http://www.ngssoftware.com.
	
	Further Information
	*******************
	For further information about the scope and effects of buffer overflows,
	please see
	
	http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
	http://www.ngssoftware.com/papers/ntbufferoverflow.html
	http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
	http://www.ngssoftware.com/papers/unicodebo.pdf
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH