[NEWS] RealNetworks Helix Universal Server DoS (GET_PARAMETER, DESCRIBE)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04
To: list@securiteam.com Date: 18 Apr 2004 14:20:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RealNetworks Helix Universal Server DoS (GET_PARAMETER, DESCRIBE)
------------------------------------------------------------------------
SUMMARY
RealNetworks Helix Universal Server (http://www.realnetworks.com) is a
universal digital media delivery platform with industry leading
performance, integrated content distribution and Web services support.
Remote exploitation of a denial of service (DoS) vulnerability in
RealNetworks, Inc.'s Helix Universal Server could allow an attacker to
restart and potentially disable the server.
DETAILS
Vulnerable Systems:
* RealNetworks Helix Universal Server version 9.0.2 for Linux and
version 9.0.1 for Windows
Immune Systems:
* RealNetworks Helix Universal Server version 9.0.3
The problem specifically exists in the handling of specially crafted RTSP
GET_PARAMETER and DESCRIBE requests. The following sample requests cause a
null pointer dereference, thereby causing the application to crash.
$ echo -e "GET_PARAMETER / RTSP/1.0\n\n" | nc -v localhost 554
$ echo -e "DESCRIBE / RTSP/1.0\nSession:\n\n" | nc -v localhost 554
If the server was started with specific options such as
'--no-crash-avoidance' or '--no-auto-restart', which is not the case in
the default installation, then the server will become inaccessible upon
receipt of the malicious requests.
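An added detection example, not part of the iDEFENSE advisory: it parses RTSP requests and flags the protocol anomalies visible in the two sample requests above, for use in a proxy filter or log review. The advisory does not say which anomaly triggers the crash, so the three rules are assumptions drawn from the samples, and the traffic in SAMPLES is constructed.

```python
import re

# Constructed sample traffic (not captured from a real server): one well-formed
# request plus the two request shapes shown in the advisory.
SAMPLES = {
    "normal_describe": "DESCRIBE rtsp://media.example/clip.rm RTSP/1.0\r\n"
                       "CSeq: 2\r\nSession: 12345678\r\n\r\n",
    "bare_get_parameter": "GET_PARAMETER / RTSP/1.0\n\n",
    "empty_session_describe": "DESCRIBE / RTSP/1.0\nSession:\n\n",
}

REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) RTSP/(\d\.\d)$")


def parse_request(raw):
    """Split a raw RTSP request into (method, uri, headers); None if malformed."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return match.group(1), match.group(2), headers


def findings(raw):
    """Reasons to log or drop a request (rules are assumptions from the samples)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["unparseable request line"]
    method, _uri, headers = parsed
    reasons = []
    if "cseq" not in headers:
        reasons.append("missing CSeq header (required by RFC 2326)")
    if headers.get("session") == "":
        reasons.append("Session header present but empty")
    if method == "GET_PARAMETER" and not headers:
        reasons.append("GET_PARAMETER with no headers")
    return reasons


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, findings(raw) or "ok")
```
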
Analysis:
Any unauthenticated remote attacker can exploit this vulnerability to
crash an affected server, thereby preventing legitimate usage.
Exploit code for this issue does not exist but is not necessary as the
issue is trivially exploited.
Workaround:
Ensure that the server options '--no-crash-avoidance' and
'--no-auto-restart' are not enabled.
Vendor response:
"Both issues have been secured in the 9.03 release of the server."
CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0389 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.
Disclosure timeline:
December 8, 2003   Exploit acquired by iDEFENSE
January 24, 2004   iDEFENSE clients notified
January 26, 2004   Initial vendor notification
April 15, 2004     Public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=102&type=vulnerabilities