ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow

From: Pentest Security Alerts (alerts_at_pentest.co.uk)
Date: 03/18/04

  • Next message: Janek Vind: "[waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager v2.1 for PhpNuke]"
    Date: Thu, 18 Mar 2004 14:43:41 +0000
    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    
    
    

    Pentest Limited Security Advisory

    RealNetworks Helix Server 9 Administration Server Buffer Overflow

    Advisory Details
    ----------------
    Title: RealNetworks Helix Server 9 Administration Server Buffer Overflow
    Announcement date: 18 March 2004
    Advisory Reference: ptl-2004-02
    CVE Name: CAN-2004-0049
    Products: Various RealNetworks Server Products (See Below)
    Vulnerability Type : Buffer Overflow
    Vendor-URL: http://www.realnetworks.com
    Vendor-Status: Updated Version / Plugin Released
    Remotely Exploitable: Yes (Authenticated User)
    Locally Exploitable: Yes (Authenticated User)
    Advisory URL: http://www.pentest.co.uk/

    Vulnerability Description
    --------------------------
    Several of Real Networks Helix Server products utilise a common
    Administration Interface which is available over HTTP and protected
    by HTTP Basic Authentication.

    An authenticated attacker can submit malformed HTTP POST
    requests to the server's Administration interface, triggering a buffer
    overflow and executing arbitrary code on the server.

    On Windows platforms where the Helix Server is run as an NT Service,
    this allows arbitrary code execution under the context of the NT SYSTEM
    account.

    It should be noted that the Server does not have a default username
    and password - these are set during installation. In addition to this,
    the Server runs on a random TCP port, configured during installation.

    Vulnerable Versions
    --------------------
    Helix Universal Mobile Server & Gateway 10, version 10.1.1.120 and prior
    Helix Universal Server and Gateway 9, version 9.0.2.881 and prior

    RealSystem Server and Proxy version 8.x and earlier are not vulnerable

    Whilst Windows 2000 was the only platform tested and confirmed to be
    exploitable by Pentest Limited, the vendor advisory indicates that
    multiple platforms are affected by this vulnerability including
    Solaris, Linux, AIX, and FreeBSD.

    Vendor Status
    --------------
    Real Networks:
    05-01-2004 - Initial Pentest Limited Notification
    06-01-2004 - Notification acknowledged by Real Networks
    08-01-2004 - Draft Advisory sent to Pentest Limited By Real Networks
    12-01-2004 - Initial Advisory published by Real Networks stating the
    impact as 'Denial of Service'
    26-02-2004 - Real Advisory updated to describe impact as 'potential root
    exploit'
    18-03-2004 - Pentest Limited Advisory released.

    Fix

    ---
    Updated versions of Helix Universal Server and Gateway 9 are available
    from RealNetworks.
    Updated Administration System plug-ins are available.
    Further details are available in the RealNetworks advisory, available
    at:
    http://service.real.com/help/faq/security/security022604.html
    
    



  • Next message: Janek Vind: "[waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager v2.1 for PhpNuke]"

    Relevant Pages