87208 2002-12-21  02:54  /115 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2002-12-21  02:54  by Brevbäraren
External recipient: ntbugtraq@listserv.ntbugtraq.com
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <2844>
Subject: RealNetworks HELIX Server Buffer Overflow Vulnerabilities (#NISR20122002)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name:    Multiple Buffer overruns in RealNetworks Helix Universal Server 9.0
Systems Affected:  Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 & 2.8
Severity:  High Risk
Category: Buffer Overrun
Vendor URL:   http://www.real.com/
Author:   Mark Litchfield (mark@ngssoftware.com)
Date:   20th December 2002
Advisory number: #NISR20122002


Description
***********
According to REAL, the Helix Universal Server is the only universal
platform with support for live and on-demand delivery of all major
media file formats, including Real Media, Windows Media, QuickTime,
MPEG 4, MP3, MPEG 2, and more. The Helix server is vulnerable to
multiple buffer overrun vulnerabilities. Previous versions were not
tested but it is assumed that they too may be vulnerable.

Details
*******
The Helix server uses the RTSP protocol, which is based upon HTTP.

Vulnerability One:  By supplying an overly long character string
within the Transport field of a SETUP RTSP request to a Helix server,
which by default listens on TCP port 554, an overflow will occur
overwriting the saved return address on the stack.  On a Windows box,
the Helix server is installed by default as a system service and so
exploitation of this vulnerability would result in a complete server
compromise, with supplied code executing in the security context of
SYSTEM. The impact of these vulnerabilities on UNIX based platforms
was not tested, though they are vulnerable.

SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0
CSeq: 302
Transport: AAAAAAAAA-->

Vulnerability Two:  By supplying a very long URL in the DESCRIBE
request, again over port 554, an attacker can overwrite the saved
return address allowing the execution of code.

DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0
CSeq: 2
Accept: application/sdp
Session: 4668-1
Bandwidth: 393216
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=www.ngsconsulting.com
GUID: 00000000-0000-0000-0000-000000000000
Language: en-us
PlayerCookie: cbid
RegionData: myregion
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1

Vulnerability Three:  By making two HTTP requests (port 80)
containing long URIs simultaneously (the first connection will appear
to hang; keeping that session open, making another connection and
supplying the same request again), the saved return address is also
overwritten, allowing an attacker to run arbitrary code of their
choosing.

GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
User-Agent: RealPlayer G2
Expires: Mon, 18 May 1974 00:00:00 GMT
Pragma: no-cache
Accept: application/x-rtsp-tunnelled, */*
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihdi
X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt
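All three issues share one shape: a single request field (the SETUP Transport header, the DESCRIBE URI, the HTTP GET URI) far longer than any legitimate client would send. The following is an added example, not code from the advisory or from RealNetworks, showing how a defender can parse an RTSP or HTTP request head and flag oversize fields; it generalises to every header, not only Transport. The length thresholds and the sample requests are constructed assumptions.

```python
import re

# Assumed thresholds for illustration: real Transport values and media
# URIs are at most a few hundred bytes, far below what an overrun needs.
MAX_URI_LEN = 512
MAX_HEADER_LEN = 512

REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) (RTSP|HTTP)/(\d\.\d)$")


def parse_request(raw):
    """Split an RTSP/HTTP request head into (method, uri, proto, headers).

    One header per line; folded continuation lines are not handled.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0][:64])
    method, uri, proto, _version = m.groups()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, proto, headers


def audit_request(raw):
    """Return (field, length) findings for every oversize field in the request."""
    method, uri, proto, headers = parse_request(raw)
    findings = []
    if len(uri) > MAX_URI_LEN:          # covers DESCRIBE URI and HTTP GET URI
        findings.append(("request-uri", len(uri)))
    for name, value in headers.items():  # covers the SETUP Transport header
        if len(value) > MAX_HEADER_LEN:
            findings.append(("header:" + name, len(value)))
    return findings


# Constructed samples: a normal SETUP and one with an oversize Transport.
SAMPLE_SETUP = ("SETUP rtsp://media.example/real9video.rm RTSP/1.0\r\n"
                "CSeq: 302\r\nTransport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n")
SAMPLE_OVERSIZE = ("SETUP rtsp://media.example/real9video.rm RTSP/1.0\r\n"
                   "CSeq: 302\r\nTransport: " + "A" * 4000 + "\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_SETUP, SAMPLE_OVERSIZE):
        print(audit_request(sample) or "ok")
```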

Fix Information
***************
NGSSoftware alerted RealNetworks to these issues on 8/11/2002,
30/11/2002, 12/11/2002 respectively.  A patch has now been made
available from
http://www.service.real.com/help/faq/security/bufferoverrun12192002.html

A check for these issues has been added to Typhon III, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************
For further information about the scope and effects of buffer
overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com