[34168] in bugtraq
ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer
daemon@ATHENA.MIT.EDU (Pentest Security Alerts)
Thu Mar 18 11:59:36 2004
Message-ID: <4059B59D.60806@pentest.co.uk>
Date: Thu, 18 Mar 2004 14:43:41 +0000
From: Pentest Security Alerts <alerts@pentest.co.uk>
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="------------enig59E137D546DE9D9F8BFA9915"
--------------enig59E137D546DE9D9F8BFA9915
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Pentest Limited Security Advisory
RealNetworks Helix Server 9 Administration Server Buffer Overflow
Advisory Details
----------------
Title: RealNetworks Helix Server 9 Administration Server Buffer Overflow
Announcement date: 18 March 2004
Advisory Reference: ptl-2004-02
CVE Name: CAN-2004-0049
Products: Various RealNetworks Server Products (See Below)
Vulnerability Type : Buffer Overflow
Vendor-URL: http://www.realnetworks.com
Vendor-Status: Updated Version / Plugin Released
Remotely Exploitable: Yes (Authenticated User)
Locally Exploitable: Yes (Authenticated User)
Advisory URL: http://www.pentest.co.uk/
Vulnerability Description
--------------------------
Several of Real Networks Helix Server products utilise a common
Administration Interface which is available over HTTP and protected
by HTTP Basic Authentication.
An authenticated attacker can submit malformed HTTP POST
requests to the server's Administration interface, triggering a buffer
overflow and executing arbitrary code on the server.
On Windows platforms where the Helix Server is run as an NT Service,
this allows arbitrary code execution under the context of the NT SYSTEM
account.
It should be noted that the Server does not have a default username
and password - these are set during installation. In addition to this,
the Server runs on a random TCP port, configured during installation.
Vulnerable Versions
--------------------
Helix Universal Mobile Server & Gateway 10, version 10.1.1.120 and prior
Helix Universal Server and Gateway 9, version 9.0.2.881 and prior
RealSystem Server and Proxy version 8.x and earlier are not vulnerable
Whilst Windows 2000 was the only platform tested and confirmed to be
exploitable by Pentest Limited, the vendor advisory indicates that
multiple platforms are affected by this vulnerability including
Solaris, Linux, AIX, and FreeBSD.
Vendor Status
--------------
Real Networks:
05-01-2004 - Initial Pentest Limited Notification
06-01-2004 - Notification acknowledged by Real Networks
08-01-2004 - Draft Advisory sent to Pentest Limited By Real Networks
12-01-2004 - Initial Advisory published by Real Networks stating the
impact as 'Denial of Service'
26-02-2004 - Real Advisory updated to describe impact as 'potential root
exploit'
18-03-2004 - Pentest Limited Advisory released.
Fix
---
Updated versions of Helix Universal Server and Gateway 9 are available
from RealNetworks.
Updated Administration System plug-ins are available.
Further details are available in the RealNetworks advisory, available
at:
http://service.real.com/help/faq/security/security022604.html
--------------enig59E137D546DE9D9F8BFA9915
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFAWbWz4bMUolR4sycRAlp8AJ9ieNztwAQ1OvChpujSRSTSCOf+QACfUtUj
slAso3b3lxp8up92NdWSVQ8=
=i1kL
-----END PGP SIGNATURE-----
--------------enig59E137D546DE9D9F8BFA9915--
