NGSSoftware Insight Security Research Advisory

Name:    Muliple Buffer overruns RealNetworks Helix Universal Server 9.0
Systems Affected:  Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 &
2.8
Severity:  High Risk
Category: Buffer Overrun
Vendor URL:   http://www.real.com/
Author:   Mark Litchfield (mark@ngssoftware.com)
Date:   20th December 2002
Advisory number: #NISR20122002


Description
***********
According to REAL, the Helix Universal Server is the only universal platform
with support for live and on-demand delivery of all major media file
formats, including Real Media, Windows Media, QuickTime, MPEG 4, MP3, MPEG
2, and more. The Helix server is vulnerable to multiple buffer overrun
vulnerabilities. Previous versions were not tested but it is assumed that
they too may be vulnerable.

Details
*******
The Helix server uses the RTSP protocol, which is based upon HTTP.

Vulnerability One:  By supplying an overly long character string within the
Transport field of a SETUP RSTP request to a Helix server, which by default
listens on TCP port 554, an overflow will occur overwriting the saved return
address on the stack.  On a windows box, the Helix server is installed by
default as a system service and so exploitation of this vulnerability would
result in a complete server compromise, with supplied code executing in the
security context of SYSTEM. The impact of these vulnerabilities on UNIX
based platforms was not tested, though they are vulnerable.

SETUP rtsp://www.ngsconsulting.com:554/real9video.rm RTSP/1.0
CSeq: 302
Transport: AAAAAAAAA-->

Vulnerability Two:  By supplying a very long URL in the Describe field,
again over port 554, an attacker can overwrite the saved return address
allowing the execution of code

DESCRIBE rtsp://www.ngsconsulting.com:554/AAAAAAAA-->.smi RTSP/1.0
CSeq: 2
Accept: application/sdp
Session: 4668-1
Bandwidth: 393216
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie: cbid=www.ngsconsulting.com
GUID: 00000000-0000-0000-0000-000000000000
Language: en-us
PlayerCookie: cbid
RegionData: myregion
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1

Vulnerability Three:  By making two HTTP requests (port 80) containing long
URI's simultaneously, (in making the first connection, it will appear to
hang, by keeping this session open and making another connection and
supplying the same request again ), will cause the saved return address to
also be overwritten, allowing an attacker to run arbitrary code of their
choosing.

GET /SmpDsBhgRl3a685b91-442d-4a15-b4b7-566353f4178fAAAAAA--> HTTP/1.0
User-Agent: RealPlayer G2
Expires: Mon, 18 May 1974 00:00:00 GMT
Pragma: no-cache
Accept: application/x-rtsp-tunnelled, */*
ClientID: WinNT_5.2_6.0.11.818_RealPlayer_R1P04D_en-us_UNK
Cookie:
cbid=dfjgimiidjcfllgheokrqprqqojrptnpikcjkioigjdkfiplqniomprtkronoqmuekigihd
i
X-Actual-URL: rtsp://www.ngssoftware.com/nosuchfile.rt

Fix Information
***************
NGSSoftware alerted REALNetworks to theses issues on 8/11/2002, 30/11/2002,
12/11/2002 respectively.
A patch has now been made available from
http://www.service.real.com/help/faq/security/bufferoverrun12192002.html

A check for these issues has been added to Typhon III, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com