Pentest Security Advisory : PTL-2004-02
RealNetworks Helix Server 9 Administration Server Buffer Overflow
Advisory Details
| Title: | RealNetworks Helix Server 9 Administration Server Buffer Overflow |
| Announcement date: | 18 March 2004 |
| Advisory Reference: | ptl-2004-02 |
| CVE Name: | CAN-2004-0049 |
| Products: | Various RealNetworks Server Products (See Below) |
| Vulnerability Type: | Buffer Overflow |
| Vendor-URL: | http://www.realnetworks.com |
| Vendor-Status: | Updated Version / Plugin Released |
| Remotely Exploitable: | Yes (Authenticated User) |
| Locally Exploitable: | Yes (Authenticated User) |
| Advisory URL: | http://www.pentest.co.uk/ |
Vulnerability Description
Several RealNetworks Helix Server products share a common Administration Interface, which is served over HTTP and protected by HTTP Basic Authentication.
An authenticated attacker can submit malformed HTTP POST requests to the server's Administration interface, triggering a buffer overflow and executing arbitrary code on the server.
On Windows platforms where the Helix Server runs as an NT Service, this gives arbitrary code execution in the context of the SYSTEM account.
It should be noted that the Administration Server has no default username and password; both are set during installation. In addition, the Administration Server listens on a TCP port chosen at random during installation, so an attacker needs both valid administrator credentials and knowledge of that port before the overflow can be reached.
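The pattern behind this class of bug, shown as an added example for this advisory and not as RealNetworks' code (the Helix defect was not analysed at source level; the request path, the Basic credential "admin:secret" and the form field below are constructed): a POST handler that trusts the client-supplied Content-Length and copies the body into a fixed stack buffer, beside a hardened version that bounds the copy against the destination buffer and against the bytes actually received.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 256   /* fixed buffer the handler copies the POST body into */

/* Constructed sample request (not captured from a Helix server); the path and
 * the Basic credential "admin:secret" are invented for illustration. */
static const char GOOD_REQ[] =
    "POST /admin/index.html HTTP/1.0\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "name=value1";

/* Locate the body (after the blank line) and the declared Content-Length.
 * Returns a pointer to the body, or NULL if headers are missing or malformed. */
static const char *find_body(const char *req, long *content_length)
{
    const char *hdr_end = strstr(req, "\r\n\r\n");
    if (!hdr_end) return NULL;
    const char *cl = strstr(req, "Content-Length:");
    if (!cl || cl > hdr_end) return NULL;      /* header absent, or only inside the body */
    const char *digits = cl + strlen("Content-Length:");
    char *end;
    errno = 0;
    long n = strtol(digits, &end, 10);
    if (errno || end == digits || n < 0) return NULL;
    *content_length = n;
    return hdr_end + 4;
}

/* VULNERABLE: copies Content-Length bytes into a 256-byte stack buffer without
 * checking that they fit. A body longer than BODY_MAX overwrites the saved frame
 * pointer and return address, which is how a malformed POST turns into arbitrary
 * code execution; a Content-Length larger than the bytes received also reads past
 * the request. Shown for contrast only and deliberately never called. */
int handle_post_unsafe(const char *req)
{
    char body[BODY_MAX];
    long len;
    const char *src = find_body(req, &len);
    if (!src) return -1;
    memcpy(body, src, (size_t)len);   /* len is attacker-controlled, sizeof body is not */
    body[len] = '\0';                 /* one past the end when len == BODY_MAX */
    return (int)len;
}

/* HARDENED: the caller supplies the destination and its size; the declared length
 * is checked against the bytes actually present and against the buffer, so the
 * copy can never exceed out_sz - 1. Returns the body length or a negative code. */
int handle_post_safe(const char *req, char *out, size_t out_sz)
{
    long len;
    const char *src = find_body(req, &len);
    if (!src) return -1;
    size_t avail = strlen(src);             /* bytes really received after the headers */
    if ((size_t)len > avail) return -2;     /* Content-Length claims more than was sent */
    if ((size_t)len >= out_sz) return -3;   /* would not fit with the terminating NUL */
    memcpy(out, src, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed POST whose body is n bytes of 'A' with a matching
 * Content-Length. Returns the request length, or 0 if dst is too small. */
size_t make_post(char *dst, size_t dst_sz, size_t n)
{
    int hdr = snprintf(dst, dst_sz,
        "POST /admin/index.html HTTP/1.0\r\n"
        "Authorization: Basic YWRtaW46c2VjcmV0\r\n"
        "Content-Length: %zu\r\n\r\n", n);
    if (hdr < 0 || (size_t)hdr + n + 1 > dst_sz) return 0;
    memset(dst + hdr, 'A', n);
    dst[hdr + n] = '\0';
    return (size_t)hdr + n;
}

/* Result of the hardened handler for an n-byte body. */
int demo_result(size_t n)
{
    static char req[4096];
    char out[BODY_MAX];
    if (make_post(req, sizeof req, n) == 0) return -4;
    return handle_post_safe(req, out, sizeof out);
}

int main(void)
{
    char out[BODY_MAX];
    printf("11-byte body:  %d\n", handle_post_safe(GOOD_REQ, out, sizeof out));
    printf("255-byte body: %d (largest that fits)\n", demo_result(255));
    printf("600-byte body: %d (rejected; handle_post_unsafe would smash the stack)\n",
           demo_result(600));
    return 0;
}
```

The hardened handler rejects the 600-byte body that the unsafe one would copy over its own return address; it also rejects a Content-Length that exceeds what was received, the case that turns a simple overflow into an over-read of whatever follows the request in memory.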
Vulnerable Versions
Helix Universal Mobile Server & Gateway 10, version 10.1.1.120 and prior
Helix Universal Server and Gateway 9, version 9.0.2.881 and prior
RealSystem Server and Proxy version 8.x and earlier are not vulnerable
Whilst Windows 2000 was the only platform tested and confirmed to be exploitable by Pentest Limited, the vendor advisory indicates that multiple platforms are affected by this vulnerability including Solaris, Linux, AIX, and FreeBSD.
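A triage helper for the version list above, added here as an example and not a RealNetworks tool: it parses a dotted version numerically and reports whether it falls inside one of the ranges stated in this advisory. The point it makes is that a plain string comparison ranks "10.1.1.120" below "9.0.2.881", so version checks in scripts and scanners must compare component by component. Where the version string comes from (a banner, the administration pages, the installed binary) is assumed and outside the snippet, and the sample versions are constructed.

```c
#include <stdio.h>
#include <string.h>

#define VER_PARTS 4

/* Parse "a.b.c.d" into VER_PARTS integers (missing trailing parts read as 0).
 * Returns 1 on success, 0 if s is not a dotted numeric version. */
int parse_version(const char *s, int out[VER_PARTS])
{
    int i;
    for (i = 0; i < VER_PARTS; i++) out[i] = 0;
    i = 0;
    while (*s) {
        if (*s < '0' || *s > '9' || i >= VER_PARTS) return 0;
        int v = 0;
        while (*s >= '0' && *s <= '9') v = v * 10 + (*s++ - '0');
        out[i++] = v;
        if (*s == '.') { s++; if (!*s) return 0; }   /* trailing dot is malformed */
        else if (*s) return 0;                        /* any other character is malformed */
    }
    return i > 0;
}

/* Numeric component-by-component comparison with a strcmp-style result. */
int compare_version(const int a[VER_PARTS], const int b[VER_PARTS])
{
    for (int i = 0; i < VER_PARTS; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 if version is within a range listed in this advisory, 0 if not, -1 if it
 * cannot be parsed. Thresholds are the "and prior" versions stated above; 8.x and
 * earlier are stated not vulnerable, and majors not listed are reported as 0. */
int helix_is_affected(const char *version)
{
    static const struct { int major; const char *last_affected; } ranges[] = {
        { 10, "10.1.1.120" },   /* Helix Universal Mobile Server & Gateway 10 */
        {  9, "9.0.2.881"  },   /* Helix Universal Server and Gateway 9 */
    };
    int v[VER_PARTS], limit[VER_PARTS];
    if (!parse_version(version, v)) return -1;
    for (size_t i = 0; i < sizeof ranges / sizeof ranges[0]; i++) {
        if (v[0] != ranges[i].major) continue;
        parse_version(ranges[i].last_affected, limit);
        return compare_version(v, limit) <= 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample versions, not banners captured from real servers. */
    const char *samples[] = { "9.0.2.881", "9.0.2.882", "10.1.1.120", "10.1.1.121", "8.0.1.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s affected=%d  (naive strcmp says older than 9.0.2.881: %d)\n",
               samples[i], helix_is_affected(samples[i]),
               strcmp(samples[i], "9.0.2.881") < 0);
    return 0;
}
```

Note that the function only encodes what this advisory lists; a version above a threshold is reported as not affected because it is not in the stated range, not because the snippet knows which build the vendor fixed it in, so confirm the installed build against the RealNetworks advisory referenced under Fix.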
Vendor Status
Real Networks:
| 05-01-2004 - | Initial Pentest Limited Notification |
| 06-01-2004 - | Notification acknowledged by Real Networks |
| 08-01-2004 - | Draft Advisory sent to Pentest Limited By Real Networks |
| 12-01-2004 - | Initial Advisory published by Real Networks stating the impact as 'Denial of Service' |
| 26-02-2004 - | Real Advisory updated to describe impact as 'potential root exploit' |
| 18-03-2004 - | Pentest Limited Advisory released |
Fix
Updated versions of Helix Universal Server and Gateway 9 are available from RealNetworks.
Updated Administration System plug-ins are available.
Further details are available in the RealNetworks advisory, available at:
http://service.real.com/help/faq/security/security022604.html
Credit
This vulnerability was discovered by Matt Moore from Pentest Limited.
Penetration Testing as a service has grown into a business in its own right, providing numerous corporations with a valuable weapon in their growing arsenal of security countermeasures. Pentest Limited was set up in June 2001 to provide specialist security services to businesses across the UK, North America and Europe.
Pentest Limited offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these databases.