Buffer Overruns Found in RealNetwork's Helix Server
A security consultant last week found a few high-risk buffer overruns in RealNetworks' Helix Universal Server 9.0 that could allow attackers to run code of their own choosing on a user's machine. High-risk buffer overruns were found in RealNetworks' Helix Universal Server 9.0 that could allow attackers to run code of their own choosing on a user's machine. Vulnerable systems include those running Sun Solaris 2.7 and 2.8.
Mark Litchfield, of U.K.-based NGSSoftware, published his report Friday -- one day after RealNetworks confirmed the vulnerabilities and issued new server installation binaries that contain remedies to the potential buffer overrun vulnerabilities.
Vulnerable systems include Windows, FreeBSD, HP-UX, AIX, Linux, and Sun Solaris 2.7 and 2.8.
"As far as any users of Helix goes, I personally would regard this as critical, as anyone exploiting these vulnerabilities can completely compromise the server and do exactly as they choose," Litchfield told internetnews.com.
Common in applications written in C/C++, buffer overruns are attacks in which a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to crash.
In the most serious Helix Universal Server 9.0 flaw, an overflow will occur overwriting the saved return address on the stack if an overly long character string within the Transport field of a SETUP RSTP request to a Helix server is supplied. On a Windows box, the Helix server is installed by default as a system service. Therefore, exploitation of this vulnerability would result in a complete server compromise, with supplied code executing in the security context of SYSTEM. The impact of these vulnerabilities on Unix-based platforms was not tested, Litchfield said, although they too are vulnerable.
In another flaw, an attacker can run code of his or her choosing by making two HTTP requests (port 80) containing long URI's simultaneously, (in making the first connection, it will appear to hang, by keeping this session open and making another connection and supplying the same request again ), will cause the saved return address to also be overwritten. In yet another flaw, a perpetrator can overwrite the saved return address allowing the execution of code by supplying a very long URL in the Describe field.
According to RealNetworks, the only RealNetworks Server product impacted by these security vulnerabilities is the Helix Universal Server version 9.0: the Helix Universal Proxy and prior RealSystem Server and Proxy software are not affected.
RealNetworks notes on its Web site it has received no reports that this vulnerability has been exploited in the field. It has made a security update available to customers -- 9.01 (18.104.22.1684).
With Helix, the normally proprietary-minded RealNetworks unleashed a bit of a frenzy in the open-source world months ago by pledging to make certain aspects of its code available to developers to test and tweak. The Seattle-based firm most recently released code for its Helix DNA Producer.