Mark Litchfield, of U.K.-based NGSSoftware, published his report
Friday — one day after RealNetworks confirmed the vulnerabilities and
issued new server installation binaries that contain remedies to the
potential buffer overrun vulnerabilities. Vulnerable systems include
Windows, FreeBSD, HP-UX, AIX, Linux, Sun Solaris 2.7 & 2.8.
“As far as any users of Helix go, I personally would regard this as
critical, as anyone exploiting these vulnerabilities can completely
compromise the server and do exactly as they choose,” Litchfield told internetnews.com.
Common in applications written in C and C++, buffer overruns occur when a
program copies attacker-supplied data into a fixed-size buffer without
checking its length. The excess bytes spill into adjacent memory; on the
stack that means the saved return address and other control data, so an
attacker who overwrites them with a chosen address can redirect execution
into code supplied in the same request. If the overwritten memory is filled
with data that does not form a usable address, the likely effect is simply
to crash the program.
In the most serious Helix Universal Server 9.0 flaw, an overly long string
in the Transport field of an RTSP SETUP request overflows a stack buffer and
overwrites the saved return address. On a Windows box, the Helix server is
installed by default as a system service, so exploiting this vulnerability
results in a complete server compromise, with the supplied code executing in
the security context of SYSTEM. The impact of these vulnerabilities on
UNIX-based platforms was not tested, Litchfield said, though they are vulnerable.
In another flaw, an attacker can run code of their choosing by making two
simultaneous HTTP requests (port 80) containing long URIs: the first
connection appears to hang, and keeping that session open while making a
second connection that supplies the same request again causes the saved
return address to be overwritten. In yet another flaw, a very long URL in the
DESCRIBE field overwrites the saved return address, again allowing execution
of attacker-supplied code.
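The bug class behind all three flaws is the same: a request field of attacker-controlled length copied into a fixed-size stack buffer. The C example below is added here to illustrate it; it is not Helix code and is not taken from Litchfield's report. The first function models the vulnerable pattern with a struct standing in for the stack frame, so the overwrite of the saved return address can be observed rather than crashing the process. The rest is a bounded parser for the RTSP SETUP request and request-line URI that refuses over-long values with an error status. The buffer sizes, the status codes chosen, the header handling and the sample requests are all assumptions for illustration, not the real server's behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRANSPORT_MAX 64   /* assumed size of the fixed stack buffer */
#define URI_MAX       256  /* assumed request-URI limit */
#define RET_MARKER    ((uintptr_t)0xDEADBEEF)   /* constructed marker, not a real address */
/* 80-byte constructed value, longer than the whole fake frame below */
#define LONG_VALUE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Stand-in for a stack frame: the fixed buffer with the saved return address
 * right after it, so the overwrite is a well-defined memcpy, not a crash. */
struct fake_frame {
    char transport[TRANSPORT_MAX];
    uintptr_t saved_ret;
};

/* Vulnerable pattern: copy with no length check, as strcpy()/sscanf("%s") would.
 * Returns saved_ret afterwards; the cap at sizeof f only keeps the demo defined. */
uintptr_t copy_transport_unchecked(const char *value)
{
    struct fake_frame f;
    size_t len = strlen(value) + 1;            /* strcpy copies the NUL too */
    f.saved_ret = RET_MARKER;
    memcpy(&f, value, len < sizeof f ? len : sizeof f);
    return f.saved_ret;
}

/* Bounded header extraction for "Name: value" at the start of a line.
 * Returns 0 on success, -1 if absent, -2 if the value would not fit. */
int get_header(const char *req, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == req || p[-1] == '\n') && p[nlen] == ':') {
            const char *v = p + nlen + 1, *e;
            size_t vlen;
            while (*v == ' ' || *v == '\t') v++;
            e = strpbrk(v, "\r\n");
            vlen = e ? (size_t)(e - v) : strlen(v);
            if (vlen >= outsz) return -2;       /* refuse instead of overflowing */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += nlen;
    }
    return -1;
}

/* Request-line check (RTSP or HTTP): URI length, -1 if malformed, -2 if too long. */
long request_uri_len(const char *req)
{
    const char *sp = strchr(req, ' '), *uri, *end;
    if (!sp) return -1;
    uri = sp + 1;
    end = strpbrk(uri, " \r\n");
    if (!end || *end != ' ') return -1;
    return (end - uri) > URI_MAX ? -2 : (long)(end - uri);
}

/* Hardened SETUP handler: returns the RTSP status to answer with; over-long
 * input is rejected with an error status rather than copied onto the stack. */
int handle_setup(const char *req)
{
    char transport[TRANSPORT_MAX];
    long ulen = request_uri_len(req); int rc;
    if (strncmp(req, "SETUP ", 6) != 0) return 405;   /* Method Not Allowed */
    if (ulen == -1) return 400;                       /* Bad Request */
    if (ulen == -2) return 414;                       /* Request-URI Too Long */
    rc = get_header(req, "Transport", transport, sizeof transport);
    if (rc == -1) return 400;                         /* SETUP without Transport */
    if (rc == -2) return 413;                         /* Request Entity Too Large */
    return 200;   /* a real server would now parse transport[] and set up the session */
}

/* Constructed sample requests, not captured traffic. */
const char *sample_setup_ok(void)
{
    return "SETUP rtsp://example.invalid/stream/track1 RTSP/1.0\r\n"
           "CSeq: 2\r\nTransport: RTP/AVP;unicast;client_port=8000-8001\r\n\r\n";
}

const char *sample_setup_long(void)        /* same request, 900-byte Transport value */
{
    static char buf[1024];
    size_t n = strlen(strcpy(buf, "SETUP rtsp://example.invalid/stream/track1 RTSP/1.0\r\nCSeq: 2\r\nTransport: "));
    memset(buf + n, 'A', 900);
    memcpy(buf + n + 900, "\r\n\r\n", 5);
    return buf;
}

int main(void)
{
    printf("benign saved_ret=%#lx, long saved_ret=%#lx, ok=%d, long Transport=%d\n",
           (unsigned long)copy_transport_unchecked("RTP/AVP;unicast"),
           (unsigned long)copy_transport_unchecked(LONG_VALUE),
           handle_setup(sample_setup_ok()), handle_setup(sample_setup_long()));
    return 0;
}
```

With the benign value the marker in `saved_ret` survives; with the long value it is replaced by the attacker's bytes (0x41 repeated), which is exactly the overwrite the advisory describes. The bounded `get_header` and `request_uri_len` reject the same input with a status code before any copy happens, which is the fix pattern regardless of whether the long string arrives in a Transport header, a DESCRIBE URL or an HTTP request line.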
According to RealNetworks, the only RealNetworks Server product impacted by
these security vulnerabilities is the Helix Universal Server version 9.0:
the Helix Universal Proxy and prior RealSystem Server and Proxy software are
RealNetworks said on its Web site that it has received no reports of these
vulnerabilities being exploited in the field, and that it has made a security update, version 9.01 (18.104.22.1684), available to customers.
With Helix, the normally proprietary-minded RealNetworks unleashed a bit of
a frenzy in the open-source world months ago by pledging to make certain
aspects of its code available to developers to test and tweak. The
Seattle-based firm most recently released code for its Helix DNA Producer.