Vulnerabilities > CVE-2008-5911 - Buffer Errors vulnerability in Realnetworks Helix Server and Helix Server Mobile

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

realnetworks

CWE-119

critical

nessus

NVD

Published: 2009-01-20

Updated: 2011-03-08

Summary

Multiple buffer overflows in RealNetworks Helix Server and Helix Mobile Server 11.x before 11.1.8 and 12.x before 12.0.1 allow remote attackers to (1) cause a denial of service via three crafted RTSP SETUP commands, or execute arbitrary code via (2) an NTLM authentication request with malformed base64-encoded data, (3) an RTSP DESCRIBE command, or (4) a DataConvertBuffer request. Per: http://docs.real.com/docs/security/SecurityUpdate121508HS.pdf Impacted Products and Versions: Helix Server Version 11.x Helix Server Version 12.x Helix Mobile Server Version 11.x Helix Mobile Server Version 12.x Per: http://docs.real.com/docs/security/SecurityUpdate121508HS.pdf The Fix: Version 11.1.8 and Version 12.0.1 of the Helix Server and the Helix Mobile Server have been updated to ensure that the above vulnerabilities have been resolved. SOLUTION: The vulnerability is resolved on the following platforms by installing Version 11.1.8 or Version 12.0.1 of the Helix Server and the Helix Mobile Server. This only pertains to supported versions of the platforms listed below. The updated version will be available on your RealNetworks PAM site after 11:59 p.m. PST, on December 15, 2008.

Vulnerable Configurations

Part	Description	Count
Application	Realnetworks Realnetworks Helix Server 11.0 Realnetworks Helix Server 12.0.0 Realnetworks Helix Server Mobile 11.0 Realnetworks Helix Server Mobile 12.0.0	4

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Gain a shell remotely
NASL id	HELIX_SVR_REMOTE_CODE_EXEC.NASL
description	The remote host is running a version of RealNetworks Helix Server older than 11.1.8 / 12.0.1. Such versions are reportedly affected by multiple issues : - A vulnerability involving an RTSP
last seen	2020-06-01
modified	2020-06-02
plugin id	35555
published	2009-01-30
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/35555
title	RealNetworks Helix Server < 11.1.8/12.0.1 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(35555); script_version ("1.9"); script_cve_id("CVE-2008-5911"); script_bugtraq_id(33059); script_xref(name:"Secunia", value:"33360"); script_name(english:"RealNetworks Helix Server < 11.1.8/12.0.1 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "The remote media streaming server is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host is running a version of RealNetworks Helix Server older than 11.1.8 / 12.0.1. Such versions are reportedly affected by multiple issues : - A vulnerability involving an RTSP 'DESCRIBE' request could allow an unauthenticated attacker to execute arbitrary code on the remote system. (ZDI-CAN-293) - By sending three specially crafted RTSP 'SETUP' requests it may be possible to crash the remote RTSP server. (ZDI-CAN-323) - A heap overflow vulnerability in 'DataConvertBuffer', could allow an unauthenticated attacker to execute arbitrary code on the remote system. (ZDI-CAN-333) - A heap overflow vulnerability in NTLM Authentication could allow an unauthenticated attacker to execute arbitrary code on the remote system. (ZDI-CAN-380)" ); script_set_attribute(attribute:"see_also", value:"http://docs.real.com/docs/security/SecurityUpdate121508HS.pdf" ); script_set_attribute(attribute:"solution", value: "Update to RealNetworks Helix Server 11.1.8 / 12.0.1 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value: "2009/01/30"); script_cvs_date("Date: 2018/07/12 19:01:15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Checks version of RealNetworks Helix Server"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_family(english:"Gain a shell remotely"); script_dependencies("rtsp_detect.nasl"); script_require_ports("Services/rtsp", 554); exit(0); } include("global_settings.inc"); port = get_kb_item("Services/rtsp"); if ( ! port ) port = 554; if (!get_port_state(port)) exit(0); serv = get_kb_item(string("rtsp/server/",port)); if (!serv \|\| !ereg(pattern:"Helix (Mobile\|) *Server Version",string:serv)) exit(0); # Currently, versions 11.x ( < 11.1.8) and 12.x (< 12.0.1) are affected if ( ereg(pattern:"Version 11\.(0\.[0-9]\|1\.[0-7]($\|[^0-9]))", string:serv) \|\| ereg(pattern:"Version 12.0.0[^0-9]", string:serv) ) { if (report_verbosity) { report = string( '\n', 'The remote Helix server responded with the following banner :\n', '\n', ' ', serv,'\n' ); security_hole(port:port,extra:report); } else security_hole(port); }

Saint

bid	33059
description	RealNetworks Helix Server RTSP Proxy-Require heap overflow
id	misc_helixserver,misc_helixserverbo
title	helix_proxy_require
type	remote

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Saint

References