__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Real Networks Streaming Server Vulnerability
September 18, 2003 17:00 GMT Number N-152
______________________________________________________________________________
PROBLEM: CIAC has information that the Real Networks Helix Universal
Server and RealSystems Servers are vulnerable to a root
compromise.
SYSTEMS: Helix Universal Server 9.01, 9.0.2.794 RealSystem Server 8.0
and 7.0
DAMAGE: A carefully crafted request to the server could give an
intruder root access.
SOLUTION: Upgrade to Helix Universal Server 9.0.2.802 or remove the View
Source plugin from the plugins directory and restart the
server.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. A remote intruder can get root access.
ASSESSMENT:
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-152.shtml
ORIGINAL BULLETIN: NOTE: Original and an updated bulletin both included below
http://www.service.real.com/help/faq/security/rootexploit
082203.html
______________________________________________________________________________
[****** Start RealNetworks Bulletin 8/22/03 ******]
Server Exploit Vulnerability
Updated August 22, 2003
Helix Universal Server 9 and earlier versions (RealSystem Server 8, 7 and
RealServer G2) are vulnerable to a root exploit when certain types of character
strings appear in large numbers within URLs destined for the Server's protocol
parsers. RealNetworks Proxy products are not vulnerable to this exploit.
Solution:
This exploit solution updated September 11, 2003.
RealNetworks has verified that vulnerability to this exploit can be effectively
closed by removing the RealNetworks View Source plug-in from the /Plugins
directory and restarting the Server process.
* UNIX/Linux: vsrcplin.so.9.0 (Helix Universal Server), vsrcplin.so.6.0
(RealSystem Server 8 & 7, and RealServer G2).
* Windows: vsrc3260.dll
The View Source Plug-in is responsible for reading and displaying file format
headers of media files accessible to the file systems loaded by the Server.
Removal of this plug-in will not hinder on-demand or live streaming delivery
or logging and authentication services of the product. With the plug-in
removed however, the Content Browsing feature will be disabled.
RealNetworks considers the removal of the View Source Plug-in a work-around
for this issue, we will be making a new version of the Helix Universal Server
available to all current customers that resolves this problem and does not
require system administrators to remove any shipping components post
installation. Once the new version is available, RealNetworks will urge
customer to upgrade.
We want to thank those who posted information about this problem on
http://www.securityfocus.org/.
Warranty:
While RealNetworks endeavors to provide you with the highest quality products
and services, we cannot guarantee and do not warrant that the operation of any
RealNetworks product will be error-free, uninterrupted or secure. See your
original license agreement for details of our limited warranty or warranty
disclaimer.
[****** End RealNetworks Bulletin ******]
[****** Start RealNetworks Bulletin Updated 9/11/03 ******]
Server Exploit Fix
Updated September 11, 2003
On August 22, 2003 RealNetworks reported that Helix Universal Server 9 and
earlier versions (RealSystem Server 8, 7 and RealServer G2) were vulnerable to
a root exploit when certain types of character strings appeared in large numbers
within URLs destined for the Server's protocol parsers. RealNetworks Proxy products
were not vulnerable to this exploit.
Affected Software:
Helix Universal Server 9.01, versions 9.0.2.794 and earlier
RealSystem Server 8.0 & 7.0
Solution:
Customers are encouraged to upgrade their Server software to the latest version
which contains a security patch. On September 10, 2003 RealNetworks publicly
released new installation binaries that guard against improperly formed URL from
causing a buffer overrun within data structures that store resources file names
within the Server.
Helix Server customers are encouraged to upgrade to the latest version of the
Helix Universal Server. This will require reinstallation of the software, however,
all existing configuration settings (rmserver.cfg file) will function without
modification with this new build. (see notes below). Any previously provided and
current (non-expired) 9.0.x product license will enable this upgrade.
To preserve the Helix configuration file: The rmserver.cfg file will be renamed
"rmserver.cfg.bak" by the installer, and a new rmserver.cfg file will be installed.
In order to maintain your previous Helix Server configurations, you should rename
or discard the newly installed "rmserver.cfg" file, and rename "rmserver.cfg.bak"
to "rmserver.cfg". Execute or restart the Helix Server to read this configuration
information.
All actively supported Helix Universal Server platforms are available:
Compaq
FreeBSD
HP UX
IBM AIX
Linux
Sun Solaris 2.7
Sun Solaris 2.8
Windows
The latest version is:
Helix Universal Server 9.01 Security Update
Version: 9.0.2.802
Platform and configuration support details are available at
http://www.realnetworks.com/resources/contentdelivery/server/recommended_
platforms.html
If you are an Server 8.0x customer, please contact Customer Service. Server 7, 6
and G2 are not supported servers and have not been patched. Please contact sales
or Customer Service for information about upgrading.
Acknowledgement:
RealNetworks wishes to thank those who posted information about this problem on
http://www.securityfocus.com/.
Warranty:
While RealNetworks endeavors to provide you with the highest quality products
and services, we cannot guarantee and do not warrant that the operation of any
RealNetworks product will be error-free, uninterrupted or secure. See your
original license agreement for details of our limited warranty or warranty
disclaimer.
[****** End RealNetworks Bulletin ******]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of RealNetworks for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-142: Microsoft Word Macros Vulnerability
N-143: Microsoft WordPerfect Converter Buffer Overrun Vulnerability
N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon
N-149: Sendmail 8.12.9 Prescan Bug
N-150: Red Hat Updated KDE packages fix security issues
N-151: OpenSSH Buffer Management Error
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
