Category:   Application (Multimedia)  >   Helix Universal Server
Vendors:   RealNetworks
(Vendor Issues Fix) Re: Helix Universal Server and RealServer URL Parsing Flaw in View Source Plug-in Lets Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1007692
SecurityTracker URL:  http://securitytracker.com/id/1007692
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 13 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.0.2.794 and prior versions
Description:   A vulnerability was reported in the RealNetworks Helix Universal Server version 9 and prior versions. A remote user can execute arbitrary code with root privileges.

It is reported that a remote user can request a URL containing large numbers of certain character strings to cause the server to execute arbitrary code. The flaw reportedly resides in the protocol parsers.

According to the vendor, the RealNetworks Proxy products are not affected.

Impact:   A remote user can execute arbitrary code with root privileges.
Solution:   The vendor has issued a fix. The vendor reports that upgrading requires reinstallation of the software, and that any previously provided and current (non-expired) 9.0.x product license will enable this upgrade.

See the vendor's advisory for details about the upgrade.

Upgrades for all actively supported Helix Universal Server platforms are available:

Compaq:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Compaq+Tru64+5.1+%26+5.1A&product=Helix+Universal+Server&progra

FreeBSD:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=FreeBSD+4.0+%26+4.5&product=Helix+Universal+Server&program=basi

HP UX:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=HP+UX+11.0+%26+11.i&product=Helix+Universal+Server&program=basi

IBM AIX:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=IBM+AIX+4.3+%26+5L&product=Helix+Universal+Server&program=basic

Linux:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Linux+version+2.4.18&product=Helix+Universal+Server&program=bas

Sun Solaris 2.7:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Sun+Solaris+2.7&product=Helix+Universal+Server&program=basic&

Sun Solaris 2.8:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Sun+Solaris+2.8&product=Helix+Universal+Server&program=basic&

Windows:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Windows+NT+4.0+%26+2000&product=Helix+Universal+Server&program=p

The latest version is:

Helix Universal Server 9.01 Security Update
Version: 9.0.2.802

Platform and configuration support details are available at

http://www.realnetworks.com/resources/contentdelivery/server/recommended_platforms.html

Server 8.0x customers should contact Customer Service for upgrade information:

http://service.real.com/helix/

The vendor notes that Server 7, 6 and G2 are not supported servers and have not been patched.

Vendor URL:  www.service.real.com/help/faq/security/rootexploit091103.html
Cause:   Not specified
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 23 2003 Helix Universal Server and RealServer URL Parsing Flaw in View Source Plug-in Lets Remote Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Date:  Fri, 12 Sep 2003 20:13:47 -0400
Subject:  http://www.service.real.com/help/faq/security/rootexploit091103.html


 > Server Exploit Fix
 >
 > Updated September 11, 2003


 > Affected Software:
 >
 > Helix Universal Server 9.01, versions 9.0.2.794 and earlier
 > RealSystem Server 8.0 & 7.0

RealNetworks issued a fix for a previously reported vulnerability in the Helix Universal 
Server (and RealSystem Server and RealServer).

The vendor reports that upgrading requires reinstallation of the software, and that any 
previously provided and current (non-expired) 9.0.x product license will enable this upgrade.

See the vendor's advisory for details about the upgrade.

Upgrades for all actively supported Helix Universal Server platforms are available:

Compaq:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Compaq+Tru64+5.1+%26+5.1A&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

FreeBSD:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=FreeBSD+4.0+%26+4.5&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

HP UX:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=HP+UX+11.0+%26+11.i&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

IBM AIX:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=IBM+AIX+4.3+%26+5L&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

Linux:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Linux+version+2.4.18&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

Sun Solaris 2.7:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Sun+Solaris+2.7&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

Sun Solaris 2.8:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Sun+Solaris+2.8&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

Windows:

http://forms.real.com/rnforms/products/servers/download/download.final.html?platform=Windows+NT+4.0+%26+2000&product=Helix+Universal+Server&program=basic&version=Helix+Universal+Server

The latest version is:

Helix Universal Server 9.01 Security Update
Version: 9.0.2.802

Platform and configuration support details are available at

http://www.realnetworks.com/resources/contentdelivery/server/recommended_platforms.html

Server 8.0x customers should contact Customer Service for upgrade information:

http://service.real.com/helix/

The vendor notes that Server 7, 6 and G2 are not supported servers and have not been patched.



 
 



Copyright 2012, SecurityGlobal.net LLC