In association with heise online

21 March 2007, 11:24

Security hole in Helix Server


A buffer overflow can occur when the Helix Server streaming server from RealNetworks processes modified data packets. The vulnerability could allow an unauthenticated remote attacker to gain root privileges on the server.

Attackers could exploit the vulnerability by sending the server a DESCRIBE request with a very long value in the LoadTestPassword field of the packet. The conversion fails during internal processing and returns a negative value as an error code, which, however, is not checked before further processing. The function treats this value as an unsigned integer, so it becomes very large. When the value is then increased again, the variable overflows and contains only a fairly small value. As a consequence, the function allocates only a small buffer, into which it then copies an amount of data that is much too large.
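The arithmetic described above, as an added C example that is not Helix Server code: the function names, the 64-byte conversion limit and the 16-byte increment are assumptions, chosen to show the unchecked size computation beside a checked one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 64u   /* assumed limit of the conversion step */
#define EXTRA     16u   /* assumed bytes added to the length before allocating */

/* Hypothetical conversion: returns the field length, or -1 if it is too long. */
static int convert_len(const char *field) {
    size_t n = strlen(field);
    return n > MAX_FIELD ? -1 : (int)n;
}

/* Flawed size computation: the error code is never checked. */
static uint32_t size_unchecked(const char *field) {
    uint32_t len = (uint32_t)convert_len(field); /* -1 becomes 0xFFFFFFFF */
    return len + EXTRA;                          /* wraps around to 15 */
}

/* Hardened: reject the error code, then guard the addition against wrap. */
static int size_checked(const char *field, uint32_t *out) {
    int rc = convert_len(field);
    if (rc < 0) return -1;
    if ((uint32_t)rc > UINT32_MAX - EXTRA) return -1;
    *out = (uint32_t)rc + EXTRA;
    return 0;
}

/* Allocate and copy only when the size is trustworthy; NULL means rejected. */
static char *copy_field(const char *field) {
    uint32_t size;
    if (size_checked(field, &size) != 0) return NULL;
    char *buf = calloc(1, size);
    if (buf != NULL) memcpy(buf, field, strlen(field)); /* strlen <= size - EXTRA */
    return buf;
}

int main(void) {
    char big[201];                       /* constructed over-long field value */
    memset(big, 'A', 200); big[200] = '\0';
    uint32_t ok = 0;
    printf("unchecked size for 200-byte field: %u\n", (unsigned)size_unchecked(big));
    printf("checked result for the same field: %d\n", size_checked(big, &ok));
    char *c = copy_field("short");
    printf("copy of short field: %s\n", c ? c : "(rejected)");
    free(c);
    return 0;
}
```

The unchecked path reports a 15-byte buffer for a 200-byte field, which is the mismatch between allocation and copy that the article describes; the checked path refuses the input before any allocation takes place.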

Because Helix Server runs with root rights in its default configuration, attackers could have code injected through the hole executed with administrator rights and take control of the system. The vulnerability is present in version 11.1.2 of Helix Server for Windows, Solaris and Linux. The new version 11.1.3 is said to plug the security hole, but there is no link to it as yet on the vendor's homepage. Changing the version number from 1112 to 1113 in the download link will nonetheless retrieve the up-to-date version.

(ehe)

Permalink: http://h-online.com/-732519