Security hole in Helix Server
A buffer overflow can occur when the Helix Server streaming server from RealNetworks processes modified data packets. The vulnerability could allow an unauthenticated remote attacker to gain root privileges on the server.
Attackers could make use of the vulnerability by sending the server a so-called DESCRIBE request with a very long value in the LoadTestPassword field of the packet. During internal processing the conversion of this value fails and returns a negative value as an error code, which is not checked before further processing. The function treats the value as an unsigned integer, so it becomes very large. When this value is then increased again, the variable overflows and holds only a fairly small value. As a consequence the function allocates only a small buffer, into which it nevertheless copies an amount of data that is much too large.
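The arithmetic described above, as an added example in C that is not Helix Server code. The names convert_field, MAX_FIELD, flawed_alloc_size and checked_copy are hypothetical, and the 64-byte failure rule is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 64  /* constructed limit; the server's real limit is not on the page */

/* Hypothetical stand-in for the conversion step: returns the converted
 * length, or a negative error code when the input cannot be converted. */
static int convert_field(const char *in, size_t in_len, char *out) {
    if (in_len > MAX_FIELD)
        return -1;
    if (out)
        memcpy(out, in, in_len);
    return (int)in_len;
}

/* Flawed pattern: the error code is never checked. -1 reinterpreted as
 * unsigned is 0xFFFFFFFF, and adding 1 wraps it to 0, so the buffer
 * request is tiny while the data to be copied is still large. */
uint32_t flawed_alloc_size(const char *in, size_t in_len) {
    int n = convert_field(in, in_len, NULL);
    uint32_t len = (uint32_t)n;
    return len + 1;
}

/* Hardened pattern: reject the error code before any arithmetic, then
 * size the buffer from the checked value and copy only that much. */
char *checked_copy(const char *in, size_t in_len, uint32_t *alloc_size) {
    int n = convert_field(in, in_len, NULL);
    if (n < 0)
        return NULL;                   /* conversion failed: stop here */
    uint32_t size = (uint32_t)n + 1;   /* cannot wrap: 0 <= n <= MAX_FIELD */
    char *buf = malloc(size);
    if (!buf)
        return NULL;
    convert_field(in, in_len, buf);
    buf[n] = '\0';
    *alloc_size = size;
    return buf;
}

int main(void) {
    char big[200];                     /* constructed over-long field value */
    uint32_t sz = 0;
    memset(big, 'A', sizeof big);
    printf("flawed size: %u\n", (unsigned)flawed_alloc_size(big, sizeof big));
    printf("checked: %s\n", checked_copy(big, sizeof big, &sz) ? "copied" : "rejected");
    return 0;
}
```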
Because Helix Server runs with root rights in its default setting, attackers could have code that they inject through the hole executed with administrator rights and take control of the system. The vulnerability is present in Version 11.1.2 of Helix Server for Windows, Solaris and Linux. The new Version 11.1.3 is said to plug the security hole, but there is no link to it as yet on the vendor's homepage. Changing the version number from 1112 to 1113 in the download link will nonetheless allow one to get hold of the up-to-date version.
- Helix Server heap overflow, security alert by Evgeny Legerov
- Changelog of the patch Helix version management system
(ehe)