SecurityTracker.com
Category:   Application (Multimedia)  >   RealServer
Vendors:   RealNetworks
RealSystem Server and RealSystem Proxy Buffer Overflows May Let Remote Users Execute Arbitrary Code on the Server or Cause the Server to Crash
SecurityTracker Alert ID:  1003604
SecurityTracker URL:  http://securitytracker.com/id/1003604
CVE Reference:   CVE-2003-1117
Updated:  May 20 2008
Original Entry Date:  Feb 20 2002
Impact:   Denial of service via network, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): RealSystem Server 6.x, 7.x and 8.x, RealSystem Proxy 8.x
Description:   A buffer overflow vulnerability was reported in RealSystem Server and RealSystem Proxy. A remote user may be able to execute arbitrary code on the server or cause the server to crash.

It is reported that RealSystem Server and RealSystem Proxy have a buffer overflow condition in the processing of URL errors. No further details were provided.

RealNetworks credits Tim Austwick from the QinetiQ Security Health Check Team with discovering this flaw.

Impact:   A remote user may be able to execute arbitrary code on the server or cause the server to crash.

[Editor's note: The vendor has not indicated the nature of the impact, but it is believed to include remote code execution.]

Solution:   A security update is available. RealNetworks has provided the following information:

If you are a current 8 customer, simply download an updated RealSystem Server or RealSystem Proxy. Choose from our current list of operating systems below. Use your current license key to install the updated package, which applies the fix for this exploit.

If you are a 6.x or 7.x customer, please contact Customer Service at the following number: 888-768-3248.

All actively supported RealSystem Server platforms will be made available. That list is:

Linux 2.0-libc6
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_linux-2.0-libc6-i386_servinst.bin
Solaris 2.7
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_servinst.bin
Solaris 2.8
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_servinst.bin
Windows NT 4.0 SP3+
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-servinst.exe
Windows 2000 Workstation/Server
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-servinst.exe
FreeBSD 3.0
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_freebsd-3.0-i386_servinst.bin
IBM AIX 4.3
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_aix-4.3-powerpc_servinst.bin
HP UX
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_hpux-11.0-parisc_servinst.bin
Compaq Tru64 v5.1
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_osf-5.1-alpha_servinst.bin


All actively supported RealSystem Proxy platforms will be made available. That list is:

Linux 2.0-libc6
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_linux-2.0-libc6-i386_prxyinst.bin
Solaris 2.7
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_prxyinst.bin
Solaris 2.8
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_prxyinst.bin
Windows NT 4.0 SP3+
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-proxinst.exe
Windows 2000 Workstation/Server
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-proxinst.exe
IBM AIX 4.3
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_aix-4.3-powerpc_prxyinst.bin
HP-UX
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_hpux-11.0-parisc_prxyinst.bin
Compaq Tru64 v5.1
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_osf-5.1-alpha_prxyinst.bin

Vendor URL:  www.service.real.com/help/faq/security/bufferoverflow.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (FreeBSD), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  RealSystem Server and Proxy Buffer Overflow Vulnerability


RealSystem Server and Proxy Buffer Overflow Vulnerability 

Updated February 19, 2002 

A vulnerability affecting RealSystem Server and RealSystem Proxy came to
the attention of RealNetworks on February 14, 2002. This vulnerability
involves a buffer overflow condition seen in URL error handling. 

Affected Software:

All versions of RealSystem Server 6.x, 7.x and 8.x
RealSystem Proxy 8.x

Solution:

Although RealNetworks has not received reports of any deployed
RealSystem Server or RealSystem Proxy being exploited by this
vulnerability, we have made a security update available to all current
RealSystem Server and RealSystem Proxy customers.

If you are a current 8 customer, simply download an updated RealSystem
Server or RealSystem Proxy. Choose from our current list of operating
systems below. Use your current license key to install the updated
package, which applies the fix for this exploit.

If you are a 6.x or 7.x customer, please contact Customer Service at the
following number: 888-768-3248.

All actively supported RealSystem Server platforms will be made
available. That list is:

     Linux 2.0-libc6  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_linux-2.0-libc6-i386_servinst.bin
     Solaris 2.7  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_servinst.bin
     Solaris 2.8  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_servinst.bin
     Windows NT 4.0 SP3+  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-servinst.exe
     Windows 2000 Workstation/Server  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-servinst.exe
     FreeBSD 3.0  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_freebsd-3.0-i386_servinst.bin
     IBM AIX 4.3  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_aix-4.3-powerpc_servinst.bin
     HP UX  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_hpux-11.0-parisc_servinst.bin
     Compaq Tru64 v5.1  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_osf-5.1-alpha_servinst.bin


All actively supported RealSystem Proxy platforms will be made
available. That list is: 

     Linux 2.0-libc6  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_linux-2.0-libc6-i386_prxyinst.bin
     Solaris 2.7  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_prxyinst.bin
     Solaris 2.8  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_sunos-5.7-sparc_prxyinst.bin
     Windows NT 4.0 SP3+  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-proxinst.exe
     Windows 2000 Workstation/Server  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_w32-vc5-proxinst.exe
     IBM AIX 4.3  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_aix-4.3-powerpc_prxyinst.bin
     HP-UX   
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_hpux-11.0-parisc_prxyinst.bin
     Compaq Tru64 v5.1  
http://docs.real.com/docs/servproxy801secupdate/v801-secupdt_osf-5.1-alpha_prxyinst.bin


Acknowledgement:

This vulnerability was found by Tim Austwick from the QinetiQ Security
Health Check Team. 

Warranty:

While RealNetworks endeavors to provide you with the highest quality
products and services, we cannot guarantee and do not warrant that the
operation of any RealNetworks product will be error-free, uninterrupted
or secure. See your original license agreement for details of our
limited warranty or warranty disclaimer. 


This information is available at:

http://www.service.real.com/help/faq/security/bufferoverflow.html


 
 



Copyright 2020, SecurityGlobal.net LLC