__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  Real Networks Streaming Server Vulnerability

September 18, 2003 17:00 GMT                                      Number N-152
______________________________________________________________________________
PROBLEM:       CIAC has information that the Real Networks Helix Universal 
               Server and RealSystems Servers are vulnerable to a root 
               compromise. 
SYSTEMS:       Helix Universal Server 9.01, 9.0.2.794 RealSystem Server 8.0 
               and 7.0 
DAMAGE:        A carefully crafted request to the server could give an 
               intruder root access. 
SOLUTION:      Upgrade to Helix Universal Server 9.0.2.802 or remove the View 
               Source plugin from the plugins directory and restart the 
               server. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote intruder can get root access. 
ASSESSMENT:                                                                   
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-152.shtml 
 ORIGINAL BULLETIN:  NOTE: Original and an updated bulletin both included below                                                         
                     http://www.service.real.com/help/faq/security/rootexploit
                     082203.html 
______________________________________________________________________________

[******  Start RealNetworks Bulletin 8/22/03 ******]


Server Exploit Vulnerability

Updated August 22, 2003

Helix Universal Server 9 and earlier versions (RealSystem Server 8, 7 and 
RealServer G2) are vulnerable to a root exploit when certain types of character 
strings appear in large numbers within URLs destined for the Server's protocol 
parsers. RealNetworks Proxy products are not vulnerable to this exploit.

Solution:

This exploit solution updated September 11, 2003.

RealNetworks has verified that vulnerability to this exploit can be effectively 
closed by removing the RealNetworks View Source plug-in from the /Plugins 
directory and restarting the Server process.

* UNIX/Linux: vsrcplin.so.9.0 (Helix Universal Server), vsrcplin.so.6.0 
  (RealSystem Server 8 & 7, and RealServer G2).

* Windows: vsrc3260.dll 

The View Source Plug-in is responsible for reading and displaying file format 
headers of media files accessible to the file systems loaded by the Server. 
Removal of this plug-in will not hinder on-demand or live streaming delivery 
or logging and authentication services of the product. With the plug-in 
removed however, the Content Browsing feature will be disabled.

RealNetworks considers the removal of the View Source Plug-in a work-around 
for this issue, we will be making a new version of the Helix Universal Server 
available to all current customers that resolves this problem and does not 
require system administrators to remove any shipping components post 
installation. Once the new version is available, RealNetworks will urge 
customer to upgrade.

We want to thank those who posted information about this problem on 
http://www.securityfocus.org/.

Warranty:

While RealNetworks endeavors to provide you with the highest quality products 
and services, we cannot guarantee and do not warrant that the operation of any 
RealNetworks product will be error-free, uninterrupted or secure. See your 
original license agreement for details of our limited warranty or warranty 
disclaimer.

 [******  End RealNetworks Bulletin ******]

 
 [******  Start RealNetworks Bulletin Updated 9/11/03 ******]
 
Server Exploit Fix

Updated September 11, 2003

On August 22, 2003 RealNetworks reported that Helix Universal Server 9 and 
earlier versions (RealSystem Server 8, 7 and RealServer G2) were vulnerable to 
a root exploit when certain types of character strings appeared in large numbers 
within URLs destined for the Server's protocol parsers. RealNetworks Proxy products 
were not vulnerable to this exploit.

Affected Software:

Helix Universal Server 9.01, versions 9.0.2.794 and earlier
RealSystem Server 8.0 & 7.0

Solution:

Customers are encouraged to upgrade their Server software to the latest version 
which contains a security patch. On September 10, 2003 RealNetworks publicly 
released new installation binaries that guard against improperly formed URL from 
causing a buffer overrun within data structures that store resources file names 
within the Server.

Helix Server customers are encouraged to upgrade to the latest version of the 
Helix Universal Server. This will require reinstallation of the software, however, 
all existing configuration settings (rmserver.cfg file) will function without 
modification with this new build. (see notes below). Any previously provided and 
current (non-expired) 9.0.x product license will enable this upgrade.

To preserve the Helix configuration file: The rmserver.cfg file will be renamed 
"rmserver.cfg.bak" by the installer, and a new rmserver.cfg file will be installed. 
In order to maintain your previous Helix Server configurations, you should rename 
or discard the newly installed "rmserver.cfg" file, and rename "rmserver.cfg.bak" 
to "rmserver.cfg". Execute or restart the Helix Server to read this configuration 
information.

All actively supported Helix Universal Server platforms are available:

Compaq 
FreeBSD 
HP UX 
IBM AIX 
Linux 
Sun Solaris 2.7 
Sun Solaris 2.8 
Windows 
The latest version is:

Helix Universal Server 9.01 Security Update
Version: 9.0.2.802


Platform and configuration support details are available at

http://www.realnetworks.com/resources/contentdelivery/server/recommended_
platforms.html

If you are an Server 8.0x customer, please contact Customer Service. Server 7, 6 
and G2 are not supported servers and have not been patched. Please contact sales 
or Customer Service for information about upgrading.

Acknowledgement:

RealNetworks wishes to thank those who posted information about this problem on 
http://www.securityfocus.com/.

Warranty:

While RealNetworks endeavors to provide you with the highest quality products 
and services, we cannot guarantee and do not warrant that the operation of any 
RealNetworks product will be error-free, uninterrupted or secure. See your 
original license agreement for details of our limited warranty or warranty 
disclaimer.


[******  End RealNetworks Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of RealNetworks for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-142: Microsoft Word Macros Vulnerability
N-143: Microsoft WordPerfect Converter Buffer Overrun Vulnerability
N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon
N-149: Sendmail 8.12.9 Prescan Bug
N-150: Red Hat Updated KDE packages fix security issues
N-151: OpenSSH Buffer Management Error