=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN286
_____________________________________________________________________

DATE                      : 04/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running RealNetworks Helix Server versions 12.x, 13.x, 14.x,
                                 RealNetworks Helix Mobile Server versions 12.x, 13.x, 14.x.
======================================================================
http://docs.real.com/docs/security/SecurityUpdate033111HS.pdf
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=899
http://www.zerodayinitiative.com/advisories/ZDI-11-114
______________________________________________________________________

iDefense Security Advisory 03.31.10
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 31, 2010

I. BACKGROUND

Helix DNA Server is software that can play audio and video media in
various formats and stream them over a network. It is intended as a
largely free and open source digital media framework that runs on
numerous operating systems. The Helix DNA Server can support various
formats including RealVideo, RealAudio, and MP3.

II. DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability in
RealNetworks Inc.'s Helix DNA Server could allow an attacker to execute
arbitrary code with the privileges of the affected service.

The Helix DNA Server contains a vulnerability that can be triggered by
an unauthenticated attacker. The vulnerability results from the
parsing of a certain type of Real Time Streaming Protocol (RTSP)
request specifying a large string. The vulnerable function may perform
a copy operation that overflows the bounds of a stack buffer.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service. In order to exploit
this vulnerability, an attacker needs to be able to create a TCP
connection to port 554 on the targeted server. No authentication is
required.

IV. DETECTION

Helix Server and Helix Mobile Server versions 12.x, 13.x and 14.x are
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

RealNetworks has released a patch which addresses this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.

http://docs.real.com/docs/security/SecurityUpdate033111HS.pdf

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-4596 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2010  Initial Contact
12/03/2010  Initial Response
03/31/2010  Coordinated public disclosure.

IX. CREDIT

This vulnerability was reported to iDefense by defrost.

X. LEGAL NOTICES

Copyright © 2011 Verisign

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___________________________________________________________________________

ZDI-11-114: RealNetworks Helix Server x-wap-profile Format String Remote
Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-114

April 1, 2011

-- CVE ID:
CVE-2010-4235

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks Helix Server

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10863.
For further product information on the TippingPoint IPS, visit:

     http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Helix Server products. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the rmserver.exe process. This process
is active by default on all Helix Server installations. Due to a failure
to properly sanitize the contents of the 'x-wap-profile' header, it is
possible to provide malicious data that is passed directly to a format
string function. Remote attackers could leverage this vulnerability to
execute arbitrary code under the context of the SYSTEM user.
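
The following is an added detection example, not part of the ZDI advisory or of any vendor code: it parses an RTSP request and lists the printf-style conversion specifications found in the 'x-wap-profile' header, the input the advisory says reaches a format string function. The function names and the sample requests are constructed for illustration.

```python
import re

# printf-style conversion specification (C99 plus POSIX positional "%5$x").
# "%%" is matched first so a literal percent sign is not mistaken for the
# start of a conversion.
_CONVERSION = re.compile(
    r"%%|%(?:\d+\$)?[-+ #0']*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?"
    r"(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]"
)

def parse_rtsp_headers(raw: bytes) -> dict:
    """Return {lower-cased header name: [values]} for one RTSP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise before lookup.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def suspicious_conversions(raw: bytes, header: str = "x-wap-profile") -> list:
    """List printf conversions found in every occurrence of `header`."""
    hits = []
    for value in parse_rtsp_headers(raw).get(header, []):
        hits += [m.group(0) for m in _CONVERSION.finditer(value)
                 if m.group(0) != "%%"]
    return hits

# Constructed sample requests (not captured traffic).
BENIGN = (b"DESCRIBE rtsp://media.example.invalid/clip.rm RTSP/1.0\r\n"
          b"CSeq: 1\r\n"
          b'x-wap-profile: "http://uaprof.example.invalid/phone.xml"\r\n\r\n')
SUSPECT = (b"DESCRIBE rtsp://media.example.invalid/clip.rm RTSP/1.0\r\n"
           b"CSeq: 2\r\n"
           b"X-Wap-Profile: http://uaprof.example.invalid/%08x.%s\r\n\r\n")
ENCODED = (b"OPTIONS rtsp://media.example.invalid/ RTSP/1.0\r\n"
           b"CSeq: 3\r\n"
           b"x-wap-profile: http://uaprof.example.invalid/a%2Fb 100%%\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT),
                       ("encoded", ENCODED)):
        print(label, suspicious_conversions(req))
```

The third sample is reported because a percent-encoded byte such as %2F also parses as a conversion (width 2, conversion F), so on an unpatched server any '%' other than '%%' in this header is worth an alert.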

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:

http://www.realnetworks.com/helix-support/security-updates.aspx

-- Disclosure Timeline:
2010-10-02 - Vulnerability reported to vendor
2011-04-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
     * defrost


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


