[NEWS] RealPlayer PNG Deflate Heap Corruption Vulnerability
From: support@securiteam.com
Date: 03/29/03
From: support@securiteam.com To: list@securiteam.com Date: 29 Mar 2003 20:05:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
RealPlayer PNG Deflate Heap Corruption Vulnerability
------------------------------------------------------------------------
SUMMARY
RealPlayer is a popular program provided by RealNetworks, Inc. It is used
to play live video and audio over the net. The program can play a large
set of media file formats, among them the PNG graphic file format. A
vulnerability has been found in the way RealPlayer decompresses those
files.
If exploited, this vulnerability allows an attacker to execute arbitrary
code and obtain a remote command shell with the privileges of the user
running RealPlayer.
DETAILS
Vulnerable systems:
* RealOne Player v2 (Win32) [versions: 6.0.11.x, where x = .818, .830, .841, .853]
* RealOne Player v1 (Win32) [version: 6.0.10.505]
* RealOne Player for OS X [versions: 9.0.0.297, 9.0.0.288]
* RealPlayer 8/RealPlayer Plus 8 (Win32 & Mac OS 9) [version: 6.0.9.584]
* RealOne Enterprise Desktop (Win32) [version: 6.0.11.774]
Technical Description - Exploit/Concept Code:
PNG files are compressed with the deflate algorithm, which is described in
RFC 1951, "DEFLATE Compressed Data Format Specification" (see [1]). The
compressor works by searching for repetitions of an earlier data block.
When a repetition is found, a length/offset pair (a length code followed
by a distance code) is written to the output stream instead of the
repeated block. These codes indicate the distance (in bytes) from the
current position back to the beginning of the earlier copy of the block,
and the length (in bytes) to copy.
The algorithm can work in two modes, with fixed or dynamic Huffman trees.
When fixed trees are used, a fixed alphabet of 288 symbols is used to
represent literals and length codes. The RFC 1951 states:
"...Literal/length values 286-287 will never actually occur in the
compressed data, but participate in the code construction..."
The problem we found in vulnerable implementations of the algorithm is
that when either of the codes 286 or 287 appears in the compressed data,
a length of 2^32 bytes is assumed.
A loop then starts copying from the offset specified after the length code
in the compressed bit stream. 2^32 bytes is larger than the buffer, larger
than the available memory and beyond the program's address space, so the
loop eventually raises an exception when it reaches the end of the
committed program memory. By then the program memory after the buffer has
been filled with a pattern chosen by the attacker. After the exception is
raised, a free or malloc call can be abused to use the values in the
corrupted heap memory to write any 32-bit value to any address in memory.
In particular, any function pointer (for example the unhandled exception
filter) can be overwritten to control the program's execution flow, which
allows arbitrary code to run and yields (for example) a remote command
shell or a Core Impact agent with the privileges of the user running
RealPlayer.
This bug has been successfully exploited in RealOne Player 2.0, and a Core
Impact module has been written for it.
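To make the decoding step concrete, the following Python is an added example, not code from this advisory or from RealNetworks: a small decoder for DEFLATE blocks that use the fixed Huffman trees, written the way a hardened inflate has to be. It rejects literal/length codes 286 and 287 instead of looking them up in the 29-entry length table, rejects distance codes 30 and 31, refuses back-references that reach before the start of the output, and caps the output size. The names (BitReader, read_fixed_litlen, inflate_fixed_block, compare) and the two sample streams are constructed for this example; VALID encodes "abc" followed by a 6-byte copy at distance 3, and MALFORMED is the same stream with the forbidden code 286 in place of the length code. zlib's inflate is used as a reference decoder to show that a conforming implementation accepts the first stream and rejects the second.

```python
"""Model of the RFC 1951 fixed-Huffman decoding step the advisory describes. Added
example (not the advisory's or RealNetworks' code): codes 286/287 are rejected, not
looked up, and every back-reference and the output size are bounds-checked."""
import zlib

# Length codes 257..285: base value and extra bits (RFC 1951, 3.2.5).
# Only 29 entries exist, so looking up 286 or 287 reads past the table.
LENGTH_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35,
               43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258]
LENGTH_EXTRA = [0] * 8 + [1] * 4 + [2] * 4 + [3] * 4 + [4] * 4 + [5] * 4 + [0]
# Distance codes 0..29: base value and extra bits (30 and 31 are invalid).
DIST_BASE = [1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513,
             769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577]
DIST_EXTRA = [0] * 4 + [e for e in range(1, 14) for _ in (0, 1)]


class DeflateError(ValueError):
    """Any malformed or out-of-bounds construct in the stream."""


class BitReader:
    """Reads bits LSB-first from a byte string, as DEFLATE packs them."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def bits(self, n):                      # first bit read is least significant
        value = 0
        for i in range(n):
            byte, off = divmod(self.pos, 8)
            if byte >= len(self.data):
                raise DeflateError("unexpected end of stream")
            value |= ((self.data[byte] >> off) & 1) << i
            self.pos += 1
        return value
    def huffman_bits(self, n):              # Huffman codes are packed MSB-first
        code = 0
        for _ in range(n):
            code = (code << 1) | self.bits(1)
        return code


def read_fixed_litlen(br):
    """One symbol of the fixed literal/length code (RFC 1951, 3.2.6)."""
    code = br.huffman_bits(7)
    if code <= 0x17:                        # 7-bit codes: symbols 256..279
        return 256 + code
    code = (code << 1) | br.bits(1)
    if code <= 0xBF:                        # 8-bit codes 0x30..0xBF: 0..143
        return code - 0x30
    if code <= 0xC7:                        # 8-bit codes 0xC0..0xC7: 280..287
        return 280 + (code - 0xC0)
    return 144 + (((code << 1) | br.bits(1)) - 0x190)   # 9-bit: 144..255


def inflate_fixed_block(data, max_out=1 << 16):
    """Inflates one fixed-Huffman block; returns the decompressed bytes."""
    br = BitReader(data)
    br.bits(1)                              # BFINAL, irrelevant for one block
    if br.bits(2) != 1:
        raise DeflateError("example handles only fixed-Huffman blocks (BTYPE=01)")
    out = bytearray()
    while True:
        sym = read_fixed_litlen(br)
        if sym == 256:
            return bytes(out)
        if sym >= 286:
            # RFC 1951: 286/287 never occur in valid data. A decoder that looks
            # them up anyway gets a garbage length (the advisory saw 2^32).
            raise DeflateError("invalid literal/length code %d" % sym)
        if sym < 256:
            out.append(sym)
        else:
            idx = sym - 257
            length = LENGTH_BASE[idx] + br.bits(LENGTH_EXTRA[idx])
            dcode = br.huffman_bits(5)      # fixed distance codes are 5 bits
            if dcode >= 30:
                raise DeflateError("invalid distance code %d" % dcode)
            dist = DIST_BASE[dcode] + br.bits(DIST_EXTRA[dcode])
            if dist > len(out):
                raise DeflateError("distance %d points before the output" % dist)
            for _ in range(length):         # byte-wise copy: overlap is legal
                out.append(out[-dist])
        if len(out) > max_out:
            raise DeflateError("output exceeds the %d-byte limit" % max_out)


def compare(data):
    """(this decoder's result, zlib's result); a rejected stream gives the error message here and None from zlib."""
    try:
        ours = inflate_fixed_block(data)
    except DeflateError as exc:
        ours = str(exc)
    try:
        ref = zlib.decompress(data, -15)    # -15 selects raw DEFLATE
    except zlib.error:
        ref = None
    return ours, ref


# Constructed sample streams, one final fixed-Huffman block each:
# VALID: 'a' 'b' 'c', length code 260 (6 bytes) at distance code 2 (3 bytes),
# end-of-block -> "abcabcabc".  MALFORMED: same, but with forbidden code 286.
VALID = bytes([0x4B, 0x4C, 0x4A, 0x86, 0x20, 0x00])
MALFORMED = bytes([0x4B, 0x4C, 0x4A, 0x1E, 0x43, 0x00])
```

compare(VALID) returns b'abcabcabc' from both decoders; compare(MALFORMED) returns the message "invalid literal/length code 286" from this decoder and None from zlib, whose inflate also treats 286 and 287 as invalid codes. The three checks in the length/distance branch are the ones that matter for the class of bug described above: the symbol range check stops the bogus length before any table lookup, the distance check stops reads before the buffer, and the output cap stops a copy that would otherwise run past the end of the allocation.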
Solution/Vendor Information/Workaround:
RealNetworks provides security updates that fix this vulnerability in the
following page:
http://service.real.com/help/faq/security/securityupdate_march2003.html
Vendors contacted:
Core Notification: 2003-03-07
Notification acknowledged by RealNetworks: 2003-03-11
Fix provided by RealNetworks and tested by Core: 2003-03-13
Release schedule of updates established: 2003-03-19
Updates for Consumer Products released: 2003-03-27
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10
References:
[1] http://www.w3.org/Graphics/PNG/RFC-1951
[2] http://www.libpng.org/pub/png/pngdocs.html
[3] http://www.eeye.com/html/Research/Advisories/AD20021211.html
The information has been provided by CORE Security Technologies Advisories
(advisories@coresecurity.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.