[NT] Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 06/14/04
To: list@securiteam.com
Date: 14 Jun 2004 11:38:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
RealPlayer is "an application for playing various media formats, developed
by RealNetworks Inc". Remote exploitation of a buffer overflow in Version
10 of Real Networks' RealPlayer could allow execution of arbitrary
commands.
DETAILS
Vulnerable Systems:
* RealNetworks' RealPlayer 10 is confirmed vulnerable. Previous versions
of RealPlayer are also suspected to be vulnerable.
The vulnerability specifically exists in the handling of URLs with a large
number of period (".") characters. By creating a specially crafted
filename, it is possible to cause the execution of arbitrary code with the
permissions of the user that attempts to access it.
Analysis:
One method of exploiting this vulnerability is to place a .RAM file
(RealPlayer Presentation) containing a maliciously constructed URL on a web
server and send an e-mail to the target containing a link to the file.
It appears the vulnerability results from allocating an array of a fixed
size and then iterating through the URL looking for periods. As each one
is found, a pointer to it is stored in the array, and the current index is
incremented. No check seems to be done for writes to addresses outside the
array.
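The pattern described in the analysis above, next to a bounds-checked form, as an added example that is not RealPlayer code and not part of the original advisory. The capacity MAX_DOTS, the function names and the sample URLs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_DOTS 8  /* assumed capacity; the advisory does not give the real size */

/* Unsafe pattern as the advisory describes it: every '.' found is recorded in
 * a fixed-size array and the index is never compared with the capacity. */
size_t index_dots_unchecked(const char *url, const char *dots[MAX_DOTS])
{
    size_t n = 0;
    for (const char *p = url; *p != '\0'; p++) {
        if (*p == '.')
            dots[n++] = p;  /* out-of-bounds write once n reaches MAX_DOTS */
    }
    return n;
}

/* Hardened form: reject the URL as soon as it holds more periods than the
 * array can index. Returns 0 on success, -1 if the URL must be refused. */
int index_dots_checked(const char *url, const char *dots[MAX_DOTS], size_t *count)
{
    size_t n = 0;
    for (const char *p = url; *p != '\0'; p++) {
        if (*p != '.')
            continue;
        if (n >= MAX_DOTS)
            return -1;      /* bound check happens before the write */
        dots[n++] = p;
    }
    *count = n;
    return 0;
}

int main(void)
{
    const char *dots[MAX_DOTS];
    size_t n = 0;
    /* Constructed sample inputs, not taken from the advisory. */
    const char *ok = "rtsp://media.example.com/clip.rm";
    const char *bad = "rtsp://media.example.com/a.b.c.d.e.f.g.h.i.rm";
    printf("%d\n", index_dots_checked(ok, dots, &n));
    printf("%d\n", index_dots_checked(bad, dots, &n));
    return 0;
}
```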
Vendor Status:
Real Networks recommends updating affected applications to the latest
version. Instructions for upgrading are contained in the vendor's security
advisory located at:
http://service.real.com/help/faq/security/040610_player/EN/
Disclosure Timeline:
04/14/2004 - Exploit discovered by iDEFENSE
05/12/2004 - Initial vendor notification
05/12/2004 - iDEFENSE clients notified
05/13/2004 - Vendor response
06/10/2004 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by Greg MacManus (iDEFENSE Labs)
<idlabs-advisories@idefense.com>.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=109&type=vulnerabilities