[NT] RealPlayer embd3260.dll Error Response Heap Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 06/14/04
- Previous message: SecuriTeam: "[NT] Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 14 Jun 2004 12:25:55 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
RealPlayer embd3260.dll Error Response Heap Overflow
------------------------------------------------------------------------
SUMMARY
eEye Digital Security has discovered a critical vulnerability in
RealPlayer. The vulnerability allows a remote attacker to reliably
overwrite heap memory with arbitrary data and execute arbitrary code in
the context of the user who executed the player or application hosting the
RealMedia plug-in.
This specific flaw exists within the embd3260.dll file used by RealPlayer.
By specially crafting a malformed movie file along with an HTML file, a
direct heap overwrite is triggered, and reliable code execution is then
possible.
DETAILS
Vulnerable Systems:
* RealOne Player
* RealOne Player v2
* RealPlayer 10
* RealPlayer 8
* RealPlayer Enterprise
The code in embd3260.dll among other things is responsible for crafting
error messages in RealPlayer. The vulnerability is triggered by crafting
a malformed movie which is then embedded into an HTML page, causing
RealPlayer to generate a error in the form of "mem://[address]/[movie file
name]", resulting in a heap overflow. A heap block is allocated to
contain the error message, but because of a flaw in how the buffer size is
calculated, an overflow will always happen. The following pseudo code
represents the vulnerable condition:
char *errormessage = new char[strlen(moviename)+10];
sprintf(errormessage, "mem://%08X/", address);
strcat(errormessage, moviename);
Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar. A link to their advisory can be found here:
<http://service.real.com/help/faq/security/040610_player/EN/>
http://service.real.com/help/faq/security/040610_player/EN/.
ADDITIONAL INFORMATION
The information has been provided by <mailto:dsoeder@eEye.com> Derek
Soeder.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
