[NEWS] RealPlayer pnen3260.dll Heap Overflow

• Previous message: SecuriTeam: "[UNIX] Samba Arbitrary File Access Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 4 Oct 2004 14:09:43 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  RealPlayer pnen3260.dll Heap Overflow
------------------------------------------------------------------------

SUMMARY

 <http://www.realnetworks.com/products/media_players.html> RealPlayer is a
popular multimedia player developed by RealNetworks. One of its features
are RMP files, RealJukebox Metadata Packages. These are XML formatted
files which may contain e.g. playlists, references to skin files (*.rjs),
and information about related web pages.

A heap overflow vulnerability inside the shared library allows a remote
attacker to reliably overwrite heap memory with arbitrary data and execute
arbitrary code in the context of the user opening a crafted rm media file.

DETAILS

Vulnerable Systems:
 * RealPlayer 10.5 (6.0.12.1040 and earlier) for Windows
 * RealPlayer 10 for Windows
 * RealPlayer 8 (Local Playback) for Windows
 * RealOne Player V2 for Windows
 * RealOne Player V1 for Windows
 * RealPlayer 10 Beta for Mac OS X (Local Playback)
 * RealOne Player for Mac OS X (Local Playback)
 * Linux RealPlayer 10 (Local Playback)
 * Helix Player for Linux (Local Playback)

Immune Systems:
 * Updated versions of all products through the automatic update mechanism

By specially crafting a malformed .rm movie file along with a SMIL file, a
direct heap overwrite is triggered, and reliable code execution is then
possible. This is possible due to a problem in the pnen3260.dll library
used by the various affected products.

The code in pnen3260.dll among other things is responsible for handling
rm files. The vulnerability is triggered by setting the length field of
the VIDORV30 data chunk to 0xFFFFFFF8 - 0xFFFFFFFF. This will cause an
integer overflow which leads to a small block of memory being allocated.
The movie is called from a SMIL file to handle the initial exception,
eventually overflowing the buffer.

Vendor Status:
RealNetworks have released a fix for the vulnerability. It can be obtained
from their automatic update system. In order to access it, the Tools menu
contains the option to check for a new update.

ADDITIONAL INFORMATION

The information has been provided by <mailto:mmaiffret@eeye.com> Marc
Maiffret - eEye Digital Security.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Samba Arbitrary File Access Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]