[NEWS] RealPlayer pnen3260.dll Heap Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04

    To: list@securiteam.com
    Date: 4 Oct 2004 14:09:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      RealPlayer pnen3260.dll Heap Overflow
    ------------------------------------------------------------------------

    SUMMARY

    RealPlayer (http://www.realnetworks.com/products/media_players.html) is a
    popular multimedia player developed by RealNetworks. One of its features
    is support for RMP files, RealJukebox Metadata Packages. These are XML
    formatted files which may contain, for example, playlists, references to
    skin files (*.rjs), and information about related web pages.

    A heap overflow vulnerability in the pnen3260.dll library shipped with the
    player allows a remote attacker to reliably overwrite heap memory with
    arbitrary data and execute arbitrary code in the context of the user who
    opens a crafted .rm media file.

    DETAILS

    Vulnerable Systems:
     * RealPlayer 10.5 (6.0.12.1040 and earlier) for Windows
     * RealPlayer 10 for Windows
     * RealPlayer 8 (Local Playback) for Windows
     * RealOne Player V2 for Windows
     * RealOne Player V1 for Windows
     * RealPlayer 10 Beta for Mac OS X (Local Playback)
     * RealOne Player for Mac OS X (Local Playback)
     * Linux RealPlayer 10 (Local Playback)
     * Helix Player for Linux (Local Playback)

    Immune Systems:
     * Updated versions of all products through the automatic update mechanism

    By specially crafting a malformed .rm movie file and referencing it from a
    SMIL file, a direct heap overwrite is triggered and reliable code
    execution becomes possible. The root cause is a flaw in the pnen3260.dll
    library used by the various affected products.

    Among other things, the code in pnen3260.dll is responsible for handling
    .rm files. The vulnerability is triggered by setting the length field of
    the VIDORV30 data chunk to a value in the range 0xFFFFFFF8 - 0xFFFFFFFF.
    When the library adds its small fixed overhead to this length, the 32-bit
    sum wraps around (an integer overflow), so only a tiny block of memory is
    allocated, while the amount of data subsequently written into that block
    is still governed by the original, huge length. The width of the range
    (eight values) is consistent with an overhead of eight bytes being added
    to the declared length. The movie is called from a SMIL file so that the
    initial exception is handled and processing continues, eventually
    overflowing the undersized buffer.
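    The integer-overflow pattern described above, as an added illustration
    that is not code from the advisory or from pnen3260.dll (whose source is
    not on this page). It assumes a generic chunk layout of a 4-byte tag
    followed by a 4-byte big-endian payload length (not the real VIDORV30
    structure) and a fixed 8-byte overhead added to the declared length before
    allocation; eight is an assumption chosen because the advisory's trigger
    range is exactly the eight 32-bit values for which (length + 8) wraps past
    zero. The vulnerable sizing is shown beside the overflow-safe check that
    rejects it; no oversized copy is actually performed, the mismatch is only
    reported.

```c
/* Added illustration (not the pnen3260.dll code): how a 32-bit chunk length in the
 * range 0xFFFFFFF8..0xFFFFFFFF turns a size computation into a tiny allocation,
 * and the overflow-safe check that rejects it.
 *
 * Assumptions (not from the advisory): a generic chunk layout of 4-byte tag followed
 * by a 4-byte big-endian payload length, and a fixed 8-byte overhead added to the
 * declared length before allocation.  Eight is chosen because the advisory's trigger
 * range is exactly the eight 32-bit values for which (length + 8) wraps past zero.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_OVERHEAD 8u   /* assumed bytes the parser prepends to the payload */
#define CHUNK_HDR    8u   /* 4-byte tag + 4-byte length (assumed layout) */

struct chunk_plan {
    char     tag[5];         /* chunk tag, NUL-terminated for printing */
    uint32_t declared_len;   /* length field exactly as found in the file */
    uint32_t alloc_len;      /* size that would be requested from the allocator */
    uint32_t copy_len;       /* bytes the parser would then copy into that block */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unsafe arithmetic: uint32_t addition silently wraps modulo 2^32. */
uint32_t wrapped_alloc_size(uint32_t declared_len)
{
    return declared_len + HDR_OVERHEAD;   /* 0xFFFFFFF8 + 8 == 0, 0xFFFFFFFF + 8 == 7 */
}

/* Vulnerable sizing, as the advisory describes it: the allocation shrinks to at most
 * 7 bytes while the copy length stays at the attacker's value.  Nothing is allocated
 * or copied here; the function only reports the plan.
 * Returns 1 if copy_len exceeds alloc_len (heap overflow), 0 if not, -1 if the
 * header is truncated. */
int plan_vulnerable(const uint8_t *buf, size_t n, struct chunk_plan *out)
{
    if (n < CHUNK_HDR) return -1;
    memcpy(out->tag, buf, 4); out->tag[4] = '\0';
    out->declared_len = be32(buf + 4);
    out->alloc_len = wrapped_alloc_size(out->declared_len);
    out->copy_len  = out->declared_len;
    return out->copy_len > out->alloc_len;
}

/* Hardened sizing: refuse a length that would wrap the addition, and a length larger
 * than the bytes actually left in the buffer (which would otherwise be an over-read).
 * Returns 1 if the chunk is accepted, 0 if rejected, -1 if the header is truncated. */
int plan_hardened(const uint8_t *buf, size_t n, struct chunk_plan *out)
{
    if (n < CHUNK_HDR) return -1;
    memcpy(out->tag, buf, 4); out->tag[4] = '\0';
    out->declared_len = be32(buf + 4);
    if (out->declared_len > UINT32_MAX - HDR_OVERHEAD) return 0;  /* would wrap */
    if (out->declared_len > n - CHUNK_HDR)            return 0;  /* file too short */
    out->alloc_len = out->declared_len + HDR_OVERHEAD;
    out->copy_len  = out->declared_len;
    return 1;
}

/* Constructed chunks (test data made up for this example, not real file contents). */
static const uint8_t kBadChunk[] = {    /* length 0xFFFFFFF8: low end of the trigger range */
    'V','I','D','O', 0xFF,0xFF,0xFF,0xF8, 'A','B','C','D'
};
static const uint8_t kLyingChunk[] = {  /* length 16 but only 4 payload bytes present */
    'V','I','D','O', 0x00,0x00,0x00,0x10, 'A','B','C','D'
};
static const uint8_t kGoodChunk[] = {   /* length 4 with 4 payload bytes: well formed */
    'V','I','D','O', 0x00,0x00,0x00,0x04, 'A','B','C','D'
};

int main(void)
{
    struct chunk_plan p;
    uint32_t len;

    /* Walk up to and through the wrap: the last eight values land in 0..7. */
    for (len = 0xFFFFFFF6u; len != 0; len++)
        printf("length 0x%08lx -> allocation 0x%08lx%s\n",
               (unsigned long)len, (unsigned long)wrapped_alloc_size(len),
               wrapped_alloc_size(len) < len ? "  (wrapped)" : "");

    if (plan_vulnerable(kBadChunk, sizeof kBadChunk, &p) == 1)
        printf("vulnerable: %s chunk allocates %lu bytes, copies %lu -> heap overflow\n",
               p.tag, (unsigned long)p.alloc_len, (unsigned long)p.copy_len);
    if (plan_hardened(kBadChunk, sizeof kBadChunk, &p) == 0)
        printf("hardened: %s chunk with length 0x%08lx rejected\n",
               p.tag, (unsigned long)p.declared_len);
    return 0;
}
```

    Build with `cc -std=c99 -Wall` and run it. The check
    `declared_len > UINT32_MAX - HDR_OVERHEAD` is the overflow-safe form of
    "will length + overhead wrap?"; writing it as
    `declared_len + HDR_OVERHEAD < declared_len` also works for unsigned
    types, but the subtraction form is the one that survives a later change
    to a signed type. The second check, against the bytes actually remaining,
    is what stops the separate class of lying lengths (kLyingChunk) that do
    not wrap but would read past the end of the file.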

    Vendor Status:
    RealNetworks have released a fix for the vulnerability. It can be obtained
    from their automatic update system. In order to access it, the Tools menu
    contains the option to check for a new update.

    ADDITIONAL INFORMATION

    The information has been provided by Marc Maiffret (mmaiffret@eeye.com),
    eEye Digital Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

