[NEWS] Buffer Overflow Vulnerability In RealPlayer
From: SecuriTeam (support_at_securiteam.com)
Date: 03/07/05
To: list@securiteam.com Date: 7 Mar 2005 10:23:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Buffer Overflow Vulnerability In RealPlayer
------------------------------------------------------------------------
SUMMARY
RealPlayer (http://www.real.com/) is an application for playing various
media formats, developed by RealNetworks Inc.
RealPlayer contains a stack-based buffer overflow in its parser for the
Synchronized Multimedia Integration Language (SMIL) file format. This
could allow a malicious attacker to run arbitrary code on a vulnerable
machine.
DETAILS
Vulnerable Systems:
* Windows RealPlayer 10.5 (6.0.12.1040-1056)
* Windows RealPlayer 10
* Windows RealOne Player v2 (6.0.11.853 - 872)
* Windows RealOne Player v2 (6.0.11.818 - 840)
* Windows RealOne Player v1
* Windows RealPlayer 8
* Windows RealPlayer Enterprise
* Mac RealPlayer 10 (10.0.0.305 - 325)
* Mac RealOne Player
* Linux RealPlayer 10
* Linux Helix Player
Exploitation requires an attacker to craft a malicious .smil and convince
a user to open it. An attacker could also force a web browser to refresh
and automatically load the .smil file from a normal web page under the
attacker's control. In default installations of RealPlayer under Windows,
Internet Explorer will not prompt the user for an action when encountering
a .smil file. It will open it without delay, thus allowing a more
effective method of exploitation.
Vulnerable code:
datatype/smil/renderer/smil1/smlparse.cpp
CSmil1Parser::testAttributeFailed(SMIL1Node* pNode)
line 2878
***
    if(HXR_OK == rc)
    {
        UINT32 ulScreenHeight = 0;
        UINT32 ulScreenWidth = 0;
        const char* pScreenSize = (const char*)pBuf->GetBuffer();
        // format is screen-height "X" screen-width
        char tmp[256]; /* Flawfinder: ignore */
        strcpy(tmp, pScreenSize); /* Flawfinder: ignore */
***
The pBuf object's data pointer (which is what GetBuffer() returns
internally) points at the screen-size attribute in the user-supplied smil
file. Because the value is copied with strcpy() and never length-checked,
a fixed-size 256-byte stack buffer can be overwritten with user-supplied
data. An attacker could use this stack overwrite to manipulate a saved
return address or Structured Exception Handler, allowing for arbitrary
code execution.
In order to trigger this vulnerability, one would need an otherwise valid
smil file with the following line added in an appropriate section:
Note that "LONGSTRING" should be more than 256 bytes in order to cause
stack corruption.
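As an added example (not from the advisory and not RealNetworks' code), a hypothetical hardened replacement for the copy shown above: the attribute value is length-checked against the fixed-size buffer before anything is copied, the copy itself is bounded, and over-long or malformed values are refused instead of truncated. The function names, the 255-byte limit and the sample values are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened parser for the screen-size attribute. The value is
 * attacker-controlled .smil content, so its length is checked against the
 * fixed-size buffer before any copy, and the copy itself is bounded. */
#define SCREEN_SIZE_MAX 255            /* longest attribute value accepted */

/* Parse "<height>X<width>" into *h and *w.
 * Returns 1 on success, 0 if the value is over-long or malformed. */
int parse_screen_size(const char *attr, unsigned long *h, unsigned long *w)
{
    char tmp[SCREEN_SIZE_MAX + 1];
    char *sep, *end;
    size_t len;
    if (attr == NULL)
        return 0;
    /* bounded scan: read at most SCREEN_SIZE_MAX + 1 bytes of the input */
    for (len = 0; len <= SCREEN_SIZE_MAX && attr[len] != '\0'; len++)
        ;
    if (len == 0 || len > SCREEN_SIZE_MAX)
        return 0;                      /* reject; do not silently truncate */
    memcpy(tmp, attr, len);
    tmp[len] = '\0';
    sep = strchr(tmp, 'X');
    if (sep == NULL)
        sep = strchr(tmp, 'x');
    if (sep == NULL || !isdigit((unsigned char)tmp[0])
        || !isdigit((unsigned char)sep[1]))
        return 0;
    *sep = '\0';
    errno = 0;
    *h = strtoul(tmp, &end, 10);
    if (errno != 0 || *end != '\0')
        return 0;
    *w = strtoul(sep + 1, &end, 10);
    return errno == 0 && *end == '\0';
}

/* Constructed check: a 300-byte value, longer than the 256-byte stack buffer
 * in the advisory, must be refused rather than copied. Returns 1 if refused. */
int oversized_value_rejected(void)
{
    char big[301]; unsigned long h, w;
    memset(big, '1', 300); big[300] = '\0';
    return parse_screen_size(big, &h, &w) == 0;
}
```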
Disclosure Timeline:
01/14/2005 Initial vendor notification
01/19/2005 Initial vendor response
03/01/2005 Coordinated public disclosure
Vendor Status:
To keep up to date with the vulnerability see also:
http://service.real.com/help/faq/security/050224_player/EN/
ADDITIONAL INFORMATION
The information has been provided by idlabs-advisories
(idlabs-advisories@idefense.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.