[UNIX] RealNetworks RealPlayer/HelixPlayer RealPix Format String

• Previous message: SecuriTeam: "[UNIX] Bugzilla Multiple Information Leak"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 6 Oct 2005 16:09:22 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  RealNetworks RealPlayer/HelixPlayer RealPix Format String
------------------------------------------------------------------------

SUMMARY

 <http://www.real.com/> RealPlayer is "an application for playing various
media formats, developed by RealNetworks Inc".

Remote exploitation of a format string vulnerability in RealPix (.rp) file
format parser within various versions of RealNetworks Inc.'s RealPlayer
could allow attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Linux RealPlayer 10 versions 10.0.0 to 10.0.5
 * Helix Player versions 10.0.0 to 10.0.5

The vulnerability specifically exists because of the improper usage of a
formatted printing function. When a user specifies an invalid value for
the "timeformat" attribute describing a RealPix file, the data is passed
to the function.

The following stripped down .rp file is sufficient enough to trigger the
vulnerability:
   <imfl>
   <head
   title="iDEFENSE Labs RealPix Vulnerability"
   timeformat="%n%n%n%n%n%n"/>
   </imfl>

Exploitation allows for arbitrary code execution as the user who opened
the .rp file.

Exploitation requires an attacker to craft a malicious .rp file and
convince a user to open it. An attacker could also trick a user to load
the .rp file from a normal web page under the attacker's control; this is
possible if the user has configured their web browser to handle RealPlayer
formats automatically.

Workaround:
Filter .rp attachments at e-mail gateways. Educate users about the risks
of accepting files from untrusted individuals.

Vendor Status:
The vendor had released the following advisory for this vulnerability:
 <http://service.real.com/help/faq/security/050930_player/EN/>
http://service.real.com/help/faq/security/050930_player/EN/

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2710>
CAN-2005-2710

Disclosure Timeline:
 * 23.08.05 - Initial vendor notification
 * 02.09.05 - Initial vendor response
 * 30.09.05 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Bugzilla Multiple Information Leak"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]