[NEWS] RealPlayer pnen3260.dll Heap Overflow

Subject: [NEWS] RealPlayer pnen3260.dll Heap Overflow
Date: 4 Oct 2004 14:09:43 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  RealPlayer pnen3260.dll Heap Overflow
------------------------------------------------------------------------


SUMMARY

RealPlayer (http://www.realnetworks.com/products/media_players.html) is a 
popular multimedia player developed by RealNetworks. One of its features 
is support for RMP files, RealJukebox Metadata Packages. These are XML 
formatted files which may contain, for example, playlists, references to 
skin files (*.rjs), and information about related web pages.

A heap overflow vulnerability inside the pnen3260.dll shared library allows 
a remote attacker to reliably overwrite heap memory with arbitrary data and 
execute arbitrary code in the context of the user opening a crafted .rm 
media file.

DETAILS

Vulnerable Systems:
 * RealPlayer 10.5 (6.0.12.1040 and earlier) for Windows
 * RealPlayer 10 for Windows
 * RealPlayer 8 (Local Playback) for Windows
 * RealOne Player V2 for Windows
 * RealOne Player V1 for Windows
 * RealPlayer 10 Beta for Mac OS X (Local Playback)
 * RealOne Player for Mac OS X (Local Playback)
 * Linux RealPlayer 10 (Local Playback)
 * Helix Player for Linux (Local Playback)

Immune Systems:
 * Updated versions of all products through the automatic update mechanism

By specially crafting a malformed .rm movie file along with a SMIL file, a 
direct heap overwrite is triggered, and reliable code execution is then 
possible. This is possible due to a problem in the pnen3260.dll library 
used by the various affected products.

Among other things, the code in pnen3260.dll is responsible for handling 
.rm files. The vulnerability is triggered by setting the length field of 
the VIDORV30 data chunk to a value in the range 0xFFFFFFF8 through 
0xFFFFFFFF. This causes an integer overflow in the size computation, so 
only a small block of memory is allocated for the chunk. The movie is 
called from a SMIL file to handle the initial exception, and the 
undersized buffer is eventually overflowed.
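As an added illustration, not part of the advisory or of RealNetworks' code, the C below shows the class of length-arithmetic flaw the advisory describes next to a checked parser that rejects such headers. The chunk layout (a 4-byte tag, a 4-byte big-endian length, and an 8-byte header added to the declared length), the function names and the sample bytes are assumptions constructed here; the 8-byte header matches the 0xFFFFFFF8 through 0xFFFFFFFF range the advisory gives, since those values wrap to 0 through 7 when 8 is added in 32-bit arithmetic.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunk layout (an assumption, not the real RM format): a
 * 4-byte tag such as "VIDO", a 4-byte big-endian length, then the payload. */
#define CHUNK_HEADER_SIZE 8u

typedef struct {
    char tag[5];            /* NUL-terminated copy of the 4-byte tag */
    uint32_t len;           /* declared payload length */
    const uint8_t *payload; /* points into the caller's buffer */
} chunk_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The arithmetic an unchecked parser might do: declared length plus header,
 * in 32 bits. For declared lengths 0xFFFFFFF8..0xFFFFFFFF the sum wraps to
 * 0..7, so a tiny block would be allocated while any later copy still trusts
 * the huge declared length. Returned for illustration only; never allocate
 * from an unchecked value like this. */
uint32_t naive_alloc_size(uint32_t declared_len) {
    return declared_len + CHUNK_HEADER_SIZE;
}

/* Hardened parser: rejects a header whose length would wrap the size
 * computation or that claims more bytes than the buffer actually holds.
 * Returns 1 and fills *out on success, 0 on a malformed or unsafe header. */
int parse_chunk_safe(const uint8_t *buf, size_t buflen, chunk_t *out) {
    if (buf == NULL || out == NULL || buflen < CHUNK_HEADER_SIZE)
        return 0;                                   /* truncated header */
    uint32_t declared_len = read_be32(buf + 4);
    if (declared_len > UINT32_MAX - CHUNK_HEADER_SIZE)
        return 0;                                   /* len + header would wrap */
    if ((size_t)declared_len > buflen - CHUNK_HEADER_SIZE)
        return 0;                                   /* claims more data than present */
    memcpy(out->tag, buf, 4);
    out->tag[4] = '\0';
    out->len = declared_len;
    out->payload = buf + CHUNK_HEADER_SIZE;
    return 1;
}

/* Constructed sample inputs (not captured from any real file). */
static const uint8_t GOOD_CHUNK[] = { 'V','I','D','O', 0,0,0,4, 1,2,3,4 };
static const uint8_t WRAP_CHUNK[] = { 'V','I','D','O', 0xFF,0xFF,0xFF,0xF8 };

int main(void) {
    chunk_t c;
    printf("naive size for 0xFFFFFFF8: %" PRIu32 "\n", naive_alloc_size(0xFFFFFFF8u));
    printf("good chunk accepted: %d\n",
           parse_chunk_safe(GOOD_CHUNK, sizeof GOOD_CHUNK, &c));
    printf("wrapping chunk accepted: %d\n",
           parse_chunk_safe(WRAP_CHUNK, sizeof WRAP_CHUNK, &c));
    return 0;
}
```

The two checks in parse_chunk_safe are independent: the first catches the wrap itself, the second catches a length that is arithmetically fine but larger than the data actually read from the file, which is the bound a parser of untrusted media should always enforce before allocating or copying.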

Vendor Status:
RealNetworks have released a fix for the vulnerability. It can be obtained 
from their automatic update system, reached through the Tools menu option 
to check for a new update.


ADDITIONAL INFORMATION

The information has been provided by Marc Maiffret (mmaiffret@eeye.com) of 
eEye Digital Security.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



