
[NEWS] RealNetworks RealPlayer RealText Parsing Heap Overflow

Subject: [NEWS] RealNetworks RealPlayer RealText Parsing Heap Overflow
Date: 27 Jun 2005 12:07:49 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  RealNetworks RealPlayer RealText Parsing Heap Overflow
------------------------------------------------------------------------


SUMMARY

RealPlayer (http://www.real.com/player/?src=realplayer) is "a popular 
media player".

A heap-based buffer overflow in the RealText file format parser of several 
RealPlayer versions can be triggered remotely by a crafted file and allows 
an attacker to execute arbitrary code with the privileges of the user who 
opened it.

DETAILS

Vulnerable Systems:
 * RealPlayer version 10.5 (build 6.0.12.1056)
 * RealPlayer version 10 and 10.0.1.436

Earlier versions of RealPlayer, and the RealOne Player, are suspected to be 
vulnerable as well.

CVE Information:
 CAN-2005-1277 
 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1277

Vulnerable Code:
The vulnerability exists because a string is copied into a fixed-size heap 
buffer with sprintf, which performs no bounds checking. The following 
function from /datatype/text/realtext/fileformat/rtffplin.cpp contains the 
offending code:

STDMETHODIMP CRealTextFileFormat::ReadDone()
[...]
    if (pErrorMessages)
    {
        const char* pFilename = "[rt file]";
        if (m_pFileObject)
        {
            // pFilename now points at the filename carried in the RealText stream
            m_pFileObject->GetFilename(pFilename);
        }
        char* pTmp;
        pTmp = new char[256];                 // fixed 256-byte heap buffer
        sprintf(pTmp,  /* Flawfinder: ignore */ // unbounded copy of pFilename
                "Version in \"%s\" is not recognized installed"
                " RealText file format", pFilename);
        pErrorMessages->Report(HXLOG_ERR,
                               HXR_INVALID_VERSION,
                               0, (const char*) pTmp, NULL);
        HX_RELEASE(pErrorMessages);
        delete [] pTmp;
    }
[...]

The variable pTmp points to a 256-byte heap allocation. pFilename points to 
the filename taken from the RealText stream, which the attacker controls. 
When the sprintf executes, the fixed text of the format string (62 bytes) 
and the entire filename are written into the 256-byte buffer with no length 
check, so a filename of roughly 194 bytes or more writes past the end of the 
allocation. Corrupting the adjacent heap data and allocator metadata in this 
way is what eventually lets an attacker write to arbitrary memory locations 
and execute arbitrary code.
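
The following is an added example, not RealNetworks code. It models the 
error-message construction quoted above in plain C so that the overflow 
bound can be computed rather than guessed, and places two bounded 
replacements beside it. The format string and the 256-byte buffer size are 
the ones the advisory reports; the function names and the all-'A' test 
filenames are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not RealNetworks code.  The format string and the
 * 256-byte buffer size are the ones quoted in the advisory. */
#define RT_MSG_FMT "Version in \"%s\" is not recognized installed RealText file format"
#define RT_BUF_SIZE 256

/* Constructed input: a filename of the given length, all 'A's.  Caller frees. */
static char *rt_make_name(size_t len)
{
    char *name = malloc(len + 1);
    if (!name)
        return NULL;
    memset(name, 'A', len);
    name[len] = '\0';
    return name;
}

/* Bytes, including the terminating NUL, that the original sprintf() would
 * write for a filename of filename_len bytes.  snprintf() with a zero-size
 * destination only measures, so nothing is overrun here. */
size_t rt_message_len(size_t filename_len)
{
    char *name = rt_make_name(filename_len);
    if (!name)
        return 0;
    int n = snprintf(NULL, 0, RT_MSG_FMT, name);
    free(name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if sprintf() into the original new char[256] would write past the end
 * of the allocation for a filename of this length, 0 otherwise. */
int rt_would_overflow(size_t filename_len)
{
    return rt_message_len(filename_len) > RT_BUF_SIZE;
}

/* Hardened form 1: measure first, then allocate exactly what is needed.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *rt_build_message_safe(const char *filename)
{
    int needed = snprintf(NULL, 0, RT_MSG_FMT, filename);
    if (needed < 0)
        return NULL;
    size_t size = (size_t)needed + 1;
    char *msg = malloc(size);
    if (!msg)
        return NULL;
    snprintf(msg, size, RT_MSG_FMT, filename);
    return msg;
}

/* Hardened form 2: keep the fixed 256-byte buffer but bound the write.
 * snprintf() writes at most RT_BUF_SIZE bytes, NUL included, so an
 * over-long filename is truncated instead of overrunning the heap.
 * Returns 1 if truncation happened, 0 otherwise. */
int rt_build_message_fixed(char out[RT_BUF_SIZE], const char *filename)
{
    int n = snprintf(out, RT_BUF_SIZE, RT_MSG_FMT, filename);
    return n >= RT_BUF_SIZE;
}

/* Length of the string rt_build_message_fixed() leaves in its buffer for a
 * filename of filename_len bytes (never more than RT_BUF_SIZE - 1). */
size_t rt_fixed_message_len(size_t filename_len)
{
    char out[RT_BUF_SIZE];
    char *name = rt_make_name(filename_len);
    if (!name)
        return 0;
    rt_build_message_fixed(out, name);
    free(name);
    return strlen(out);
}

int main(void)
{
    /* Smallest filename length at which the original sprintf() overflows. */
    size_t len = 0;
    while (!rt_would_overflow(len))
        len++;
    printf("fixed text: %zu bytes; first overflowing filename length: %zu\n",
           rt_message_len(0) - 1, len);
    char *msg = rt_build_message_safe("[rt file]");
    if (msg) {
        printf("safe message (%zu bytes): %s\n", strlen(msg), msg);
        free(msg);
    }
    printf("bounded buffer with a 300-byte name holds %zu bytes\n",
           rt_fixed_message_len(300));
    return 0;
}
```

Measuring with snprintf(NULL, 0, ...) shows why the bound is 194: the 
format string contributes 62 bytes and the NUL a 63rd, so the 256-byte 
allocation is exhausted once the filename reaches 193 bytes and any longer 
name spills onto the heap. Either hardened form removes the overflow; the 
second keeps the original allocation pattern and is the smaller patch, at 
the cost of silently truncating long filenames in the error message.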

Successful exploitation yields arbitrary code execution as the user who 
opened the RealMedia file. The attacker must craft a malicious RealMedia 
file that embeds RealText and convince a user to open it. Alternatively, a 
web page under the attacker's control can redirect or refresh the browser 
to the RealMedia file, so that it loads without the user choosing to open 
it.

In default installations of RealPlayer on Windows XP, Internet Explorer 
does not prompt the user for most RealMedia files; it hands the file to 
RealPlayer immediately, which makes this an effective delivery method.

Workaround:
Short of removing RealPlayer there is no way to fully protect against this 
vulnerability, but the following steps reduce the risk of automated 
exploitation via the browser. Disable ActiveX controls and plug-ins in 
Internet Explorer if they are not needed for daily operations:

1. In IE, click Tools and select Internet Options from the drop-down 
menu.
2. Click the Security tab, then the Custom Level button.
3. Under ActiveX Controls and Plugins, find Run ActiveX Controls and 
Plugins and select the Disable radio button.

Vendor Status:
The vendor has addressed this issue in the following security advisory, 
which also links to the patch:
http://service.real.com/help/faq/security/050623_player/EN/

Disclosure Timeline:
04/26/2005 - Initial vendor notification
04/26/2005 - Initial vendor response
06/23/2005 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE 
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=250&type=vulnerabilities





