Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability
Date: 27 Jun 2007 10:46:37 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow 
Vulnerability
------------------------------------------------------------------------


SUMMARY

 <http://www.real.com/realplayer.html> RealPlayer is "an application for 
playing various media formats, developed by RealNetworks Inc. HelixPlayer 
is the open source version of RealPlayer". Synchronized Multimedia 
Integration Language ( 
<http://en.wikipedia.org/wiki/Synchronized_Multimedia_Integration_Language> 
SMIL) is "a markup language used to specify the use of several multi-media 
concepts when rendering media. Some such concepts are timing, transitions, and 
embedding". Remote exploitation of a buffer overflow within RealNetworks' 
RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the 
context of the user.

DETAILS

Vulnerable Systems:
 * RealNetworks' RealPlayer and HelixPlayer version 10.5-GOLD

Immune Systems:
 *

The issue specifically exists in the handling of HH:mm:ss.f time formats 
by the 'wallclock' functionality within the code supporting SMIL2. An 
excerpt from the code follows.

   924    HX_RESULT
   925    SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
   926    {
   ...
   957        char buf[10]; /* Flawfinder: ignore */
   ...
   962        while (*pCh)
   963        {
   ...
   972             else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || 
*pCh == 'Z')
   973             {
   974                 // this will find the last +, - or Z... which is 
what we want.
   975                 pTimeZone = pCh;
   976             }
   ...
   982             ++pCh;
   983        }
   ...
  1101        if (pTimePos)
  1102        {
  1103        //HH:MM...
  ....
  1133          if (*(pos-1) == ':')
  1134          {
  ....
  1148            if (*(pos-1) == '.')
  1149            {
  1150            // find end.
  1151            UINT32 len = 0;
  1152            if (pTimeZone)
  1153            {
  1154                len = pTimeZone - pos;
  1155            }
  1156            else
  1157            {
  1158                len = end - pos;
  1159            }
  1160            strncpy(buf, pos, len); /* Flawfinder: ignore */

The stack buffer is declared to be 10 bytes on line 957. You can see that 
it has a comment which will cause the FlawFinder program to ignore this 
buffer.

The loop, which begins on line 962, runs through the parameter to the 
function looking for characters that denote different sections of the time 
format. When it encounters white space, or the +, -, or Z characters it 
will record the location for later use. If a time was located and it 
contains both a colon and a period the vulnerable code will be reached.

The length of data to copy into the stack buffer is calculated either on 
line 1154 or line 1158 depending on whether or not a timezone is present. 
Neither calculations take into consideration the constant length of the 
'buf' buffer and therefore a stack-based buffer overflow can occur on line 
1160. Again, notice that this unsafe use of strncpy() is also marked with 
a FlawFinder ignore comment.

Analysis:
Exploitation requires that an attacker persuade a user to supply 
RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For 
example, this can be accomplished by convincing them to visit a malicious 
web page.

The data that is used to overflow the buffer is quite limited in the range 
of characters that are allowed. However, given the ease of address space 
manipulation within web browsers, exploitation is not substantially 
impacted by this limitation.

The RealPlayer plug-in can be referenced within a web browser by using 
CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA CLSID.

Workaround:
For Windows systems, setting the kill-bit for the associated CLSID, 
despite greatly reducing the media player's functionality, will mitigate 
exploitation. It should be noted that the CLSID listed may not be the only 
CLSID allowing access to the vulnerable code.

Vendor response:
RealNetworks has addressed this vulnerability by releasing fixed versions 
of their software.

RealNetworks has not provided iDefense with any links referring to updated 
packages or advisories. Installing the latest version from their web site 
will address the vulnerability.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3410> 
CVE-2007-3410

Disclosure Timeline:
10/02/2006 - Initial vendor notification
10/03/2006 - Initial vendor response
06/26/2007 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability, SecuriTeam <=
Previous by Date:  [UNIX] Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability, SecuriTeam
Next by Date:  [NEWS] CheckPoint VPN-1 UTM Edge Cross Site Request Forgery Vulnerability, SecuriTeam
Previous by Thread:  [UNIX] Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability, SecuriTeam
Next by Thread:  [NEWS] CheckPoint VPN-1 UTM Edge Cross Site Request Forgery Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]