Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Re

from [Piotr Bania] Network Security [Permanent Link]
Subject: [Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory Corruption
Date: Fri, 26 Oct 2007 06:10:23 +0200 


 RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory 
Corruption
 by Piotr Bania <bania.piotr@gmail.com>
 http://www.piotrbania.com



 Original url (and formating):
 http://www.piotrbania.com/all/adv/realplayer-memory-corruption-adv.txt

 Severity:           Critical - Remote code execution.

 Software affected:  Tested on RealPlayer Version 10.5(newest?) + Harmony
Technology
                     Build: 6.0.12.1483


 Timeline:           02/09/2006 - Advisory sent to RealNetworks
                     05/09/2006 - Initial vendor response
                     25/10/2007 - Advisory released




 I.  BACKGROUND

 Real*Player* is surely one of the most popular media players nowadays
 with over a 200 million of users worldwide.


 II. DESCRIPTION


 The problem exists when Real*Player* parses a special crafted .mov file.
 Here is the vulnerable code:

 --//- snip ----//-----------------------------------------------------

 62448F24   8B4D E2          MOV ECX,DWORD PTR SS:[EBP-1E]     ; (*1)
 62448F27   8B45 DE          MOV EAX,DWORD PTR SS:[EBP-22]
 62448F2A   2BC1             SUB EAX,ECX    ; (*2)
 62448F2C   8B53 17          MOV EDX,DWORD PTR DS:[EBX+17]
 62448F2F   8D3401           LEA ESI,DWORD PTR DS:[ECX+EAX]
 62448F32   8975 FC          MOV DWORD PTR SS:[EBP-4],ESI
 62448F35   3932             CMP DWORD PTR DS:[EDX],ESI
 62448F37   0F82 C2000000    JB rvrender.62448FFF
 62448F3D   8B75 DD          MOV ESI,DWORD PTR SS:[EBP-23]
 62448F40   81E6 FF000000    AND ESI,0FF
 62448F46   3972 14          CMP DWORD PTR DS:[EDX+14],ESI
 62448F49   0F85 B0000000    JNZ rvrender.62448FFF
 62448F4F   8B75 DC          MOV ESI,DWORD PTR SS:[EBP-24]
 62448F52   81E6 FF000000    AND ESI,0FF
 62448F58   837CF2 10 00     CMP DWORD PTR DS:[EDX+ESI*8+10],0
 62448F5D   0F85 9C000000    JNZ rvrender.62448FFF
 62448F63   8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
 62448F66   0377 04          ADD ESI,DWORD PTR DS:[EDI+4]
 62448F69   8B7A 04          MOV EDI,DWORD PTR DS:[EDX+4]      ; (*3)
 62448F6C   8BD1             MOV EDX,ECX
 62448F6E   03F8             ADD EDI,EAX                       ; (*4)
 62448F70   C1E9 02          SHR ECX,2
 62448F73   F3:A5            REP MOVSD                         ; memcpy()
(*5)

 --//- snip ----//-----------------------------------------------------


 Attacker controls the value of ECX registers initialized at 0x62448F24
(*1).
 This is very important since this values are future used with
initialization
 of EDI register (destination for memcpy() (*5)) and its also used as an
 size argument also for memcpy() (*5) operation.

 The content of EAX register seems to be a const value, equal to 0x326.
 It is transformed by sub operation in the following way: EAX = 0x326 -
ECX(*1).
 From this point the value of the EAX remains unchanged.

 At point (*3) you will see the initalization of EDI register, which will
now
 point somewhere inside allocated heap memory block (the size of the parent
 block seems to be always equal to 0xa8000). After the EDI initialization
 it is normalized with EAX value, created in point (*2).

 This leads to an obvious memory corruption, attacker can control ECX and
the
 EDI register, it means that he can control the destination and the size
 while coping the memory. This may lead to a potencial code execution
 on the vulnerable machine.


 III. IMPACT

 Successful exploitation may allow the attacker to run arbitrary code in
 context of user running Real*Player*.


 IV. POC CODE

 Due to severity of this bug i will not publish any poc codes.





best regards,
pb

-- 
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

               - "The more I learn about men, the more I love dogs."


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory Corruption, Piotr Bania <=
Previous by Date:  Re: [Full-disclosure] Google Sacure, Michael Bann
Next by Date:  [Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Corruption, Piotr Bania
Previous by Thread:  [Full-disclosure] [ GLSA 200710-29 ] Sylpheed, Claws Mail: User-assisted remote execution of arbitrary code, Raphael Marichez
Next by Thread:  [Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Corruption, Piotr Bania
Indexes:  [Date] [Thread] [Top] [All Lists]