| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Apr 2005 07:08:47 +0200 From: Piotr Bania <bania.piotr@...il.com> To: SBUGTRAQ <bugtraq@...urityfocus.com>, FULLDISC <full-disclosure@...ts.grok.org.uk> Subject: RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow by Piotr Bania <bania.piotr@...il.com> http://pb.specialised.info Original location: http://pb.specialised.info/all/adv/real-ram-adv.txt Severity: Critical - Remote code execution. Software affected: (WINDOWS) RealPlayer 10.5 (6.0.12.1040 - 1059) RealPlayer 10 RealOne Player v2 RealOne Player v1 RealPlayer 8 RealPlayer Enterprise (MAC) Mac RealPlayer 10 (10.0.0.305 - 331) Mac RealOne Player (LINUX) Linux RealPlayer 10 (10.0.0 - 3) Helix Player (10.0.0 - 3) I. BACKGROUND Real*Player* is surely one of the most popular media players nowadays with over a 200 million of users worldwide. II. DESCRIPTION The problem exists when RealPlayer parses special crafted .ram file. Normaly .ram file looks like that: --CUT-- http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610| \ bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276 --CUT-- this causes RealPlayer to contact "www.host.com" and try to download and play selected clip. The problem exists when host string is too long, like here: --CUT-- http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>. \ .org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \ mft:metafile|cr:1|refsite:276 --CUT-- While parsing such crafted .ram file heap memory is being corrupted at multiple locations, for example: FIRST HEAP CORRUPTION: ----// SNIP SNIP //-------------------------------------------- (MODULE PNEN3260) 01053089 76 0D JBE SHORT pnen3260.01053098 0105308B 8B53 15 MOV EDX,DWORD PTR DS:[EBX+15] 0105308E 890496 MOV DWORD PTR DS:[ESI+EDX*4],EAX<--- 01053091 8B43 15 MOV EAX,DWORD PTR DS:[EBX+15] 01053094 40 INC EAX 01053095 8943 15 MOV DWORD PTR DS:[EBX+15],EAX ----// SNIP SNIP //-------------------------------------------- THE FINAL HEAP OVERWRITE: ----// SNIP SNIP //--------------------------------------------- (MODULE PNCRT - PNCRT!strncpy+0x8b) 60A2FA59 8917 MOV DWORD PTR DS:[EDI],EDX 60A2FA5B 83C7 04 ADD EDI,4 60A2FA5E 49 DEC ECX 60A2FA5F ^74 AF JE SHORT PNCRT.60A2FA10 ----// SNIP SNIP //--------------------------------------------- In the following code EDI points to heap location, and EDX contains read bytes. Instruction at 60A2Fa59 writes value of EDX register into the location where EDI points (heap memory), this causes a heap memory corruption. III. IMPACT Successful exploitation may allow the attacker to run arbitrary code in context of user running RealPlayer. IV. VENDOR RESPONSE I would like to acknowledge the cooperation and responsiveness of the people at RealNetworks. Security patches are available at http://www.real.com. best regards, Piotr Bania -- -------------------------------------------------------------------- Piotr Bania - <bania.piotr@...il.com> - 0xCD, 0x19 Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33 http://pb.specialised.info - Key ID: 0xBE43AC33 -------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists