lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3E8439C8.3050400@coresecurity.com>
Date: Fri, 28 Mar 2003 09:02:16 -0300
From: CORE Security Technologies Advisories <advisories@...esecurity.com>
To: Bugtraq <bugtraq@...urityfocus.com>, vulnwatch@...nwatch.org
Subject: CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability


                         Core Security Technologies Advisory
                             http://www.coresecurity.com

                 RealPlayer PNG deflate heap corruption vulnerability


Date Published: 2003-03-28

Last Update: 2003-03-27

Advisory ID: CORE-2003-0306

Bugtraq ID: 7177

CVE Name: CAN-2003-0141

CERT: VU#705761

Title: RealPlayer PNG deflate heap corruption vulnerability.

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
  http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10

Vendors contacted:
  - RealNetworks
    . Core Notification: 2003-03-07
    . Notification aknowledged by RealNetworks: 2003-03-11
    . Fix provided by RealNetworks and tested by Core: 2003-03-13
    . Release schedule of updatesestablished: 2003-03-19
    . Updates for Consumer Products released: 2003-03-27

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

  RealPlayer is a popular program provided by RealNetworks, Inc. It is
  used to play live video and audio over the net. This programs is able
  to play a great set of media file formats, between them is the PNG
  graphic file format. A vulnerability has been found in the way that
  RealPlayer decompress those files.

  If exploited, this vulnerability allows an attacker to execute
  arbitrary code and obtain a remote command shell with those privileges
  of the user running RealPlayer.


*Vulnerable Packages:*

  . RealOne Player v2 (Win32) [versions: 6.0.11.x,
    where x = .818, .830, .841, .853]
  . RealOne Player v1 (Win32) [version: 6.0.10.505]
  . RealOne Player for OS X   [version: 9.0.0.297, 9.0.0.288]
  . RealPlayer 8/RealPlayer Plus 8 (Win32 & Mac OS 9)
    [version: 6.0.9.584 (Win32 & Mac OS 9)]
  . RealOne Enterprise Desktop (Win32) [version: 6.0.11.774]


*Solution/Vendor Information/Workaround:*

  RealNetworks provides security updates which fix this vulnerability
  in the following page:
  http://service.real.com/help/faq/security/securityupdate_march2003.html

*Credits:*

  This vulnerability was found by Juliano Rizzo, Agustin Azubel Friedman,
  Bruno Acselrad and Carlos Sarraute from Core Security Technologies
  during Bugweek 2003 (March 3-7, 2003).
  Previous problems were found by Drew Copley of eEye Digital Security.

  We would like to thank Jeff Ayars and Haydon Boone from RealNetworks
  for quickly addressing our report and coordinating the generation
  and public release of patches and information regarding this vulnerability.


*Technical Description - Exploit/Concept Code:*

  PNG files are compressed using the deflate algorithm. This algorithm
  is described in the RFC 1951 "DEFLATE Compressed Data Format
  Specification" (see [1]). The compression is performed by searching
  for repetitions of the same data block. When a repetition is found a
  pair of length/offset codes are inserted in the ouput string instead
  of the data block. These codes indicate the distance (in bytes) of the
  beginning of the repeated block respect to the current position, and
  its length (in bytes).
  The algorithm can work in two modes, with fixed or dynamic Huffman
  trees. When fixed trees are used a fixed alphabet of 288 symbols is
  used to represent literals and length codes. The RFC 1951 states:

  "...Literal/length values 286-287 will never actually occur in the
  compressed data, but participate in the code construction..."

  The problem we found in vulnerable implementations of the algorithm is
  that when one of those two codes 286-287 is found in the compressed data,
  a length of 2^32 bytes is assumed.

  A loop starts copying from the offset specified after the length code
  in the compressed bit stream. 2^32 bytes is larger than the size of
  the buffer and also beyond the program address space and larger than the
  available memory, so the loop finally raises an exception when
  it reaches the end of the commited program memory. It allows an
  attacker to fill the program memory after the buffer with a given
  pattern. After the exception is raised a free or malloc function can
  be abused to use the values in the corrupted heap memory to write any
  32bit value to any address in memory. In particular we can overwrite any
  function pointer (for example the unhandled exception filter) and
  control the program execution flow, allowing us to execute arbitrary code
  and obtain (for example) a remote command shell or a Core Impact agent
  with those privileges of the user running RealPlayer.

  This bug has been successfully exploited in RealOne Player 2.0 and
  a Core Impact's module has been made.


*References:*

  [1] http://www.w3.org/Graphics/PNG/RFC-1951
  [2] http://www.libpng.org/pub/png/pngdocs.html
  [3] http://www.eeye.com/html/Research/Advisories/AD20021211.html


*About Core Security Technologies*

  Core Security Technologies develops strategic security solutions for
  Fortune 1000 corporations, government agencies and military
  organizations. The company offers information security software and
  services designed to assess risk and protect and manage information
  assets.
  Headquartered in Boston, MA, Core Security Technologies can be reached
  at 617-399-6980 or on the Web at http://www.coresecurity.com.

  To learn more about CORE IMPACT, the first comprehensive penetration
  testing framework, visit:
  http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

  The contents of this advisory are copyright (c) 2003 CORE Security
  Technologies and may be distributed freely provided that no fee is
  charged for this distribution and proper credit is given.

$Id: RealOne-advisory.txt,v 1.7 2003/03/27 22:14:21 carlos Exp $






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ