lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040210151241.GI26423@jouko.iki.fi>
From: jouko at iki.fi (Jouko Pynnonen)
Subject: Directory traversal in RealPlayer allows code execution


OVERVIEW
========

RealPlayer is a popular multimedia player developed by RealNetworks. 
One of its features are RMP files, RealJukebox Metadata Packages. These 
are XML formatted files which may contain e.g. playlists, references 
to skin files (*.rjs), and information about related web pages.

A directory traversal vulnerability exists in the player allowing 
an attacker to craft an RMP file which may upload files to arbitrary 
locations on the victim system. This leads to arbitrary code execution 
with the currently logged in user's privileges.

RMP files are opened without confirmation if a web page uses e.g. 
JavaScript or an IFRAME tag to reference them, so it is possible to 
carry out the attack without further user interaction when the victim 
visits such web page.



DETAILS
=======

The RMP file may contain references to a number of files as <TRACK> 
tags. The file extension determines how RealPlayer handles the file, 
ie. as audio, video, or a skin file. If the filename ends with ".rjs", 
it's assumed to be a skin file and downloaded to a location under the 
current user's profile folder. For RealOne Player the exact location is

  %USERPROFILE%\Application Data\Real\RealOne Player\skins\file.rjs

An attacker may use "..\" sequences in the file name to cause the skin 
file to be placed outside this folder. With a specially crafted 
filename, an attacker can place an arbitrarily named file with 
arbitrary contents anywhere on the victim system. Overwriting files 
isn't possible as RealPlayer asks for confirmation.

To run a desired program, an attacker can for instance place an HTML 
and EXE file on the victim system by using a single RMP file. The 
"related info" feature of RealPlayer can be used to automatically open 
the HTML file, which can then use JavaScript to launch the EXE file. A 
proof of concept RMP file was created to do this. Use of some unpatched 
Internet Explorer flaws are required for this exploit.

Another way is simply to place an EXE or other program in the current 
user's Startup folder to be launched during the next login. The 
attacker needn't know the login name; a relative path can be used 
because the default folder for skins is already under the user's 
profile folder.



AFFECTED VERSIONS
=================

According to RealNetworks the flaw affects RealOne Player, RealOne 
Player v2, RealOne Enterprise Desktop, RealPlayer Enterprise.



SOLUTION
========

RealNetworks was contacted on November 24, 2003. The vendor has 
produced updates to correct the flaw. Some unrelated vulnerabilities 
found by Mark Litchfield are also fixed. Information about downloading 
and applying the updates can be found here:

http://service.real.com/help/faq/security/040123_player/EN/



CREDITS
=======

The vulnerability was discovered by Jouko Pynn?nen, Finland.



-- 
Jouko Pynn?nen          Web: http://iki.fi/jouko/
jouko@....fi            GSM: +358 41 5504555


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ