Re: RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow
- From: Göran Sandahl <goran@xxxxxxxxxxxx>
- Date: Thu, 21 Apr 2005 23:13:58 +0200
Hi,
Does this overflow affect versions of RealPlayer installable on mobile
platforms too (like Windows PocketPC, CE, mobile et cetera)?
Regards
Göran Sandahl
On Wednesday 20 April 2005 07:08, Piotr Bania wrote:
> RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap
> Overflow
> by Piotr Bania <bania.piotr@xxxxxxxxx>
> http://pb.specialised.info
>
> Original location:
> http://pb.specialised.info/all/adv/real-ram-adv.txt
>
>
> Severity: Critical - Remote code execution.
>
> Software affected: (WINDOWS)
> RealPlayer 10.5 (6.0.12.1040 - 1059)
> RealPlayer 10
> RealOne Player v2
> RealOne Player v1
> RealPlayer 8
> RealPlayer Enterprise
>
> (MAC)
> Mac RealPlayer 10 (10.0.0.305 - 331)
> Mac RealOne Player
>
> (LINUX)
> Linux RealPlayer 10 (10.0.0 - 3)
> Helix Player (10.0.0 - 3)
>
> I. BACKGROUND
>
> Real*Player* is surely one of the most popular media players
> nowadays, with over 200 million users worldwide.
>
> II. DESCRIPTION
>
> The problem exists when RealPlayer parses a specially crafted .ram
> file. Normally a .ram file looks like this:
>
> --CUT--
> http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610| \
> bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276
> --CUT--
>
> This causes RealPlayer to contact "www.host.com" and try to
> download and play the selected clip. The problem exists when the
> host string is too long, like here:
>
> --CUT--
> http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>. \
> .org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \
> mft:metafile|cr:1|refsite:276
> --CUT--
>
> While parsing such a crafted .ram file, heap memory is corrupted
> at multiple locations, for example:
>
> FIRST HEAP CORRUPTION:
>
> ----// SNIP SNIP //--------------------------------------------
> (MODULE PNEN3260)
> 01053089 76 0D JBE SHORT pnen3260.01053098
> 0105308B 8B53 15 MOV EDX,DWORD PTR DS:[EBX+15]
> 0105308E 890496 MOV DWORD PTR DS:[ESI+EDX*4],EAX<---
> 01053091 8B43 15 MOV EAX,DWORD PTR DS:[EBX+15]
> 01053094 40 INC EAX
> 01053095 8943 15 MOV DWORD PTR DS:[EBX+15],EAX
> ----// SNIP SNIP //--------------------------------------------
>
> THE FINAL HEAP OVERWRITE:
>
> ----// SNIP SNIP //---------------------------------------------
> (MODULE PNCRT - PNCRT!strncpy+0x8b)
> 60A2FA59 8917 MOV DWORD PTR DS:[EDI],EDX
> 60A2FA5B 83C7 04 ADD EDI,4
> 60A2FA5E 49 DEC ECX
> 60A2FA5F ^74 AF JE SHORT PNCRT.60A2FA10
> ----// SNIP SNIP //---------------------------------------------
>
>
> In the following code EDI points to a heap location, and EDX
> contains the read bytes. The instruction at 60A2FA59 writes the
> value of the EDX register to the location EDI points to (heap
> memory); this causes a heap memory corruption.
>
>
> III. IMPACT
>
> Successful exploitation may allow the attacker to run arbitrary
> code in the context of the user running RealPlayer.
>
> IV. VENDOR RESPONSE
>
> I would like to acknowledge the cooperation and responsiveness
> of the people at RealNetworks. Security patches are available at
> http://www.real.com.
>
>
> best regards,
> Piotr Bania
--
// Göran Sandahl
// email, goran@xxxxxxxxxxxx
// web, http://gsandahl.net
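The advisory above hinges on a .ram metafile whose host component is far longer than any resolvable DNS name. As an added example (not code from the advisory, from Piotr Bania, or from RealNetworks), here is a defender-side static check that parses each URL line of a .ram file and flags hosts that break the RFC 1035 length limits; the sample metafile, the function names and the limits applied are my own assumptions.

```python
from urllib.parse import urlsplit

# DNS limits (RFC 1035): a whole name is at most 253 characters and each
# dot-separated label at most 63. A host string that exceeds these can never
# resolve, so a .ram line carrying one is either broken or hostile.
MAX_HOST_LEN = 253
MAX_LABEL_LEN = 63

# Constructed sample metafile (not from the advisory): line 1 mirrors the
# benign form shown there, line 3 has an absurdly long host, line 4 is benign.
SAMPLE_RAM = (
    "http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276\n"
    "\n"
    "http://www." + ".".join(["ABC"] * 200) + ".org/media/getmetafile.ram?pinfo=fid:1\n"
    "rtsp://media.example.net/clip.rm\n"
)


def host_problems(host):
    """Return the list of DNS length rules the host string violates."""
    problems = []
    if len(host) > MAX_HOST_LEN:
        problems.append("host length %d > %d" % (len(host), MAX_HOST_LEN))
    for label in host.split("."):
        if not label:
            problems.append("empty label")
            break
        if len(label) > MAX_LABEL_LEN:
            problems.append("label length %d > %d" % (len(label), MAX_LABEL_LEN))
            break
    return problems


def scan_ram(text):
    """Scan .ram metafile text; return (line_no, host, problems) per bad line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no clip reference
        try:
            host = urlsplit(line).hostname
        except ValueError as exc:
            findings.append((line_no, None, ["unparseable URL: %s" % exc]))
            continue
        if host is None:
            findings.append((line_no, None, ["no host in URL"]))
            continue
        problems = host_problems(host)
        if problems:
            findings.append((line_no, host, problems))
    return findings
```

Running `scan_ram(SAMPLE_RAM)` reports only line 3, whose 807-character host exceeds the 253-character limit; such a hit is a reason to quarantine the metafile before a legacy player ever parses it.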