[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Heap overflow in RealPlayer 14.0.1.633



#######################################################################

                             Luigi Auriemma

Application:  RealPlayer
              http://www.real.com
Versions:     <= 14.0.1.633
Platforms:    Windows, Macintosh OSX, Linux, Symbian, Palm
Bug:          heap overflow
Exploitation: remote
Date:         21 Mar 2011 (found 17 Feb 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


RealPlayer is an ugly media player developed by RealNetwork and used
mainly for its browser's plugin supporting the proprietary file formats
of its developer.


#######################################################################

======
2) Bug
======


Classical heap overflow during the handling of the IVR files caused by
the allocation of a certain amount of data (frame size) decided by the
attacker and the copying of another arbitrary amount on the same
buffer.
From rvrender.dll (base address 63AE0000):

  63AF5C70  /$ 55                 PUSH EBP
  63AF5C71  |. 8BEC               MOV EBP,ESP
  63AF5C73  |. 83EC 20            SUB ESP,20
  63AF5C76  |. 8B55 08            MOV EDX,DWORD PTR SS:[EBP+8]
  63AF5C79  |. 56                 PUSH ESI
  63AF5C7A  |. 57                 PUSH EDI
  63AF5C7B  |. 8B7A 04            MOV EDI,DWORD PTR DS:[EDX+4]
                                ; byte at offset 0x7800 of the PoC
  63AF5C7E  |. 8A07               MOV AL,BYTE PTR DS:[EDI]
  63AF5C80  |. 24 E0              AND AL,0E0
  63AF5C82  |. 33F6               XOR ESI,ESI
  63AF5C84  |. 894D F8            MOV DWORD PTR SS:[EBP-8],ECX
                                ; (byte & 0xe0) == 0xe0
  63AF5C87  |. 3C E0              CMP AL,0E0
  63AF5C89  |. 0F85 46010000      JNZ rvrender.63AF5DD5
                                ; 32bit value at offset 0x77f8 (alloc)
  63AF5C8F  |. 8B0A               MOV ECX,DWORD PTR DS:[EDX]
  63AF5C91  |. 47                 INC EDI
  63AF5C92  |. 83E9 01            SUB ECX,1
  63AF5C95  |. 8975 FC            MOV DWORD PTR SS:[EBP-4],ESI
  63AF5C98  |. 8975 E8            MOV DWORD PTR SS:[EBP-18],ESI
  63AF5C9B  |. C745 EC 01000000   MOV DWORD PTR SS:[EBP-14],1
  63AF5CA2  |. 894D F0            MOV DWORD PTR SS:[EBP-10],ECX
  63AF5CA5  |. 0F84 38010000      JE rvrender.63AF5DE3
  63AF5CAB  |. 53                 PUSH EBX
  63AF5CAC  |. 8D6424 00          LEA ESP,DWORD PTR SS:[ESP]
  63AF5CB0  |> 57                 /PUSH EDI
  63AF5CB1  |. 8D4D FC            |LEA ECX,DWORD PTR SS:[EBP-4]
  63AF5CB4  |. 51                 |PUSH ECX
  63AF5CB5  |. 8D55 E8            |LEA EDX,DWORD PTR SS:[EBP-18]
  63AF5CB8  |. 52                 |PUSH EDX
  63AF5CB9  |. E8 92010000        |CALL rvrender.63AF5E50
  63AF5CBE  |. 03F8               |ADD EDI,EAX
  63AF5CC0  |. 8945 E4            |MOV DWORD PTR SS:[EBP-1C],EAX
  63AF5CC3  |. 66:0FB607          |MOVZX AX,BYTE PTR DS:[EDI]
  63AF5CC7  |. 0FB7C8             |MOVZX ECX,AX
  63AF5CCA  |. 83C4 0C            |ADD ESP,0C
  63AF5CCD  |. 84C9               |TEST CL,CL
  63AF5CCF  |. 79 0D              |JNS SHORT rvrender.63AF5CDE
  63AF5CD1  |. 83E1 7F            |AND ECX,7F
  63AF5CD4  |. 894D F4            |MOV DWORD PTR SS:[EBP-C],ECX
  63AF5CD7  |. B8 01000000        |MOV EAX,1
  63AF5CDC  |. EB 1E              |JMP SHORT rvrender.63AF5CFC
  63AF5CDE  |> 66:0FB64F 01       |MOVZX CX,BYTE PTR DS:[EDI+1]
  63AF5CE3  |. C1E0 08            |SHL EAX,8
  63AF5CE6  |. 66:0BC8            |OR CX,AX
  63AF5CE9  |. BA FF7F0000        |MOV EDX,7FFF
  63AF5CEE  |. 66:23CA            |AND CX,DX
                                ; 16bit at offset 0x7805
  63AF5CF1  |. 0FB7C1             |MOVZX EAX,CX
  63AF5CF4  |. 8945 F4            |MOV DWORD PTR SS:[EBP-C],EAX
  63AF5CF7  |. B8 02000000        |MOV EAX,2
  63AF5CFC  |> 0FB7D8             |MOVZX EBX,AX
  63AF5CFF  |. 6A 18              |PUSH 18
  63AF5D01  |. 03FB               |ADD EDI,EBX
  63AF5D03  |. E8 FC120000        |CALL <JMP.&MSVCR90.operator new>
  63AF5D08  |. 8BF0               |MOV ESI,EAX
  63AF5D0A  |. 83C4 04            |ADD ESP,4
  63AF5D0D  |. 85F6               |TEST ESI,ESI
  63AF5D0F  |. 74 7F              |JE SHORT rvrender.63AF5D90
  63AF5D11  |. 8B4D FC            |MOV ECX,DWORD PTR SS:[EBP-4]
  63AF5D14  |. 51                 |PUSH ECX
  63AF5D15  |. 8B4D F8            |MOV ECX,DWORD PTR SS:[EBP-8]
  63AF5D18  |. E8 D3F2FFFF        |CALL rvrender.63AF4FF0
  63AF5D1D  |. 85C0               |TEST EAX,EAX
  63AF5D1F  |. 75 0B              |JNZ SHORT rvrender.63AF5D2C
  63AF5D21  |. 56                 |PUSH ESI
  63AF5D22  |. E8 E3120000        |CALL <JMP.&MSVCR90.operator delete>
  63AF5D27  |. 83C4 04            |ADD ESP,4
  63AF5D2A  |. 33F6               |XOR ESI,ESI
  63AF5D2C  |> 8B55 F8            |MOV EDX,DWORD PTR SS:[EBP-8]
  63AF5D2F  |. 8B0A               |MOV ECX,DWORD PTR DS:[EDX]
  63AF5D31  |. 8B01               |MOV EAX,DWORD PTR DS:[ECX]
  63AF5D33  |. 8B40 0C            |MOV EAX,DWORD PTR DS:[EAX+C]
  63AF5D36  |. 8D55 E0            |LEA EDX,DWORD PTR SS:[EBP-20]
  63AF5D39  |. 52                 |PUSH EDX
  63AF5D3A  |. FFD0               |CALL EAX
  63AF5D3C  |. 8946 04            |MOV DWORD PTR DS:[ESI+4],EAX
  63AF5D3F  |. 85C0               |TEST EAX,EAX
  63AF5D41  |. 74 4D              |JE SHORT rvrender.63AF5D90
  63AF5D43  |. 8B4D 08            |MOV ECX,DWORD PTR SS:[EBP+8]
  63AF5D46  |. 66:8B51 0C         |MOV DX,WORD PTR DS:[ECX+C]
  63AF5D4A  |. 66:8956 0C         |MOV WORD PTR DS:[ESI+C],DX
  63AF5D4E  |. 0FB755 F4          |MOVZX EDX,WORD PTR SS:[EBP-C]
  63AF5D52  |. 0351 08            |ADD EDX,DWORD PTR DS:[ECX+8]
  63AF5D55  |. 837D EC 00         |CMP DWORD PTR SS:[EBP-14],0
  63AF5D59  |. 8956 08            |MOV DWORD PTR DS:[ESI+8],EDX
  63AF5D5C  |. 0FB749 0E          |MOVZX ECX,WORD PTR DS:[ECX+E]
  63AF5D60  |. 66:894E 0E         |MOV WORD PTR DS:[ESI+E],CX
  63AF5D64  |. 75 0A              |JNZ SHORT rvrender.63AF5D70
  63AF5D66  |. 81E1 FDFF0000      |AND ECX,0FFFD
  63AF5D6C  |. 66:894E 0E         |MOV WORD PTR DS:[ESI+E],CX
  63AF5D70  |> C746 14 00000000   |MOV DWORD PTR DS:[ESI+14],0
  63AF5D77  |. C706 00000000      |MOV DWORD PTR DS:[ESI],0
  63AF5D7D  |. 8B4D FC            |MOV ECX,DWORD PTR SS:[EBP-4]
  63AF5D80  |. 51                 |PUSH ECX     ; 32bit at offset 0x7801
  63AF5D81  |. 57                 |PUSH EDI     ; our data
  63AF5D82  |. 50                 |PUSH EAX     ; heap buffer
  63AF5D83  |. E8 F8160000        |CALL <JMP.&MSVCR90.memcpy>   ; memcpy
  63AF5D88  |. 8B55 FC            |MOV EDX,DWORD PTR SS:[EBP-4]
  63AF5D8B  |. 83C4 0C            |ADD ESP,0C
  63AF5D8E  |. 8916               |MOV DWORD PTR DS:[ESI],EDX
  63AF5D90  |> 8B4D E4            |MOV ECX,DWORD PTR SS:[EBP-1C]
  63AF5D93  |. 8B45 FC            |MOV EAX,DWORD PTR SS:[EBP-4]
  63AF5D96  |. 8D140B             |LEA EDX,DWORD PTR DS:[EBX+ECX]
  63AF5D99  |. 8B5D F0            |MOV EBX,DWORD PTR SS:[EBP-10]
  63AF5D9C  |. 8B4D F8            |MOV ECX,DWORD PTR SS:[EBP-8]
  63AF5D9F  |. 03D0               |ADD EDX,EAX
  63AF5DA1  |. 2BDA               |SUB EBX,EDX
  63AF5DA3  |. 56                 |PUSH ESI
  63AF5DA4  |. 03F8               |ADD EDI,EAX
  63AF5DA6  |. 895D F0            |MOV DWORD PTR SS:[EBP-10],EBX
  63AF5DA9  |. E8 D2FCFFFF        |CALL rvrender.63AF5A80
  63AF5DAE  |. 56                 |PUSH ESI
  63AF5DAF  |. 8945 E4            |MOV DWORD PTR SS:[EBP-1C],EAX
  63AF5DB2  |. E8 53120000        |CALL <JMP.&MSVCR90.operator delete>
  63AF5DB7  |. 83C4 04            |ADD ESP,4
  63AF5DBA  |. C745 EC 00000000   |MOV DWORD PTR SS:[EBP-14],0
  63AF5DC1  |. 85DB               |TEST EBX,EBX
  63AF5DC3  |.^0F85 E7FEFFFF      \JNZ rvrender.63AF5CB0
  63AF5DC9  |. 8B45 E4            MOV EAX,DWORD PTR SS:[EBP-1C]
  63AF5DCC  |. 5B                 POP EBX
  63AF5DCD  |. 5F                 POP EDI
  63AF5DCE  |. 5E                 POP ESI
  63AF5DCF  |. 8BE5               MOV ESP,EBP
  63AF5DD1  |. 5D                 POP EBP
  63AF5DD2  |. C2 0400            RETN 4


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/real_5.zip

the amount of data to copy is the 32bit big endian value located at
offset 0x7801 of real_5.ivr.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org