Search This Blog

Monday, June 27, 2005

[NEWS] RealNetworks RealPlayer RealText Parsing Heap Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

RealNetworks RealPlayer RealText Parsing Heap Overflow
------------------------------------------------------------------------

SUMMARY

<http://www.real.com/player/?src=realplayer> RealPlayer is "a popular
media player".

Remote exploitation of a heap-based buffer overflow vulnerability in the
RealText file format parser within various versions of RealPlayer could
allow attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
* RealPlayer version 10.5 6.0.12.1056
* RealPlayer version 10 and 10.0.1.436

It is suspected that previous versions of RealPlayer are also vulnerable.
It is also suspected that RealOne player is vulnerable.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1277>
CAN-2005-1277

Vulnerable Code:
The vulnerability specifically exists because of a string copying
operating into a fixed size heap buffer using the sprintf function. The
following function from /datatype/text/realtext/fileformat/rtffplin.cpp is
the offending code:

STDMETHODIMP CRealTextFileFormat::ReadDone()
[...]
if (pErrorMessages)
{
const char* pFilename = "[rt file]";
if(m_pFileObject)
{
m_pFileObject->GetFilename(pFilename);
}
char* pTmp;
pTmp = new char[256];
sprintf(pTmp, /* Flawfinder: ignore */

"Version in \"%s\" is not recognized installed"

" RealText file format",pFilename);
pErrorMessages->Report(HXLOG_ERR,
HXR_INVALID_VERSION,
0, (const char*) pTmp, NULL);
HX_RELEASE(pErrorMessages);
delete [] pTmp;
}
[...]

The variable pTmp points to 256 bytes of space on the heap. pFilename is a
string pointer that points to data supplied in the RealText stream. When
the sprintf is executed, the data is copied into the 256 byte heap buffer
without any length checking, thus allowing a heap overflow to occur. Once
the heap is overflown, an attacker can eventually write to arbitrary
locations in memory, allowing for the execution of arbitrary code.

Exploitation allows for arbitrary code execution as the user who opened
the RealMedia file. Exploitation requires an attacker to craft a malicious
RealMedia file that uses RealText and convince a user to open it. An
attacker could also force a web browser to refresh and automatically load
the RealMedia file from a normal web page under the attacker's control.

In default installations of RealPlayer under Windows XP, Internet Explorer
will not prompt the user for an action when encountering most RealMedia
files. It will open the file without delay, thus providing an effective
method of exploitation.

Workaround:
Although there is no way to completely protect yourself from this
vulnerability, aside from removing the RealPlayer software, the following
actions may be taken to minimize risk for automated exploitation. Disable
ActiveX controls and plugins, if not necessary for daily operations, using
the following steps:

1. In IE, click on Tools and select Internet Options from the drop-down
menu.
2. Click the Security tab and the Custom Level button.
3. Under ActiveX Controls and Plugins, then Run Activex Controls and
Plugins, click the Disable radio button.

Vendor Status:
The vendor has addressed this issue in the following security advisory.
The patch can be found at:
<http://service.real.com/help/faq/security/050623_player/EN/>
http://service.real.com/help/faq/security/050623_player/EN/

Disclosure Timeline:
04/26/2005 - Initial vendor notification
04/26/2005 - Initial vendor response
06/23/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by <mailto:iDEFENSE>
idlabs-advisories@idefense.com.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=250&type=vulnerabilities> www.idefense.com/application/poi/display?id=250&type=vulnerabilities

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: