exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Realplayer Watchfolders Long Filepath Overflow

Realplayer Watchfolders Long Filepath Overflow
Posted Oct 26, 2012
Authored by Joseph Sheridan | Site reactionpenetrationtesting.co.uk

Realplayer version 15.0.5.109 is vulnerable to a stack buffer overflow vulnerability in the 'Watch Folders' facility.

tags | advisory, overflow
advisories | CVE-2012-4987
SHA-256 | 4574d497f5b7de99ddcba37f9338d21972b688102da3b115f156e7604e82c00b

Realplayer Watchfolders Long Filepath Overflow

Change Mirror Download
Realplayer Watchfolders Long Filepath Overflow by Joseph Sheridan

Summary

Realplayer version 15.0.5.109 is vulnerable to a stack buffer overflow vulnerability in the 'Watch Folders' facility.

CVE number: CVE-2012-4987
Impact: High
Vendor homepage: http://www.real.com
Vendor notified: 10/09/2012
Vendor response: The vendor initially responded to say that a representative would be in touch regarding the bug but no contact was made and no reply was made to several further emails.
Credit: Joseph Sheridan of ReactionIS

Affected Products

Realplayer version 15.0.5.109, other versions may also be affected.

Details

A default Realplayer install has a 'Watch Folders' function which scans a (configurable) list of folders including Downloads and My Documents etc. If there is an overly long directory path (i.e. > 256 characters) then a null byte on the stack is overwritten and a buffer overflow subsequently occurs. As the following event log details show, it is possible to take full control of EIP:

Faulting application name: RealPlay.exe, version: 15.0.5.109,
time stamp: 0x4fe37037
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x61616161
Faulting process id: 0x157c
Faulting application start time: 0x01cd7c9f57dcb90d

The payload could be delivered by enticing a victim to extract a malicious zip file containing a random file with an overly long directory structure containing the exploit code.

Impact

An attacker may be able to take full control of the host and execute arbitrary code.

Solution

No known solution at this time.

About ReactionIS

Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality security testing services including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close