
realplayeroverrun.txt

Posted Nov 24, 2002
Authored by Mark Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory #NISR22112002 - Multiple Buffer Overruns in RealOne / RealPlayer / RealOne Enterprise. Three remotely exploitable overruns exist: two being heap based overflows and the other being a stack based overflow. On exploitation of these overruns any supplied code would execute in the security context of the logged on user.

tags | overflow
SHA-256 | 4c45143df7581f419149bb29354b7898f743178a4437690f3558d6fdc69fb9cb

NGSSoftware Insight Security Research Advisory

Name: Multiple Buffer Overruns RealOne / RealPlayer / RealOne Enterprise Desktop
Systems Affected: Windows All
Severity: Critical
Category: Remote Buffer Overrun
Vendor URL: http://www.real.com/
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 22nd November 2002
Advisory number: #NISR22112002


Description
***********
RealOne / RealPlayer is one of the most widely used products for internet
media delivery. According to Real, there are currently around 115 million
users worldwide of these products. RealOne is the updated version of
RealPlayer. Both suffer from multiple overrun issues.

Details
*******
This advisory details three remotely exploitable overruns, two being heap
based overflows and the other being a stack based overflow. On exploitation
of these overruns any supplied code would execute in the security context of
the logged on user.

1) By following a link to a SMIL file (Synchronized Multimedia Integration
Language), RealPlayer will automatically download the file in an attempt to
play its content. By supplying an overly long parameter within the SMIL file
a heap overflow would occur in RealPlay.exe. According to Real, they have
fixed the issue by fixing the player status code to handle the cases where
there are a large number of characters in the metadata of a SMIL file.

2) By supplying an overly long rtsp:// filename parameter, for example
within a .m3u file, when a link was followed, Real again would download the
file. When play is selected a heap overflow occurs in RealPlay.exe. This
has apparently been fixed by Real by improving the robustness of URL
handling in this portion of the product.

3) Again, referring to number two, if the 'victim' were to download the file
with a large filename (whether it was a local, rtsp or http URL), RealPlayer
would cause an access violation when the user performed either of the
following: right click in "Now Playing" and select "Edit Clip info", or right
click in "Now Playing" and select "Copy to my Library". In this particular
instance a stack overflow would occur in RealPlayer.
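
A defensive check for issues 1 and 2, added here as an example and not part of the NGSSoftware advisory: it flags over-long playlist entries and SMIL attribute values before a file is handed to a player. The 1024-character limit, the function names and the sample data are assumptions; the advisory states no length threshold.

```python
import re

MAX_LEN = 1024  # assumed policy limit; the advisory states no threshold

# Quoted attribute values, matched by regex so malformed SMIL is still scanned.
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*(["\'])(.*?)\2', re.DOTALL)

def scan_m3u(text, limit=MAX_LEN):
    """Return (line_number, scheme, length) for each over-long playlist entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):  # blank line or #EXTM3U/#EXTINF
            continue
        if len(entry) > limit:
            # Issue 3 covers local, rtsp and http names, so record which it is.
            scheme = entry.split("://", 1)[0].lower() if "://" in entry[:16] else "local"
            findings.append((number, scheme, len(entry)))
    return findings

def scan_smil(text, limit=MAX_LEN):
    """Return (attribute_name, length) for each over-long SMIL attribute value."""
    return [(m.group(1), len(m.group(3)))
            for m in ATTR_RE.finditer(text) if len(m.group(3)) > limit]

# Constructed samples (not taken from the advisory).
SAMPLE_M3U = "\n".join([
    "#EXTM3U",
    "rtsp://media.example.invalid/clip.rm",
    "rtsp://media.example.invalid/" + "A" * 5000 + ".rm",
])
SAMPLE_SMIL = (
    '<smil><head>'
    '<meta name="title" content="Demo clip"/>'
    '<meta name="author" content="' + "B" * 3000 + '"/>'
    '</head><body><video src="rtsp://media.example.invalid/clip.rm"/></body></smil>'
)

if __name__ == "__main__":
    for hit in scan_m3u(SAMPLE_M3U):
        print("m3u line %d (%s): %d characters" % hit)
    for hit in scan_smil(SAMPLE_SMIL):
        print("smil attribute %s: %d characters" % hit)
```

Run at a mail or web gateway, a check like this only reduces exposure on unpatched clients; the fix remains the vendor patch described under Fix Information.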


Fix Information
***************
NGSSoftware alerted Real to these problems on the 1st November 2002.
NGSSoftware highly recommend installing the patch found at
http://service.real.com/help/faq/security/bufferoverrun_player.html.
Alternatively if you Open RealPlayer - Help - About Real Player, you will
notice a Check For Updates feature. Select this.

In Real's own advisory they omit the fact that RealOne Enterprise Desktop is
also vulnerable, but only to issues 2 & 3.


Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
