
real-ram-adv.txt
Posted Jun 1, 2005
Authored by Piotr Bania

RealNetworks RealPlayer, RealOne Player, and Helix Player all suffer from a remote heap overflow that allows for remote code execution.

tags | advisory, remote, overflow, code execution
SHA-256 | f5dfc6020b55f720a8cbcc1e223a699e696def7db5ae15407dbb1fa62bf5b52f




RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow
by Piotr Bania <bania.piotr@gmail.com>
http://pb.specialised.info

Original location:
http://pb.specialised.info/all/adv/real-ram-adv.txt


Severity: Critical - Remote code execution.

Software affected: (WINDOWS)
RealPlayer 10.5 (6.0.12.1040 - 1059)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise

(MAC)
Mac RealPlayer 10 (10.0.0.305 - 331)
Mac RealOne Player

(LINUX)
Linux RealPlayer 10 (10.0.0 - 3)
Helix Player (10.0.0 - 3)





I. BACKGROUND

RealPlayer is surely one of the most popular media players
today, with over 200 million users worldwide.

II. DESCRIPTION

The problem exists when RealPlayer parses a specially crafted .ram
file. Normally a .ram file looks like this:

--CUT--
http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610| \
bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276
--CUT--

This causes RealPlayer to contact "www.host.com" and try to
download and play the selected clip. The problem occurs when the host
string is too long, as here:

--CUT--
http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>. \
.org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \
mft:metafile|cr:1|refsite:276
--CUT--

While parsing such a crafted .ram file, heap memory is
corrupted at multiple locations, for example:

FIRST HEAP CORRUPTION:

----// SNIP SNIP //--------------------------------------------
(MODULE PNEN3260)
01053089 76 0D JBE SHORT pnen3260.01053098
0105308B 8B53 15 MOV EDX,DWORD PTR DS:[EBX+15]
0105308E 890496 MOV DWORD PTR DS:[ESI+EDX*4],EAX<---
01053091 8B43 15 MOV EAX,DWORD PTR DS:[EBX+15]
01053094 40 INC EAX
01053095 8943 15 MOV DWORD PTR DS:[EBX+15],EAX
----// SNIP SNIP //--------------------------------------------

THE FINAL HEAP OVERWRITE:

----// SNIP SNIP //---------------------------------------------
(MODULE PNCRT - PNCRT!strncpy+0x8b)
60A2FA59 8917 MOV DWORD PTR DS:[EDI],EDX
60A2FA5B 83C7 04 ADD EDI,4
60A2FA5E 49 DEC ECX
60A2FA5F ^74 AF JE SHORT PNCRT.60A2FA10
----// SNIP SNIP //---------------------------------------------


In the code above, EDI points to a heap location and EDX
contains bytes read from the file. The instruction at 60A2FA59 writes
the value of the EDX register into the location EDI points to (heap
memory); this is what corrupts the heap.
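The copy loop shown above runs with a length taken from the input rather than from the destination buffer. The following is an added illustration (not RealPlayer's or the author's code) of how a .ram host component can be extracted with the length checked before the copy; the 253-character limit and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum host length this parser accepts (RFC 1035 caps a full domain
   name at 253 characters). A constructed limit for the example, not a
   RealPlayer value. */
#define MAX_HOST 253

/* Extract the host component of an http:// URL from a .ram line into
   `out` (capacity `outsz`). Returns the host length on success, or -1
   if the line is malformed or the host would not fit in `out`.
   The length is validated BEFORE anything is copied, which is the
   check the strncpy-based copy in the advisory lacked. */
int ram_extract_host(const char *line, char *out, size_t outsz)
{
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *host = line + plen;
    /* the host ends at the first '/', ':', whitespace, or end of string */
    size_t hlen = strcspn(host, "/: \t\r\n");
    if (hlen == 0 || hlen > MAX_HOST || hlen >= outsz)
        return -1;                    /* refuse instead of overflowing */
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return (int)hlen;
}

/* Convenience check for scanning .ram files: 1 if the line carries a
   host that would be rejected, 0 otherwise. */
int ram_line_is_suspicious(const char *line)
{
    char host[MAX_HOST + 1];
    return ram_extract_host(line, host, sizeof host) < 0;
}

int main(void)
{
    /* constructed samples modelled on the advisory's two .ram lines */
    const char *ok = "http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610";
    char bad[600] = "http://";
    for (int i = 0; i < 140; i++) strcat(bad, "ABC.");   /* 560-char host */
    strcat(bad, "org/media/getmetafile.ram");
    char host[MAX_HOST + 1];
    printf("ok  -> %d\n", ram_extract_host(ok, host, sizeof host));   /* 12 */
    printf("bad -> %d\n", ram_extract_host(bad, host, sizeof host));  /* -1 */
    return 0;
}
```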


III. IMPACT

Successful exploitation may allow an attacker to run arbitrary
code in the context of the user running RealPlayer.

IV. VENDOR RESPONSE

I would like to acknowledge the cooperation and responsiveness
of the people at RealNetworks. Security patches are available at
http://www.real.com.



best regards,
Piotr Bania

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info - Key ID: 0xBE43AC33
--------------------------------------------------------------------