what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2006-03-23.t

iDEFENSE Security Advisory 2006-03-23.t
Posted Apr 1, 2006
Authored by iDefense Labs, iDefense | Site labs.idefense.com

iDefense Security Advisory 03.23.06 - RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap Overflow Vulnerability

tags | advisory, overflow
SHA-256 | 9fa110f4e1aa43d75d538dcf1464752590a31a66647589c0cc942f5c2f32ecb6

iDEFENSE Security Advisory 2006-03-23.t

Change Mirror Download
RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap 
Overflow Vulnerability

iDefense Security Advisory 03.23.06
March 23, 2006


RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. For more information, visit


Remote exploitation of a heap-based buffer overflow in RealNetwork Inc's
RealPlayer could allow the execution of arbitrary code in the context of
the currently logged in user.

The vulnerability specifically exists in the handling of the 'chunked'
Transfer-Encoding method. This method breaks the file the server is
sending up into 'chunks'. For each chunk, the server first sends the
length of the chunk in hexadecimal, followed by the chunk data. This is
repeated until there are no more chunks. The server then sends a chunk
length of 0 indicating the end of the transfer.

There are multiple ways of triggering this vulnerability.

* Sending a well-formed chunk header with a length of -1 (FFFFFFFF)
followed by malicious data.
* Sending a well-formed chunk header with a length specified which
is less
than the amount of data that will be sent,
followed by malicious data.
* Not sending a chunk header before sending malicious data.

Each of these cases result in a heap overflow. Depending on the versions
used, certain of these cases will not cause exploitable issues. However,
the last case appears to be reliable in triggering a crash.


Successful exploitation allows a remote attacker to execute arbitrary
code with the privileges of the currently logged in user. In order to
exploit this vulnerability, an attacker would need to entice a user to
follow a link to a malicious server. Once the user visits a website
under the control of an attacker, it is possible in a default install of
RealPlayer to force a web-browser to use RealPlayer to connect to an
arbitrary server, even when it is not the default application for
handling those types, by the use of embedded object tags in a webpage.
This may allow automated exploitation when the page is viewed.

As the client sends its version information as part of the request, it
would be possible for an attacker to create a malicious server which
uses the appropriate offsets and shellcode for each version and platform
of the client.


iDefense has confirmed the existence of this vulnerability in RealPlayer
Version 10.4 and 10.5 for Windows and Both RealPlayer 10.4 and Helix
Player 1.4 for Linux.

The vendor has stated that the following versions are vulnerable:
* RealPlayer 10.5 (
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8

It is suspected that previous versions of RealPlayer and Helix Player
are affected by this vulnerability.


Although there is no way to completely protect yourself from this
vulnerability, aside from removing the RealPlayer software, the
following actions may be taken to minimize the risk of automated

Disable ActiveX controls and plugins, if not necessary for daily
operations, using the following steps:

1. In IE, click on Tools and select Internet Options from the drop-down
2. Click the Security tab and the Custom Level button.
3. Under ActiveX Controls and Plugins, then Run Activex Controls and
click the Disable radio button.

In general, exploitation requires that a targeted user be socially
engineered into visiting a link to a server controlled by an attacker.
As such, do not visit unknown/untrusted website and do not follow
suspicious links.

When possible, run client software, especially applications such as IM
clients, web browsers and e-mail clients, from regular user accounts
with limited access to system resources. This may limit the immediate
consequences of client-side vulnerabilities such as this.


Information from the vendor about this vulnerability is available at to
following URL:



The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2922 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.


09/08/2005 Initial vendor notification
09/09/2005 Initial vendor response
03/23/2006 Public disclosure


This vulnerability was found internally by Greg MacManus of iDefense Labs.

Get paid for vulnerability research

Free tools, research and upcoming events


Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By