
iDEFENSE Security Advisory 2006-03-23.t

Posted Apr 1, 2006
Authored by iDefense Labs, iDefense | Site labs.idefense.com

iDefense Security Advisory 03.23.06 - RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap Overflow Vulnerability

tags | advisory, overflow
SHA-256 | 9fa110f4e1aa43d75d538dcf1464752590a31a66647589c0cc942f5c2f32ecb6

RealNetworks RealPlayer and Helix Player Invalid Chunk Size Heap 
Overflow Vulnerability

iDefense Security Advisory 03.23.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404
March 23, 2006

I. BACKGROUND

RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. For more information, visit
http://www.real.com/.

II. DESCRIPTION

Remote exploitation of a heap-based buffer overflow in RealNetworks Inc.'s
RealPlayer could allow the execution of arbitrary code in the context of
the currently logged in user.

The vulnerability specifically exists in the handling of the 'chunked'
Transfer-Encoding method. This method breaks the file the server is
sending into 'chunks'. For each chunk, the server first sends the
length of the chunk in hexadecimal, followed by the chunk data. This is
repeated until there are no more chunks. The server then sends a chunk
length of 0 indicating the end of the transfer.

There are multiple ways of triggering this vulnerability.

* Sending a well-formed chunk header with a length of -1 (FFFFFFFF)
followed by malicious data.
* Sending a well-formed chunk header with a length specified which is
less than the amount of data that will be sent, followed by malicious
data.
* Not sending a chunk header before sending malicious data.

Each of these cases results in a heap overflow. Depending on the versions
used, some of these cases will not cause exploitable issues. However,
the last case appears to be reliable in triggering a crash.
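The chunk-size handling described above, as an added example that is not part of the advisory and not RealNetworks' code: a bounds-checked chunked decoder in C that treats the declared chunk size as untrusted input. It rejects each of the three malformed inputs listed (a size of FFFFFFFF, a declared size smaller than the data that follows, and data with no chunk header) with an error code instead of copying past its output buffer. The function names, status codes and sample bodies are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for this constructed decoder (hypothetical names). */
enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_ERR_BAD_HEADER,     /* no hexadecimal size where one is required */
    CHUNK_ERR_TOO_LARGE,      /* size overflows size_t or exceeds the output buffer */
    CHUNK_ERR_TRUNCATED,      /* input ended before the declared chunk body */
    CHUNK_ERR_BAD_TERMINATOR  /* chunk body not followed by CRLF */
};

/* Parse one chunk-size line ("1A\r\n" or "1A;ext=val\r\n") starting at *pos.
   Requires at least one hex digit and refuses sizes that would overflow size_t. */
static int parse_chunk_size(const uint8_t *in, size_t in_len, size_t *pos, size_t *size_out)
{
    size_t i = *pos, value = 0;
    int digits = 0;

    while (i < in_len && isxdigit(in[i])) {
        unsigned d = isdigit(in[i]) ? (unsigned)(in[i] - '0')
                                    : (unsigned)(tolower(in[i]) - 'a' + 10);
        if (value > (SIZE_MAX >> 4))          /* value << 4 would wrap */
            return CHUNK_ERR_TOO_LARGE;
        value = (value << 4) | d;
        i++;
        digits++;
    }
    if (digits == 0)                          /* data arrived with no chunk header */
        return CHUNK_ERR_BAD_HEADER;

    if (i < in_len && in[i] == ';')           /* skip a chunk extension, if present */
        while (i < in_len && in[i] != '\r') i++;
    if (i + 1 >= in_len || in[i] != '\r' || in[i + 1] != '\n')
        return CHUNK_ERR_BAD_HEADER;

    *pos = i + 2;
    *size_out = value;
    return CHUNK_OK;
}

/* Decode a chunked body into out[]; on success *out_len holds the decoded length. */
int decode_chunked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;

    for (;;) {
        size_t chunk_size;
        int rc = parse_chunk_size(in, in_len, &pos, &chunk_size);
        if (rc != CHUNK_OK)
            return rc;

        if (chunk_size == 0) {                /* last-chunk marker: "0\r\n" then an empty trailer "\r\n" */
            if (pos + 1 >= in_len || in[pos] != '\r' || in[pos + 1] != '\n')
                return CHUNK_ERR_TRUNCATED;
            *out_len = written;
            return CHUNK_OK;
        }

        /* The declared size must fit both the remaining output space and the remaining
           input. A size of FFFFFFFF fails here instead of driving memcpy off the heap. */
        if (chunk_size > out_cap - written)
            return CHUNK_ERR_TOO_LARGE;
        if (chunk_size > in_len - pos)
            return CHUNK_ERR_TRUNCATED;

        memcpy(out + written, in + pos, chunk_size);
        written += chunk_size;
        pos += chunk_size;

        /* Bytes beyond the declared size land here instead of a CRLF and are rejected. */
        if (pos + 1 >= in_len || in[pos] != '\r' || in[pos + 1] != '\n')
            return CHUNK_ERR_BAD_TERMINATOR;
        pos += 2;
    }
}

/* Wrapper for the constructed samples: decoded length on success, -status on error. */
long decode_sample(const char *body)
{
    uint8_t out[64];
    size_t n = 0;
    int rc = decode_chunked((const uint8_t *)body, strlen(body), out, sizeof out, &n);
    return rc == CHUNK_OK ? (long)n : -(long)rc;
}

int main(void)
{
    /* Constructed sample bodies: one valid, then the three cases from the advisory. */
    const char *samples[] = {
        "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",  /* valid: decodes to 9 bytes        */
        "FFFFFFFF\r\nAAAA\r\n0\r\n\r\n",          /* size -1 (FFFFFFFF)               */
        "5\r\nHELLOWORLD\r\n0\r\n\r\n",           /* declared size smaller than data  */
        "no header here\r\n0\r\n\r\n",            /* data with no chunk header        */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %ld\n", i, decode_sample(samples[i]));
    return 0;
}
```

Positive return values are decoded lengths; negative values are the status codes above. Every check happens before the copy, which is the property the vulnerable handler lacked: the size taken from the wire is never used as a memcpy length until it has been compared against both the buffer capacity and the bytes actually received.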

III. ANALYSIS

Successful exploitation allows a remote attacker to execute arbitrary
code with the privileges of the currently logged in user. In order to
exploit this vulnerability, an attacker would need to entice a user to
follow a link to a malicious server. Once the user visits a website
under the control of an attacker, it is possible in a default install of
RealPlayer to force a web-browser to use RealPlayer to connect to an
arbitrary server, even when it is not the default application for
handling those types, by the use of embedded object tags in a webpage.
This may allow automated exploitation when the page is viewed.

As the client sends its version information as part of the request, it
would be possible for an attacker to create a malicious server which
uses the appropriate offsets and shellcode for each version and platform
of the client.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in RealPlayer
Version 10.4 and 10.5 for Windows and both RealPlayer 10.4 and Helix
Player 1.4 for Linux.

The vendor has stated that the following versions are vulnerable:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8

It is suspected that previous versions of RealPlayer and Helix Player
are affected by this vulnerability.

V. WORKAROUND

Although there is no way to completely protect yourself from this
vulnerability, aside from removing the RealPlayer software, the
following actions may be taken to minimize the risk of automated
exploitation.

Disable ActiveX controls and plugins, if not necessary for daily
operations, using the following steps:

1. In IE, click on Tools and select Internet Options from the drop-down
menu.
2. Click the Security tab and the Custom Level button.
3. Under ActiveX Controls and Plugins, then Run ActiveX Controls and
Plugins, click the Disable radio button.

In general, exploitation requires that a targeted user be socially
engineered into visiting a link to a server controlled by an attacker.
As such, do not visit unknown/untrusted websites and do not follow
suspicious links.

When possible, run client software, especially applications such as IM
clients, web browsers and e-mail clients, from regular user accounts
with limited access to system resources. This may limit the immediate
consequences of client-side vulnerabilities such as this.

VI. VENDOR RESPONSE

Information from the vendor about this vulnerability is available at the
following URL:

http://service.real.com/realplayer/security/03162006_player/en/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2922 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005 Initial vendor notification
09/09/2005 Initial vendor response
03/23/2006 Public disclosure

IX. CREDIT

This vulnerability was found internally by Greg MacManus of iDefense Labs.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
