Exploit the possiblities

realplayer-memory-corruption-adv.txt

realplayer-memory-corruption-adv.txt
Posted Oct 26, 2007
Authored by Piotr Bania | Site piotrbania.com

RealNetworks RealPlayer/RealOne Player/Helix Player all suffer from a memory corruption vulnerability in the handling of specially crafted .mov files. Successful exploitation may lead to code execution.

tags | advisory, code execution
MD5 | d5f7cd811f442f4d147649a824c696fc

realplayer-memory-corruption-adv.txt

Change Mirror Download


RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory
Corruption
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com



Original url (and formating):
http://www.piotrbania.com/all/adv/realplayer-memory-corruption-adv.txt

Severity: Critical - Remote code execution.

Software affected: Tested on RealPlayer Version 10.5(newest?) + Harmony
Technology
Build: 6.0.12.1483


Timeline: 02/09/2006 - Advisory sent to RealNetworks
05/09/2006 - Initial vendor response
25/10/2007 - Advisory released




I. BACKGROUND

Real*Player* is surely one of the most popular media players nowadays
with over a 200 million of users worldwide.


II. DESCRIPTION


The problem exists when Real*Player* parses a special crafted .mov file.
Here is the vulnerable code:

--//- snip ----//-----------------------------------------------------

62448F24 8B4D E2 MOV ECX,DWORD PTR SS:[EBP-1E] ; (*1)
62448F27 8B45 DE MOV EAX,DWORD PTR SS:[EBP-22]
62448F2A 2BC1 SUB EAX,ECX ; (*2)
62448F2C 8B53 17 MOV EDX,DWORD PTR DS:[EBX+17]
62448F2F 8D3401 LEA ESI,DWORD PTR DS:[ECX+EAX]
62448F32 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
62448F35 3932 CMP DWORD PTR DS:[EDX],ESI
62448F37 0F82 C2000000 JB rvrender.62448FFF
62448F3D 8B75 DD MOV ESI,DWORD PTR SS:[EBP-23]
62448F40 81E6 FF000000 AND ESI,0FF
62448F46 3972 14 CMP DWORD PTR DS:[EDX+14],ESI
62448F49 0F85 B0000000 JNZ rvrender.62448FFF
62448F4F 8B75 DC MOV ESI,DWORD PTR SS:[EBP-24]
62448F52 81E6 FF000000 AND ESI,0FF
62448F58 837CF2 10 00 CMP DWORD PTR DS:[EDX+ESI*8+10],0
62448F5D 0F85 9C000000 JNZ rvrender.62448FFF
62448F63 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
62448F66 0377 04 ADD ESI,DWORD PTR DS:[EDI+4]
62448F69 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4] ; (*3)
62448F6C 8BD1 MOV EDX,ECX
62448F6E 03F8 ADD EDI,EAX ; (*4)
62448F70 C1E9 02 SHR ECX,2
62448F73 F3:A5 REP MOVSD ; memcpy()
(*5)

--//- snip ----//-----------------------------------------------------


Attacker controls the value of ECX registers initialized at 0x62448F24
(*1).
This is very important since this values are future used with
initialization
of EDI register (destination for memcpy() (*5)) and its also used as an
size argument also for memcpy() (*5) operation.

The content of EAX register seems to be a const value, equal to 0x326.
It is transformed by sub operation in the following way: EAX = 0x326 -
ECX(*1).
From this point the value of the EAX remains unchanged.

At point (*3) you will see the initalization of EDI register, which will
now
point somewhere inside allocated heap memory block (the size of the parent
block seems to be always equal to 0xa8000). After the EDI initialization
it is normalized with EAX value, created in point (*2).

This leads to an obvious memory corruption, attacker can control ECX and
the
EDI register, it means that he can control the destination and the size
while coping the memory. This may lead to a potencial code execution
on the vulnerable machine.


III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in
context of user running Real*Player*.


IV. POC CODE

Due to severity of this bug i will not publish any poc codes.





best regards,
pb

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------

- "The more I learn about men, the more I love dogs."


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    10 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close