what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

realplayer-heap-corruption-adv.txt

realplayer-heap-corruption-adv.txt
Posted Oct 26, 2007
Authored by Piotr Bania | Site piotrbania.com

RealNetworks RealPlayer/RealOne Player/Helix Player all suffer from a heap corruption vulnerability in the handling of specially crafted .mov files. Successful exploitation may lead to code execution.

tags | advisory, code execution
SHA-256 | d0b3de4e4ec1830bd5ba47b604c4bffbdf1436a14cbbabd5bde23e273d74a08c
Download | Favorite | View

realplayer-heap-corruption-adv.txt

Change Mirror Download
 RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Corruption
 by Piotr Bania <bania.piotr@gmail.com>
 http://www.piotrbania.com



 Original url (and formatting):
 http://www.piotrbania.com/all/adv/realplayer-heap-corruption-adv.txt

 Severity:           Important/Critical - Potencial remote code execution.

 Software affected:  tested on RealPlayer Version 10.5(newest?) + Harmony
Technology
                     Build: 6.0.12.1483


 Timeline:  02/09/2006 - Advisory sent to RealNetworks
            05/09/2006 - Initial vendor response
            25/10/2007 - Advisory released




 I.  BACKGROUND

 Real*Player* is surely one of the most popular media players nowadays
 with over a 200 million of users worldwide.


 II. DESCRIPTION


 The problem exists when Real*Player* parses a special crafted .mov file.
 Here is the vulnerable code:


 --//- snip ----//-----------------------------------------------------

 62A70598   8A47 05          MOV AL,BYTE PTR DS:[EDI+5]      ; al=controled
by attacker
 62A7059B   8A67 04          MOV AH,BYTE PTR DS:[EDI+4]      ; ah=controled
by attacker
 62A7059E   66:3B86 AE000000 CMP AX,WORD PTR DS:[ESI+AE]     ; below 2?
 62A705A5   73 11            JNB SHORT 62A705B8              ; not signed
compare, assume:taken!
 62A705A7   8B8E B0000000    MOV ECX,DWORD PTR DS:[ESI+B0]
 62A705AD   25 FFFF0000      AND EAX,0FFFF
 62A705B2   66:8B0441        MOV AX,WORD PTR DS:[ECX+EAX*2]
 62A705B6   EB 05            JMP SHORT 62A705BD
 62A705B8   B8 FFFF0000      MOV EAX,0FFFF                   ; eax=0xFFFF
 62A705BD   33D2             XOR EDX,EDX                     ; edx=0
 62A705BF   33C9             XOR ECX,ECX                     ; ecx=0

 62A705C1   8A77 06          MOV DH,BYTE PTR DS:[EDI+6]      ; dh=controled
by attacker
 62A705C4   8A6F 08          MOV CH,BYTE PTR DS:[EDI+8]      ; ch=controled
by attacker
 62A705C7   8A57 07          MOV DL,BYTE PTR DS:[EDI+7]`     ; dl=controled
by attacker
 62A705CA   81E1 FFFF0000    AND ECX,0FFFF                   ; leave only CX
value
 62A705D0   C1E2 10          SHL EDX,10                      ; rotation
high(edx)<-dx
 62A705D3   0BD1             OR EDX,ECX                      ; power up the
bits given by ecx
 62A705D5   33C9             XOR ECX,ECX                     ; ecx=0
 62A705D7   8A4F 09          MOV CL,BYTE PTR DS:[EDI+9]      ; cl=controled
by attacker
 62A705DA   0BD1             OR EDX,ECX                      ; power up some
bits...
 62A705DC   8B8E 8A000000    MOV ECX,DWORD PTR DS:[ESI+8A]
 62A705E2   85C9             TEST ECX,ECX                    ; ecx=0? =>
take the jump
 62A705E4   74 0F            JE SHORT 62A705F5
 62A705E6   3956 48          CMP DWORD PTR DS:[ESI+48],EDX
 62A705E9   76 0A            JBE SHORT 62A705F5
 62A705EB   C786 8E000000 01>MOV DWORD PTR DS:[ESI+8E],1

 62A705F5   8956 48          MOV DWORD PTR DS:[ESI+48],EDX   ; store edx
 62A705F8   8B8E 8A000000    MOV ECX,DWORD PTR DS:[ESI+8A]   ; ecx = 0
 62A705FE   41               INC ECX                         ; ecx++
 62A705FF   25 FFFF0000      AND EAX,0FFFF                   ; leave the AX
value (0xffff)
 62A70604   898E 8A000000    MOV DWORD PTR DS:[ESI+8A],ECX   ; [esi+0x8a]=1
 62A7060A   8BC8             MOV ECX,EAX                     ; ecx=0xffff
 62A7060C   C1E0 05          SHL EAX,5                       ; eax=0x1FFFE0
(rotated)
 62A7060F   2BC1             SUB EAX,ECX                     ; eax-0xffff =
0x1EFFE1
 62A70611   8B8E 9A000000    MOV ECX,DWORD PTR DS:[ESI+9A]   ; ecx=heap mem
 62A70617   D1E0             SHL EAX,1                       ;
eax=0x003DFFC2
 62A70619   03C8             ADD ECX,EAX                     ; ecx=ecx+eax
(memory location)
 62A7061B   8379 36 00       CMP DWORD PTR DS:[ECX+36],0
 62A7061F   75 1F            JNZ SHORT 62A70640
 62A70621   8951 24          MOV DWORD PTR DS:[ECX+24],EDX   ; ** corruption
**

 --//- snip ----//-----------------------------------------------------


 The instruction at 0x62A70621 stores the value of EDX register (controled
by attacker)
 to the location at [ECX+0x24]. The value of [ECX+0x24] is not completly
controled
 by attacker but it seems it is possible to rotate it when value of AX at
0x62A7059E
 is below 2. If memory at [ECX+0x24] contains a important data for
RealPlayer it is
 possible to cause future security problems because of its overwrite with
value
 marked by attacker.



 III. IMPACT

 Successful exploitation may allow the attacker to run arbitrary code in
 context of user running Real*Player*.


 IV. POC CODE

 Due to severity of this bug i will not publish any poc codes.




best regards,
pb

-- 
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

               - "The more I learn about men, the more I love dogs."


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close