all things security

realplayer-heap-corruption-adv.txt

realplayer-heap-corruption-adv.txt
Posted Oct 26, 2007
Authored by Piotr Bania | Site piotrbania.com

RealNetworks RealPlayer/RealOne Player/Helix Player all suffer from a heap corruption vulnerability in the handling of specially crafted .mov files. Successful exploitation may lead to code execution.

tags | advisory, code execution
MD5 | e2ef19fcac9143f960d0e4730c0cc729

realplayer-heap-corruption-adv.txt

Change Mirror Download
 RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Corruption
by Piotr Bania <bania.piotr@gmail.com>
http://www.piotrbania.com



Original url (and formatting):
http://www.piotrbania.com/all/adv/realplayer-heap-corruption-adv.txt

Severity: Important/Critical - Potencial remote code execution.

Software affected: tested on RealPlayer Version 10.5(newest?) + Harmony
Technology
Build: 6.0.12.1483


Timeline: 02/09/2006 - Advisory sent to RealNetworks
05/09/2006 - Initial vendor response
25/10/2007 - Advisory released




I. BACKGROUND

Real*Player* is surely one of the most popular media players nowadays
with over a 200 million of users worldwide.


II. DESCRIPTION


The problem exists when Real*Player* parses a special crafted .mov file.
Here is the vulnerable code:


--//- snip ----//-----------------------------------------------------

62A70598 8A47 05 MOV AL,BYTE PTR DS:[EDI+5] ; al=controled
by attacker
62A7059B 8A67 04 MOV AH,BYTE PTR DS:[EDI+4] ; ah=controled
by attacker
62A7059E 66:3B86 AE000000 CMP AX,WORD PTR DS:[ESI+AE] ; below 2?
62A705A5 73 11 JNB SHORT 62A705B8 ; not signed
compare, assume:taken!
62A705A7 8B8E B0000000 MOV ECX,DWORD PTR DS:[ESI+B0]
62A705AD 25 FFFF0000 AND EAX,0FFFF
62A705B2 66:8B0441 MOV AX,WORD PTR DS:[ECX+EAX*2]
62A705B6 EB 05 JMP SHORT 62A705BD
62A705B8 B8 FFFF0000 MOV EAX,0FFFF ; eax=0xFFFF
62A705BD 33D2 XOR EDX,EDX ; edx=0
62A705BF 33C9 XOR ECX,ECX ; ecx=0

62A705C1 8A77 06 MOV DH,BYTE PTR DS:[EDI+6] ; dh=controled
by attacker
62A705C4 8A6F 08 MOV CH,BYTE PTR DS:[EDI+8] ; ch=controled
by attacker
62A705C7 8A57 07 MOV DL,BYTE PTR DS:[EDI+7]` ; dl=controled
by attacker
62A705CA 81E1 FFFF0000 AND ECX,0FFFF ; leave only CX
value
62A705D0 C1E2 10 SHL EDX,10 ; rotation
high(edx)<-dx
62A705D3 0BD1 OR EDX,ECX ; power up the
bits given by ecx
62A705D5 33C9 XOR ECX,ECX ; ecx=0
62A705D7 8A4F 09 MOV CL,BYTE PTR DS:[EDI+9] ; cl=controled
by attacker
62A705DA 0BD1 OR EDX,ECX ; power up some
bits...
62A705DC 8B8E 8A000000 MOV ECX,DWORD PTR DS:[ESI+8A]
62A705E2 85C9 TEST ECX,ECX ; ecx=0? =>
take the jump
62A705E4 74 0F JE SHORT 62A705F5
62A705E6 3956 48 CMP DWORD PTR DS:[ESI+48],EDX
62A705E9 76 0A JBE SHORT 62A705F5
62A705EB C786 8E000000 01>MOV DWORD PTR DS:[ESI+8E],1

62A705F5 8956 48 MOV DWORD PTR DS:[ESI+48],EDX ; store edx
62A705F8 8B8E 8A000000 MOV ECX,DWORD PTR DS:[ESI+8A] ; ecx = 0
62A705FE 41 INC ECX ; ecx++
62A705FF 25 FFFF0000 AND EAX,0FFFF ; leave the AX
value (0xffff)
62A70604 898E 8A000000 MOV DWORD PTR DS:[ESI+8A],ECX ; [esi+0x8a]=1
62A7060A 8BC8 MOV ECX,EAX ; ecx=0xffff
62A7060C C1E0 05 SHL EAX,5 ; eax=0x1FFFE0
(rotated)
62A7060F 2BC1 SUB EAX,ECX ; eax-0xffff =
0x1EFFE1
62A70611 8B8E 9A000000 MOV ECX,DWORD PTR DS:[ESI+9A] ; ecx=heap mem
62A70617 D1E0 SHL EAX,1 ;
eax=0x003DFFC2
62A70619 03C8 ADD ECX,EAX ; ecx=ecx+eax
(memory location)
62A7061B 8379 36 00 CMP DWORD PTR DS:[ECX+36],0
62A7061F 75 1F JNZ SHORT 62A70640
62A70621 8951 24 MOV DWORD PTR DS:[ECX+24],EDX ; ** corruption
**

--//- snip ----//-----------------------------------------------------


The instruction at 0x62A70621 stores the value of EDX register (controled
by attacker)
to the location at [ECX+0x24]. The value of [ECX+0x24] is not completly
controled
by attacker but it seems it is possible to rotate it when value of AX at
0x62A7059E
is below 2. If memory at [ECX+0x24] contains a important data for
RealPlayer it is
possible to cause future security problems because of its overwrite with
value
marked by attacker.



III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in
context of user running Real*Player*.


IV. POC CODE

Due to severity of this bug i will not publish any poc codes.




best regards,
pb

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------

- "The more I learn about men, the more I love dogs."


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close