Title: ==== Real player resource exhaustion Vulnerability Credit: ====== Name: Akshaysinh Vaghela Company/affiliation: Cyberoam Technologies Private Limited Website: www.cyberoam.com CVE: ===== CVE-2013-3299 Date: ==== 2013-04-23 CL-ID: ==== CRD-2013-03 Vendor: ====== Real Networks creates products and services that make it easier for people to access and enjoy digital media on the devices and platforms they choose to use. Product: ======= Real Player: The first application that allows enables people to easily download online video, transfer it to a favorite device and share it with friends via Facebook and Twitter. Product link: http://in.real.com/?mode=rp Abstract: ======= Cyberoam Threat Research Labs discovered a Resource exhaustion Vulnerability in Real Player <= 16.0.2.32 . Report-Timeline: ============ 2013-04-23: Vendor notification 2013-05-23: Vendor's Last Response 2013-06-03: Notification Follow-up Date 2013-00-00: Vendor Fix/Patch 2013-06-04: Public Disclosure Affected Version: ============= Ver ( <= 16.0.2.32 ) Exploitation-Technique: =================== Network Severity Rating: =================== 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C) Details: ======= Real Networks Real Player is prone to Resource exhaustion vulnerability. When processing specially crafted HTML file, Real Player uses a value from the file to control a loop operation. Real player fails to validate the value before using it, which leads to DoS / Crash. Caveats / Prerequisites: ====================== The attacker needs to entice victims to perform an action in order to exploit this vulnerability. Proof Of Concept: ================ http://i40.tinypic.com/2mg1gt3.jpg http://i39.tinypic.com/5phchx.png POC Exploit code: Risk: ===== The security risk of the Resource exhaustion Vulnerability is estimated as High. Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Any modified copy or reproduction, including partially usages, of this file requires authorization from Cyberoam Vulnerability Research Team. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Cyberoam Vulnerability Research Team. The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, Cyberoam may distribute vulnerability protection filters to its customers' IPS devices through the IPS upgrades. If a vendor fails to respond after five business days, Cyberoam Vulnerability Research Team may issue a public advisory disclosing its findings fifteen business days after the initial contact. If a vendor response is received within the timeframe outlined above, Cyberoam Vulnerability Research Team will allow the vendor 6-months to address the vulnerability with a patch. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the Cyberoam Vulnerability Research Team will publish a limited advisory to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately. Cyberoam Vulnerability Research Team will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Cyberoam Vulnerability Research Team will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. Before public disclosure of a vulnerability, Cyberoam Vulnerability Research Team may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base.