RealNetworks fails to address Cross-Site Scripting in RealOne Player ==================================================================== Title: RealNetworks fails to address Cross-Site Scripting in RealOne Date: Tuesday, January 06, 2004 Software: RealOne Player Vendor: RealNetworks Patch: N/A Author: Arman Nayyeri, arman-n[at]Phreaker[dot]net Description: ============ The security update August 19 ,2003 fails to address the Cross-Site scripting vulnerability that has been founded later in .SMI file in RealOne player. First time, when I research about SMI files in realone I test javascript: protocol and I wonder that how this simple vulnerability exists in realone, but when I search the web I see that this vulnerability has already been discovered. So I download the latest version of realone and work on it, and after an hour, I have an exploit that works perfect in the new realone player. I replace javascript: with file:javascript: in the SMI file.(heh!) I don't know how RealNetworks say: "all security vulnerabilities are taken very seriously by RealNetworks" I'm waiting for the next patch to come and have some fun! I don't want to annoy realnetworks but it's funny that their vulnerabilities will never exploited and used for attacks, because RealNetworks keep sayin': "While we have not received reports of anyone actually being attacked with this exploit" so,I recommend attack with my exploit (AT YOUR OWN RISK!) to your friend and say to he/she to report this attack to realnetworks to see what realnetworks will write! ok, back to business; we see that realone easily allow file:javascript: to be executed in the security zone of last page that you loaded into it, that can be "My Computer" or "Local Intranet" zone too. Exploit: ======== I use RealNetworks firstrun.smi as a template for my work and use jelmer's adodb.stream for executing of exe file! as easy as this! but there is so much problems for me to make the exploit to work! because when I use file: before javascript: this things happens: 1.we can't use """ and "<" and ">" because of SMI file TAGs 2.in URL all spaces become %20 and prevent script to be executed correctly 3.in URL all "/"s become "\"s 4.we can't directly use "file:javascript:[JSCODE]" because of last two problems so I use "file:javascript:document.write('[JSCODE]')". and translate all of the above bad characters to "\u[unicode]", and also our URL that contains jscode must be less that 512(almost) bytes. I load res: and then "file:javascript:document.write('[adodb.stream code]')". this is the exploit that I provided (harmless .exe): http://www.freewebs.com/arman2/arealexploit.htm and also there is a zip file that contains the SMI file, if you want to know what code is in .SMI! and also this exploit will work even if active scripting is disabled! and sorry for my bad english! Exploit Tested On ================= RealOne Player (win32) Version 2.0 Helix Powered Build 6.0.11.868 And also work on RealOne Player (win32) Version 1.0 Special Thanks ============== Jelmer said: "I am pretty sure there are still some *very serious* issues out there with a few leading apps, like sun java winamp realplayer and probably icq" as you can see, realplayer is one of them! next one, likely winamp!(5.0 with many new capabilities!WOW!) Do I discover more vulnerabilities? =================================== [STILL] YOU AIN'T SEEN NOTHING YET! Disclaimer: =========== Arman Nayyeri is not responsible for the misuse of the information provided in this advisory. The opinions expressed are my own and not of any company. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use of the information is at the user's own risk. ~~~~~~~~~~~~~~ Arman Nayyeri MCP, MCSA 2000, MCSE 2000 Iran