OVERVIEW ======== RealPlayer is a popular multimedia player developed by RealNetworks. One of its features are RMP files, RealJukebox Metadata Packages. These are XML formatted files which may contain e.g. playlists, references to skin files (*.rjs), and information about related web pages. A directory traversal vulnerability exists in the player allowing an attacker to craft an RMP file which may upload files to arbitrary locations on the victim system. This leads to arbitrary code execution with the currently logged in user's privileges. RMP files are opened without confirmation if a web page uses e.g. JavaScript or an IFRAME tag to reference them, so it is possible to carry out the attack without further user interaction when the victim visits such web page. DETAILS ======= The RMP file may contain references to a number of files as tags. The file extension determines how RealPlayer handles the file, ie. as audio, video, or a skin file. If the filename ends with ".rjs", it's assumed to be a skin file and downloaded to a location under the current user's profile folder. For RealOne Player the exact location is %USERPROFILE%\Application Data\Real\RealOne Player\skins\file.rjs An attacker may use "..\" sequences in the file name to cause the skin file to be placed outside this folder. With a specially crafted filename, an attacker can place an arbitrarily named file with arbitrary contents anywhere on the victim system. Overwriting files isn't possible as RealPlayer asks for confirmation. To run a desired program, an attacker can for instance place an HTML and EXE file on the victim system by using a single RMP file. The "related info" feature of RealPlayer can be used to automatically open the HTML file, which can then use JavaScript to launch the EXE file. A proof of concept RMP file was created to do this. Use of some unpatched Internet Explorer flaws are required for this exploit. Another way is simply to place an EXE or other program in the current user's Startup folder to be launched during the next login. The attacker needn't know the login name; a relative path can be used because the default folder for skins is already under the user's profile folder. AFFECTED VERSIONS ================= According to RealNetworks the flaw affects RealOne Player, RealOne Player v2, RealOne Enterprise Desktop, RealPlayer Enterprise. SOLUTION ======== RealNetworks was contacted on November 24, 2003. The vendor has produced updates to correct the flaw. Some unrelated vulnerabilities found by Mark Litchfield are also fixed. Information about downloading and applying the updates can be found here: http://service.real.com/help/faq/security/040123_player/EN/ CREDITS ======= The vulnerability was discovered by Jouko Pynnönen, Finland. -- Jouko Pynnönen Web: http://iki.fi/jouko/ jouko@iki.fi GSM: +358 41 5504555