Full Disclosure mailing list archives
iDEFENSE Security Advisory 06.10.04: Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability
From: idlabs-advisories () idefense com
Date: Thu, 10 Jun 2004 18:19:33 -0400
Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability iDEFENSE Security Advisory 06.10.04 www.idefense.com/application/poi/display?id=109&type=vulnerabilities June 10, 2004 I. BACKGROUND RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. For more information, visit http://www.real.com/ II. DESCRIPTION Remote exploitation of a buffer overflow in Version 10 of Real Networks' RealPlayer could allow execution of arbitrary commands. The vulnerability specifically exists in the handling of URLs with a large number of period (".") characters. By creating a specially crafted filename, it is possible to cause the execution of arbitrary code with the permissions of the user that attempts to access it. III. ANALYSIS One method of exploiting this vulnerability is to place a .RAM file (RealPlayer Presentation) containing a maliciously constructed URL on a web server and send an e-mail to the target with a link containing the file. It appears the vulnerability results from allocating an array of a fixed size and then iterating through the URL looking for periods. As each one is found, a pointer to it is stored in the array, and the current index is incremented. No check seems to be done for writes to addresses outside the array. IV. DETECTION RealNetworks' RealPlayer 10 is confirmed vulnerable. Previous versions of RealPlayer are also suspected to be vulnerable. V. WORKAROUND iDEFENSE is currently unaware of any effective workarounds for this vulnerability. User awareness is the best defense against this class of attack. Users should be aware of the existence of such attacks and proceed with caution when following links from suspicious and/or unsolicited e-mail. VI. VENDOR RESPONSE Real Networks recommends updating affected applications to the latest version. Instructions for upgrading are contained in the vendor's security advisory located at: http://service.real.com/help/faq/security/040610_player/EN/ VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 04/14/2004 Exploit discovered by iDEFENSE 05/12/2004 Initial vendor notification 05/12/2004 iDEFENSE clients notified 05/13/2004 Vendor response 06/10/2004 Coordinated public disclosure IX. CREDIT Greg MacManus (iDEFENSE Labs) is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice () idefense com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- iDEFENSE Security Advisory 06.10.04: Real Networks RealPlayer URL Parsing Buffer Overflow Vulnerability idlabs-advisories (Jun 10)