Hi,

Does this overflow affect versions of RealPlayer installable on mobile platforms too (like Windows PocketPC, CE, Mobile et cetera)?

Regards
Göran Sandahl

On Wednesday 20 April 2005 07:08, Piotr Bania wrote:
> RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap
> Overflow
> by Piotr Bania <bania.piotr@xxxxxxxxx>
> http://pb.specialised.info
>
> Original location:
> http://pb.specialised.info/all/adv/real-ram-adv.txt
>
>
> Severity: Critical - Remote code execution.
>
> Software affected: (WINDOWS)
> RealPlayer 10.5 (6.0.12.1040 - 1059)
> RealPlayer 10
> RealOne Player v2
> RealOne Player v1
> RealPlayer 8
> RealPlayer Enterprise
>
> (MAC)
> Mac RealPlayer 10 (10.0.0.305 - 331)
> Mac RealOne Player
>
> (LINUX)
> Linux RealPlayer 10 (10.0.0 - 3)
> Helix Player (10.0.0 - 3)
>
>
> I. BACKGROUND
>
> Real*Player* is surely one of the most popular media players
> nowadays, with over 200 million users worldwide.
>
> II. DESCRIPTION
>
> The problem exists when RealPlayer parses a specially crafted .ram
> file. Normally a .ram file looks like this:
>
> --CUT--
> http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610| \
> bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276
> --CUT--
>
> This causes RealPlayer to contact "www.host.com" and try to
> download and play the selected clip. The problem exists when the host
> string is too long, like here:
>
> --CUT--
> http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>. \
> .org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \
> mft:metafile|cr:1|refsite:276
> --CUT--
>
> While parsing such a crafted .ram file, heap memory is
> corrupted at multiple locations, for example:
>
> FIRST HEAP CORRUPTION:
>
> ----// SNIP SNIP //--------------------------------------------
> (MODULE PNEN3260)
> 01053089  76 0D      JBE SHORT pnen3260.01053098
> 0105308B  8B53 15    MOV EDX,DWORD PTR DS:[EBX+15]
> 0105308E  890496     MOV DWORD PTR DS:[ESI+EDX*4],EAX   <---
> 01053091  8B43 15    MOV EAX,DWORD PTR DS:[EBX+15]
> 01053094  40         INC EAX
> 01053095  8943 15    MOV DWORD PTR DS:[EBX+15],EAX
> ----// SNIP SNIP //--------------------------------------------
>
> THE FINAL HEAP OVERWRITE:
>
> ----// SNIP SNIP //---------------------------------------------
> (MODULE PNCRT - PNCRT!strncpy+0x8b)
> 60A2FA59  8917       MOV DWORD PTR DS:[EDI],EDX
> 60A2FA5B  83C7 04    ADD EDI,4
> 60A2FA5E  49         DEC ECX
> 60A2FA5F  ^74 AF     JE SHORT PNCRT.60A2FA10
> ----// SNIP SNIP //---------------------------------------------
>
>
> In the following code EDI points to a heap location, and EDX
> contains the read bytes. The instruction at 60A2FA59 writes the value of
> the EDX register into the location EDI points to (heap memory);
> this causes a heap memory corruption.
>
>
> III. IMPACT
>
> Successful exploitation may allow the attacker to run arbitrary
> code in the context of the user running RealPlayer.
>
> IV. VENDOR RESPONSE
>
> I would like to acknowledge the cooperation and responsiveness
> of the people at RealNetworks. Security patches are available at
> http://www.real.com.
>
>
>
> best regards,
> Piotr Bania

-- 
// Göran Sandahl
// email, goran@xxxxxxxxxxxx
// web, http://gsandahl.net
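The advisory above describes the defect in terms of its symptom: a .ram metafile whose host component is far longer than the player expects ends up corrupting the heap during a copy. The defensive shape of a fix is to measure the host before anything is copied and reject the line if it exceeds the destination. The following is an added illustration written for this thread; it is not RealNetworks' code, not the patched parser, and not taken from the advisory. The scheme list, the 253-character host bound (the DNS hostname limit), the 1024-byte path bound, the `ram_entry` structure and all function names are assumptions made for the example, and the overlong line it builds is constructed from the advisory's `ABC.ABC.` pattern.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RAM_HOST_MAX 253    /* assumed bound: DNS hostname limit (RFC 1035) */
#define RAM_PATH_MAX 1024   /* assumed bound for path + query of a .ram line */

/* Parsed fields; fixed-size so the caller owns the storage (hypothetical type). */
typedef struct {
    char host[RAM_HOST_MAX + 1];
    char path[RAM_PATH_MAX + 1];
} ram_entry;

enum ram_status {
    RAM_OK = 0,
    RAM_BAD_SCHEME = 1,
    RAM_EMPTY_HOST = 2,
    RAM_HOST_TOO_LONG = 3,
    RAM_PATH_TOO_LONG = 4
};

/* Parse one line of a .ram metafile into host and path. Every length is
 * checked against its destination before a single byte is copied, so an
 * overlong host is refused rather than written past the buffer. */
int ram_parse_line(const char *line, ram_entry *out)
{
    const char *p, *host_end;
    size_t host_len, path_len;

    /* Only http:// and rtsp:// references are accepted here (assumption). */
    if (strncmp(line, "http://", 7) == 0 || strncmp(line, "rtsp://", 7) == 0)
        p = line + 7;
    else
        return RAM_BAD_SCHEME;

    /* The host runs until the first '/', '?' or end of line. */
    host_end = strpbrk(p, "/?\r\n");
    if (host_end == NULL)
        host_end = p + strlen(p);
    host_len = (size_t)(host_end - p);

    if (host_len == 0)
        return RAM_EMPTY_HOST;
    if (host_len > RAM_HOST_MAX)        /* the bound that makes the copy safe */
        return RAM_HOST_TOO_LONG;

    path_len = strcspn(host_end, "\r\n");
    if (path_len > RAM_PATH_MAX)
        return RAM_PATH_TOO_LONG;

    memcpy(out->host, p, host_len);
    out->host[host_len] = '\0';
    memcpy(out->path, host_end, path_len);
    out->path[path_len] = '\0';
    return RAM_OK;
}

/* Convenience wrapper: status code for a line, discarding the parsed fields. */
int ram_line_status(const char *line)
{
    ram_entry e;
    return ram_parse_line(line, &e);
}

/* Build a constructed line "http://ABC.ABC....org/media/getmetafile.ram?..."
 * with the given number of "ABC." labels and return the parser's verdict.
 * Labels are capped so the constructed line always fits the local buffer. */
int ram_long_host_status(size_t labels)
{
    char buf[1024];
    size_t pos = 7, i;

    if (labels > 200)
        labels = 200;
    memcpy(buf, "http://", 7);
    for (i = 0; i < labels; i++) {
        memcpy(buf + pos, "ABC.", 4);
        pos += 4;
    }
    strcpy(buf + pos, "org/media/getmetafile.ram?pinfo=fid:2663610");
    return ram_line_status(buf);
}

int main(void)
{
    /* Normal line from the advisory, then a constructed 100-label host (403 chars). */
    printf("normal line  -> %d\n",
           ram_line_status("http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610"));
    printf("long host    -> %d (RAM_HOST_TOO_LONG=%d)\n",
           ram_long_host_status(100), RAM_HOST_TOO_LONG);
    return 0;
}
```

A player-side parser that follows this pattern never reaches a `strncpy`-style copy with a host longer than its buffer, because the length decision is made on the source string first; a content filter or IDS rule can apply the same 253-character test to `.ram` metafiles in transit to flag the malformed ones.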