Bugtraq mailing list archives
Re: RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow
From: Göran Sandahl <goran () gsandahl net>
Date: Thu, 21 Apr 2005 23:13:58 +0200
Hi, Does this overflow affect versions of RealPlayer installable on mobile platforms too (like Windows PocketPC, CE, mobile et cetera)? Regards Göran Sandahl On Wednesday 20 April 2005 07:08, Piotr Bania wrote:
RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap
Overflow
by Piotr Bania <bania.piotr () gmail com>
http://pb.specialised.info
Original location:
http://pb.specialised.info/all/adv/real-ram-adv.txt
Severity: Critical - Remote code execution.
Software affected: (WINDOWS)
RealPlayer 10.5 (6.0.12.1040 - 1059)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise
(MAC)
Mac RealPlayer 10 (10.0.0.305 - 331)
Mac RealOne Player
(LINUX)
Linux RealPlayer 10 (10.0.0 - 3)
Helix Player (10.0.0 - 3)
I. BACKGROUND
Real*Player* is surely one of the most popular media players
nowadays with over a 200 million of users worldwide.
II. DESCRIPTION
The problem exists when RealPlayer parses special crafted .ram
file. Normaly .ram file looks like that:
--CUT--
http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610| \
bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276
--CUT--
this causes RealPlayer to contact "www.host.com" and try to
download and play selected clip. The problem exists when host
string is too long, like here:
--CUT--
http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>. \
.org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \
mft:metafile|cr:1|refsite:276
--CUT--
While parsing such crafted .ram file heap memory is being
corrupted at multiple locations, for example:
FIRST HEAP CORRUPTION:
----// SNIP SNIP //--------------------------------------------
(MODULE PNEN3260)
01053089 76 0D JBE SHORT pnen3260.01053098
0105308B 8B53 15 MOV EDX,DWORD PTR DS:[EBX+15]
0105308E 890496 MOV DWORD PTR DS:[ESI+EDX*4],EAX<---
01053091 8B43 15 MOV EAX,DWORD PTR DS:[EBX+15]
01053094 40 INC EAX
01053095 8943 15 MOV DWORD PTR DS:[EBX+15],EAX
----// SNIP SNIP //--------------------------------------------
THE FINAL HEAP OVERWRITE:
----// SNIP SNIP //---------------------------------------------
(MODULE PNCRT - PNCRT!strncpy+0x8b)
60A2FA59 8917 MOV DWORD PTR DS:[EDI],EDX
60A2FA5B 83C7 04 ADD EDI,4
60A2FA5E 49 DEC ECX
60A2FA5F ^74 AF JE SHORT PNCRT.60A2FA10
----// SNIP SNIP //---------------------------------------------
In the following code EDI points to heap location, and EDX
contains read bytes. Instruction at 60A2Fa59 writes value of
EDX register into the location where EDI points (heap memory),
this causes a heap memory corruption.
III. IMPACT
Successful exploitation may allow the attacker to run arbitrary
code in context of user running RealPlayer.
IV. VENDOR RESPONSE
I would like to acknowledge the cooperation and responsiveness
of the people at RealNetworks. Security patches are available at
http://www.real.com.
best regards,
Piotr Bania
-- // Göran Sandahl // email, goran () gsandahl net // web, http://gsandahl.net
Current thread:
- RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow Piotr Bania (Apr 20)
- Re: RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow Göran Sandahl (Apr 22)