Directory traversal in RealPlayer allows code execution
OVERVIEW
========
RealPlayer is a popular multimedia player developed by RealNetworks.
One of its features are RMP files, RealJukebox Metadata Packages. These
are XML formatted files which may contain e.g. playlists, references
to skin files (*.rjs), and information about related web pages.
A directory traversal vulnerability exists in the player allowing
an attacker to craft an RMP file which may upload files to arbitrary
locations on the victim system. This leads to arbitrary code execution
with the currently logged in user's privileges.
RMP files are opened without confirmation if a web page uses e.g.
JavaScript or an IFRAME tag to reference them, so it is possible to
carry out the attack without further user interaction when the victim
visits such web page.
DETAILS
=======
The RMP file may contain references to a number of files as <TRACK>
tags. The file extension determines how RealPlayer handles the file,
ie. as audio, video, or a skin file. If the filename ends with ".rjs",
it's assumed to be a skin file and downloaded to a location under the
current user's profile folder. For RealOne Player the exact location is
%USERPROFILE%\Application Data\Real\RealOne Player\skins\file.rjs
An attacker may use "..\" sequences in the file name to cause the skin
file to be placed outside this folder. With a specially crafted
filename, an attacker can place an arbitrarily named file with
arbitrary contents anywhere on the victim system. Overwriting files
isn't possible as RealPlayer asks for confirmation.
To run a desired program, an attacker can for instance place an HTML
and EXE file on the victim system by using a single RMP file. The
"related info" feature of RealPlayer can be used to automatically open
the HTML file, which can then use JavaScript to launch the EXE file. A
proof of concept RMP file was created to do this. Use of some unpatched
Internet Explorer flaws are required for this exploit.
Another way is simply to place an EXE or other program in the current
user's Startup folder to be launched during the next login. The
attacker needn't know the login name; a relative path can be used
because the default folder for skins is already under the user's
profile folder.
AFFECTED VERSIONS
=================
According to RealNetworks the flaw affects RealOne Player, RealOne
Player v2, RealOne Enterprise Desktop, RealPlayer Enterprise.
SOLUTION
========
RealNetworks was contacted on November 24, 2003. The vendor has
produced updates to correct the flaw. Some unrelated vulnerabilities
found by Mark Litchfield are also fixed. Information about downloading
and applying the updates can be found here:
http://service.real.com/help/faq/security/040123_player/EN/
CREDITS
=======
The vulnerability was discovered by Jouko Pynnönen, Finland.
--
Jouko Pynnönen Web: http://iki.fi/jouko/
jouko@xxxxxx GSM: +358 41 5504555