Directory traversal in RealPlayer allows code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Directory traversal in RealPlayer allows code execution
From: Jouko Pynnonen <jouko@xxxxxx>
Date: Tue, 10 Feb 2004 17:08:37 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4i


OVERVIEW
========

RealPlayer is a popular multimedia player developed by RealNetworks. 
One of its features are RMP files, RealJukebox Metadata Packages. These 
are XML formatted files which may contain e.g. playlists, references 
to skin files (*.rjs), and information about related web pages.

A directory traversal vulnerability exists in the player allowing 
an attacker to craft an RMP file which may upload files to arbitrary 
locations on the victim system. This leads to arbitrary code execution 
with the currently logged in user's privileges.

RMP files are opened without confirmation if a web page uses e.g. 
JavaScript or an IFRAME tag to reference them, so it is possible to 
carry out the attack without further user interaction when the victim 
visits such web page.



DETAILS
=======

The RMP file may contain references to a number of files as <TRACK> 
tags. The file extension determines how RealPlayer handles the file, 
ie. as audio, video, or a skin file. If the filename ends with ".rjs", 
it's assumed to be a skin file and downloaded to a location under the 
current user's profile folder. For RealOne Player the exact location is

  %USERPROFILE%\Application Data\Real\RealOne Player\skins\file.rjs

An attacker may use "..\" sequences in the file name to cause the skin 
file to be placed outside this folder. With a specially crafted 
filename, an attacker can place an arbitrarily named file with 
arbitrary contents anywhere on the victim system. Overwriting files 
isn't possible as RealPlayer asks for confirmation.

To run a desired program, an attacker can for instance place an HTML 
and EXE file on the victim system by using a single RMP file. The 
"related info" feature of RealPlayer can be used to automatically open 
the HTML file, which can then use JavaScript to launch the EXE file. A 
proof of concept RMP file was created to do this. Use of some unpatched 
Internet Explorer flaws are required for this exploit.

Another way is simply to place an EXE or other program in the current 
user's Startup folder to be launched during the next login. The 
attacker needn't know the login name; a relative path can be used 
because the default folder for skins is already under the user's 
profile folder.



AFFECTED VERSIONS
=================

According to RealNetworks the flaw affects RealOne Player, RealOne 
Player v2, RealOne Enterprise Desktop, RealPlayer Enterprise.



SOLUTION
========

RealNetworks was contacted on November 24, 2003. The vendor has 
produced updates to correct the flaw. Some unrelated vulnerabilities 
found by Mark Litchfield are also fixed. Information about downloading 
and applying the updates can be found here:

http://service.real.com/help/faq/security/040123_player/EN/



CREDITS
=======

The vulnerability was discovered by Jouko Pynnönen, Finland.




-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko@xxxxxx            GSM: +358 41 5504555

Prev by Date: Possible new cross zone scripting in IE
Next by Date: Re: HelpCtr - allow open any page or run
Previous by thread: Re: Possible new cross zone scripting in IE
Next by thread: XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal
Index(es):
- Date
- Thread