<<< Date Index >>>     <<< Thread Index >>>

Re: RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow



Hi, 

Does this overflow affect versions of RealPlayer installable on mobile 
platforms too (like Windows PocketPC, CE, mobile et cetera)? 

Regards
Göran Sandahl

On Wednesday 20 April 2005 07:08, Piotr Bania wrote:
>       RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap
>       Overflow
>       by Piotr Bania <bania.piotr@xxxxxxxxx>
>       http://pb.specialised.info
>
>       Original location:
>       http://pb.specialised.info/all/adv/real-ram-adv.txt
>
>
>       Severity:               Critical - Remote code execution.
>
>       Software affected:      (WINDOWS)
>                               RealPlayer 10.5 (6.0.12.1040 - 1059)
>                               RealPlayer 10
>                               RealOne Player v2
>                               RealOne Player v1
>                               RealPlayer 8
>                               RealPlayer Enterprise
>
>                               (MAC)
>                               Mac RealPlayer 10 (10.0.0.305 - 331)
>                               Mac RealOne Player
>
>                               (LINUX)
>                               Linux RealPlayer 10 (10.0.0 - 3)
>                               Helix Player (10.0.0 - 3)
>
>
>
>
>
>       I.  BACKGROUND
>
>       Real*Player* is surely one of the most popular media players
>       nowadays  with over a 200 million of users worldwide.
>
>       II. DESCRIPTION
>
>       The problem exists when RealPlayer parses special crafted .ram
>       file. Normaly .ram file looks like that:
>
>       --CUT--
>       http://www.host.com/media/getmetafile.ram?pinfo=fid:2663610| \
>       bw:MULTI|mt:ro|mft:metafile|cr:1|refsite:276
>       --CUT--
>
>       this causes RealPlayer to contact "www.host.com" and try to
>       download and play selected clip. The problem exists when host
>       string is too long, like here:
>
>       --CUT--
>       http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>.   \
>       .org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \
>       mft:metafile|cr:1|refsite:276
>       --CUT--
>
>       While parsing such crafted .ram file heap memory is being
>       corrupted at multiple locations, for example:
>
>       FIRST HEAP CORRUPTION:
>
>       ----// SNIP SNIP //--------------------------------------------
>       (MODULE PNEN3260)
>       01053089   76 0D            JBE SHORT pnen3260.01053098
>       0105308B   8B53 15          MOV EDX,DWORD PTR DS:[EBX+15]
>       0105308E   890496           MOV DWORD PTR DS:[ESI+EDX*4],EAX<---
>       01053091   8B43 15          MOV EAX,DWORD PTR DS:[EBX+15]
>       01053094   40               INC EAX
>       01053095   8943 15          MOV DWORD PTR DS:[EBX+15],EAX
>       ----// SNIP SNIP //--------------------------------------------
>
>       THE FINAL HEAP OVERWRITE:
>
>       ----// SNIP SNIP //---------------------------------------------
>       (MODULE PNCRT - PNCRT!strncpy+0x8b)
>       60A2FA59   8917             MOV DWORD PTR DS:[EDI],EDX
>       60A2FA5B   83C7 04          ADD EDI,4
>       60A2FA5E   49               DEC ECX
>       60A2FA5F  ^74 AF            JE SHORT PNCRT.60A2FA10
>       ----// SNIP SNIP //---------------------------------------------
>
>
>       In the following code EDI points to heap location, and EDX
>       contains read   bytes. Instruction at 60A2Fa59 writes value of
>       EDX register into the   location where EDI points (heap memory),
>       this causes a heap memory corruption.
>
>
>       III. IMPACT
>
>       Successful exploitation may allow the attacker to run arbitrary
>       code in context of user running RealPlayer.
>
>       IV.  VENDOR RESPONSE
>
>       I would like to acknowledge the cooperation and responsiveness
>       of the people at RealNetworks. Security patches are available at
> http://www.real.com.
>
>
>
> best regards,
> Piotr Bania

-- 
// Göran Sandahl
// email, goran@xxxxxxxxxxxx
// web,   http://gsandahl.net