OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: Fri Nov 22 2002 - 11:48:39 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Multiple Buffer Overruns RealOne / RealPlayer / RealOne Enterprise
    Desktop
    Systems Affected: Windows All
    Severity: Critical
    Category: Remote Buffer Overrun
    Vendor URL: http://www.real.com/
    Author: Mark Litchfield (markngssoftware.com)
    Date: 22nd November 2002
    Advisory number: #NISR22112002

    Description
    ***********
    RealOne / RealPlayer is one of the most widely used products for internet
    media delivery. According to Real, there are currently around 115 million
    users worlwide of these products. RealOne is the updated version of
    RealPlayer. Both suffer from multiple overrun issues.

    Details
    *******
    This advisory details three remotely exploitable overruns, two being heap
    based overflows and the other being a stack based overflow. On exploitation
    of these overruns any supplied code would execute in the security context of
    the logged on user.

    1) By following a link to a SMIL file (Synchronized Multimedia Integration
    Language), RealPlayer will automatically download the file in an attempt to
    play its content. By suppling an overly long paramter within the SMIL file
    a heap overflow would occur in RealPlay.exe. According to Real, they have
    fixed the issue by fixing the player status code to handle the cases where
    there are large number of characters in the metadata of a smil file.

    2) By suppling an overly long rtsp:// filename parameter, for example
    within a .m3u file, when a link was followed, Real again would download the
    file. When play is selected a heap overflow ocurrs in RealPlay.exe This
    has apparently been fixed by Real by improving the robustness of URL
    handling in this portion of the product.

    3) Again, referring to number two if the 'victim' were to download the file
    with a large filename (whether it was on local/rtsp or an http url) Real
    Player would access violate when performing the following: If the user were
    to right click in Now Playing and select "Edit Clip info" or right click in
    "Now Playing" and "Select copy to my Library". In this particular instance
    a stack overflow would occur in RealPlayer.

    Fix Information
    ***************
    NGSSoftware alerted Real to these problems on the 1st November 2002.
    NGSSoftware highly recommend installing the patch found at
    http://service.real.com/help/faq/security/bufferoverrun_player.html.
    Alternatively if you Open RealPlayer - Help - About Real Player, you will
    notice a Check For Updates feature. Select this.

    In Real's own advisory they omit the fact that RealOne Enterprise Desktop is
    also vulnerable, but only to issues 2 & 3.

    Further Information
    *******************
    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf