
UNIRAS Brief - 547/04 - eEye Security Bulletin


- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 547/04 dated 05.10.04  Time: 14:50  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------


eEye Security Bulletin - RealPlayer pnen3260.dll Heap Overflow


eEye Digital Security has discovered a critical vulnerability in RealPlayer. The vulnerability 
allows a remote attacker to reliably overwrite heap memory with arbitrary data and execute 
arbitrary code in the context of the user who executed the player.

                  ESB-2004.0620 -- eEye Security Bulletin
                   RealPlayer pnen3260.dll Heap Overflow
                              4 October 2004

Product:                RealPlayer
                        RealOne Player
Publisher:              eEye Digital Security
Operating System:       Windows
                        Linux variants
                        Mac OS X
                        Mac OS
Impact:                 Execute Arbitrary Code/Commands
Access:                 Remote/Unauthenticated

- - --------------------------BEGIN INCLUDED TEXT--------------------

RealPlayer pnen3260.dll Heap Overflow

Release Date:
October 1, 2004

Date Reported:
August 09, 2004

Severity:
High (Remote Code Execution)


Systems Affected:
RealPlayer 10.5 (and earlier)
RealPlayer 10
RealPlayer 8 (Local Playback)
RealOne Player V2
RealOne Player V1

Mac Player:
RealPlayer 10 Beta for Mac OS X (Local Playback)
RealOne Player (Local Playback)

Linux Player:
Linux RealPlayer 10 (Local Playback)
Helix Player (Local Playback)

eEye Digital Security has discovered a critical vulnerability in RealPlayer. The vulnerability 
allows a remote attacker to reliably overwrite heap memory with arbitrary data and execute 
arbitrary code in the context of the user who executed the player.

This specific flaw exists within the pnen3260.dll file used by RealPlayer. By specially crafting
a malformed .rm movie file along with a SMIL file, a direct heap overwrite is triggered, and 
reliable code execution is then possible.

Technical Details:
The code in pnen3260.dll is, among other things, responsible for handling .rm files. The vulnerability
is triggered by setting the length field of the VIDORV30 data chunk to a value in the range
0xFFFFFFF8 - 0xFFFFFFFF. This causes an integer overflow in the size calculation, so only a small
block of memory is allocated for the chunk. The movie is then referenced from a SMIL file so that the
initial exception is handled, and the chunk data eventually overflows the undersized buffer.
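The arithmetic behind the flaw described above, as an added illustration in C (not eEye's or RealNetworks' code): a naive length-plus-header size computation wraps to a tiny value for declared lengths of 0xFFFFFFF8 through 0xFFFFFFFF, while a checked computation rejects them before anything is allocated or copied. The 8-byte chunk header, the sample chunk bytes and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-chunk header size added to the declared body length before
 * allocation (an assumption for this example, not the real .rm layout). */
#define CHUNK_HDR_LEN 8u

/* Constructed 16-byte chunk body standing in for VIDORV30 data on disk. */
static const uint8_t SAMPLE_CHUNK[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};

/* Naive size computation: 32-bit wraparound turns a declared length in the
 * range 0xFFFFFFF8..0xFFFFFFFF into an allocation size of 0..7 bytes. */
uint32_t naive_alloc_size(uint32_t declared_len)
{
    return declared_len + CHUNK_HDR_LEN;
}

/* Checked computation: returns 0 (never a valid size here) when the addition
 * would wrap or when the chunk claims more bytes than the file still holds. */
uint32_t checked_alloc_size(uint32_t declared_len, uint32_t remaining)
{
    if (declared_len > UINT32_MAX - CHUNK_HDR_LEN)
        return 0;                       /* would wrap around */
    if (declared_len > remaining)
        return 0;                       /* claims more data than exists */
    return declared_len + CHUNK_HDR_LEN;
}

/* Parse step for the sample chunk: allocate only after validation, then copy
 * the body behind the header. Returns bytes copied, or -1 if rejected. */
long parse_sample_chunk(uint32_t declared_len)
{
    uint32_t remaining = (uint32_t)sizeof SAMPLE_CHUNK;
    uint32_t size = checked_alloc_size(declared_len, remaining);
    if (size == 0)
        return -1;
    uint8_t *buf = malloc(size);
    if (buf == NULL)
        return -1;
    memcpy(buf + CHUNK_HDR_LEN, SAMPLE_CHUNK, declared_len); /* fits: size >= len + hdr */
    free(buf);
    return (long)declared_len;
}
```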

Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is available via the "Check for
Update" menu item under Tools on the RealPlayer menu bar.

Discovery: Karl Lynn

Related Links:
Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html

Joel Degan, Mark Dowd, Bruce Felker, Mike Puterbaugh, Las Vegas craps tables and the coolers.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be 
edited in any way without express consent of eEye. If you wish to reprint the whole or any part of 
this alert in any other medium excluding electronic medium, please email alert@xxxxxxxx for permission.

The information within this paper may change without notice. Use of this information constitutes 
acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard 
to this information. In no event shall the author be liable for any direct or indirect damages 
whatsoever arising out of or in connection with the use or spread of this information. Any use of 
this information is at the user's own risk.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone; Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of eEye for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>