
UNIRAS Brief - 476/05 - AusCERT Security Advisory: AA-2005.010 - RealPlayer, RealOne Player, Rhapsody



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 476/05 dated 20.06.05  Time: 14:15  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

AusCERT Security Advisory: AA-2005.010 - RealPlayer, RealOne Player, Rhapsody 
and Helix Player multiple vulnerabilities

Detail
====== 

Four vulnerabilities have been reported in RealPlayer, RealOne Player, 
Rhapsody and Helix Player that potentially allow remote attackers to 
execute arbitrary code with minimal user interaction. Different 
operating systems and player versions are affected by each 
vulnerability, as described in DETAILS below.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2005.010                  

           RealPlayer, RealOne Player, Rhapsody and Helix Player
                         multiple vulnerabilities
                               24 June 2005
- - ---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:           RealPlayer 10.5 and prior
                   RealOne Player v2 and prior
                   RealPlayer Enterprise
                   Rhapsody 3 and prior
                   Helix Player 10.0.4 and prior
Operating System:  Windows
                   Mac OS
                   Linux variants
Impact:            Execute Arbitrary Code/Commands
                   Overwrite Arbitrary Files
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-1277


OVERVIEW:

	Four vulnerabilities have been reported in RealPlayer, RealOne Player, 
	Rhapsody and Helix Player that potentially allow remote attackers to 
	execute arbitrary code with minimal user interaction. Different 
	operating systems and player versions are affected by each 
	vulnerability, as described in DETAILS below.


IMPACT:

	Vulnerabilities 1, 2 and 3 each allow a remote attacker to execute 
	arbitrary code with the privileges of the user running the player. 
	Vulnerability 2 may also be used to overwrite arbitrary files. 

	The impact of vulnerability 4 has not been disclosed, but it may 
	potentially allow execution of arbitrary code in the "Local Machine" 
	zone, with the privileges of the user running the player.

	Note that in a default install the user's web browser will not prompt 
	the user before opening RealMedia files, so the vulnerabilities may
	be exploited with minimal user interaction.


MITIGATION:

	RealNetworks has released updates or new versions for each of the 
	affected products. These are available at the URLs below.

	Windows RealPlayer and RealOne Player:
	http://service.real.com/help/faq/security/050623_player/EN/player.rnx

	RealPlayer Enterprise:
	http://service.real.com/help/faq/security/security062305.html
	
	Mac RealPlayer:
	http://www.real.com/upgrade/mac_upgrade.html
	
	Linux RealPlayer:
	http://www.real.com/linux

	Helix Player:
	http://player.helixcommunity.org/downloads/


DETAILS:

	1. A specially crafted RealMedia file can be used by a remote attacker 
	   to cause a heap overflow in the player, allowing execution of 
	   arbitrary code.[2] CVE number CAN-2005-1277 has been assigned to 
	   this vulnerability. Affected versions are as follows:

		Windows:
		RealPlayer versions 8, 10, 10.5 build 6.0.12.1069 and prior
		RealOne Player v2 and prior
		RealPlayer Enterprise

		Mac OS:
		RealPlayer 10 build 10.0.0.331 and prior
		RealOne Player

		Linux:
		RealPlayer 10 build 10.0.4 and prior
		Helix Player 10.0.4 and prior

	2. A remote attacker can supply a specially crafted MP3 file allowing
	   execution of an ActiveX control on the user's machine, or the
	   overwriting of arbitrary files. Affected versions:

		Windows:
		RealPlayer versions 10, 10.5 build 6.0.12.1069 and prior
		RealOne Player v2 and prior

	3. A malicious AVI file can be used by a remote attacker to cause a
	   buffer overflow in vidplin.dll, allowing execution of arbitrary
	   code.[3] Affected versions are as follows:

		Windows:
		RealPlayer versions 8, 10, 10.5 build 6.0.12.1069 and prior
		RealOne Player v2 and prior
		RealPlayer Enterprise
		Rhapsody 3 build 0.1006 and prior

	4. On Windows systems, depending on Internet Explorer configuration, 
	   a malicious website may be able to cause an HTML file to be created
	   on the user's system then reference this local HTML in an RM file.
	   The default configuration of recent IE versions is not vulnerable 
	   to this issue. 

		Windows:
		RealPlayer versions 8, 10, 10.5 build 6.0.12.1069 and prior
		RealOne Player v2 and prior
		RealPlayer Enterprise


REFERENCES:

	[1] RealNetworks security advisory
	    http://service.real.com/help/faq/security/050623_player/EN/

	[2] iDEFENSE advisory for vulnerability 1
	    http://www.idefense.com/application/poi/display?id=250

	[3] eEye advisory for vulnerability 3
	    http://www.eeye.com/html/research/advisories/AD200505.html


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of AusCERT for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
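
The per-vulnerability lists under DETAILS in the advisory above, turned into an inventory triage check. This is an added example, not part of the UNIRAS or AusCERT text; the Install record, the function names and the sample rows are constructed for illustration. It assumes builds compare numerically field by field, that only the versions each list names are matched, and that an unknown build counts as affected.

```python
from collections import namedtuple

# os: "windows"/"mac"/"linux"; product: name as the advisory spells it;
# version: marketing version ("10.5"); build: dotted build string, None if unknown.
Install = namedtuple("Install", "os product version build")

def build_at_or_below(build, limit):
    """Numeric, zero-padded dotted compare; an unknown build counts as affected."""
    if build is None:
        return True
    a = [int(p) for p in build.split(".")]
    b = [int(p) for p in limit.split(".")]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) <= b + [0] * (width - len(b))

# (vulnerability, os, product, versions named or None for any, build limit or None)
RULES = []
for vuln in (1, 3, 4):  # these three share the same Windows player list
    RULES += [
        (vuln, "windows", "RealPlayer", {"8", "10", "10.5"}, "6.0.12.1069"),
        (vuln, "windows", "RealOne Player", None, None),
        (vuln, "windows", "RealPlayer Enterprise", None, None),
    ]
RULES += [
    (1, "mac", "RealPlayer", {"10"}, "10.0.0.331"),
    (1, "mac", "RealOne Player", None, None),
    (1, "linux", "RealPlayer", {"10"}, "10.0.4"),
    (1, "linux", "Helix Player", None, "10.0.4"),
    (2, "windows", "RealPlayer", {"10", "10.5"}, "6.0.12.1069"),  # version 8 not listed
    (2, "windows", "RealOne Player", None, None),
    (3, "windows", "Rhapsody", {"3"}, "0.1006"),
]

def applicable_vulns(inst):
    """Return the sorted advisory vulnerability numbers (1-4) that match inst."""
    return sorted({
        vuln for vuln, os_name, product, versions, limit in RULES
        if (inst.os, inst.product) == (os_name, product)
        and (versions is None or inst.version in versions)
        and (limit is None or build_at_or_below(inst.build, limit))
    })

# Constructed inventory rows, not taken from the advisory.
SAMPLE = [Install("windows", "RealPlayer", "10.5", "6.0.12.1069"),
          Install("windows", "RealPlayer", "8", "6.0.9.584"),
          Install("linux", "Helix Player", "10", "10.0.5")]
if __name__ == "__main__":
    for row in SAMPLE:
        print(row, "->", applicable_vulns(row) or "not listed as affected")
```

A match on vulnerability 4 still depends on the Internet Explorer configuration noted in DETAILS, so treat it as a prompt to check that setting rather than as confirmation.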
