|
|
|
|
| |
Credit:
The information has been provided by iDefense.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547
|
| |
Vulnerable Systems:
* RealNetworks' RealPlayer and HelixPlayer version 10.5-GOLD
The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.
924 HX_RESULT
925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
926 {
...
957 char buf[10]; /* Flawfinder: ignore */
...
962 while (*pCh)
963 {
...
972 else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
973 {
974 // this will find the last +, - or Z... which is what we want.
975 pTimeZone = pCh;
976 }
...
982 ++pCh;
983 }
...
1101 if (pTimePos)
1102 {
1103 //HH:MM...
....
1133 if (*(pos-1) == ':')
1134 {
....
1148 if (*(pos-1) == '.')
1149 {
1150 // find end.
1151 UINT32 len = 0;
1152 if (pTimeZone)
1153 {
1154 len = pTimeZone - pos;
1155 }
1156 else
1157 {
1158 len = end - pos;
1159 }
1160 strncpy(buf, pos, len); /* Flawfinder: ignore */
The stack buffer is declared to be 10 bytes on line 957. You can see that it has a comment which will cause the FlawFinder program to ignore this buffer.
The loop, which begins on line 962, runs through the parameter to the function looking for characters that denote different sections of the time format. When it encounters white space, or the +, -, or Z characters it will record the location for later use. If a time was located and it contains both a colon and a period the vulnerable code will be reached.
The length of data to copy into the stack buffer is calculated either on line 1154 or line 1158 depending on whether or not a timezone is present. Neither calculations take into consideration the constant length of the 'buf' buffer and therefore a stack-based buffer overflow can occur on line 1160. Again, notice that this unsafe use of strncpy() is also marked with a FlawFinder ignore comment.
Analysis:
Exploitation requires that an attacker persuade a user to supply RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For example, this can be accomplished by convincing them to visit a malicious web page.
The data that is used to overflow the buffer is quite limited in the range of characters that are allowed. However, given the ease of address space manipulation within web browsers, exploitation is not substantially impacted by this limitation.
The RealPlayer plug-in can be referenced within a web browser by using CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA CLSID.
Workaround:
For Windows systems, setting the kill-bit for the associated CLSID, despite greatly reducing the media player's functionality, will mitigate exploitation. It should be noted that the CLSID listed may not be the only CLSID allowing access to the vulnerable code.
Vendor response:
RealNetworks has addressed this vulnerability by releasing fixed versions of their software.
RealNetworks has not provided iDefense with any links referring to updated packages or advisories. Installing the latest version from their web site will address the vulnerability.
CVE Information:
CVE-2007-3410
Disclosure Timeline:
10/02/2006 - Initial vendor notification
10/03/2006 - Initial vendor response
06/26/2007 - Public disclosure
|
|
|
|
|
