Credit:
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=837
Vulnerable Systems:
* RealPlayer version 11 on Windows
* RealPlayer 10.1.0.3830 for Linux
The vulnerability specifically exists in the handling of the 'chunked' Transfer-Encoding method. This method breaks the file the server is sending into 'chunks'. For each chunk, the server first sends the length of the chunk in hexadecimal, followed by the chunk data. This is repeated until there are no more chunks. The server then sends a chunk length of zero (0) indicating the end of the transfer. When processing these chunks, an integer overflow occurs, which results in a heap overflow. This leads to the execution of arbitrary code.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running RealPlayer.
To be successful, an attacker must persuade a user to open specially crafted media with RealPlayer. This could be accomplished via a Web page using the RealPlayer plug-in or a direct link to the malicious media.
It appears that the RealPlayer plug-in for Firefox uses the browser to download files via HTTP. The RealPlayer chunked encoding processing is not used in this scenario. However, RealPlayer does provide a right-click context menu to open the document within RealPlayer itself. As such, using Firefox does not prevent exploitation altogether.
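The description above covers the chunk-size/chunk-data loop and the integer overflow that turns a claimed chunk length into a heap overflow. The following is an added example written for this page, not RealPlayer's code and not part of the iDefense advisory: a small chunked-body decoder in C showing the two arithmetic checks that close this bug class in any such parser, refusing hexadecimal sizes that wrap size_t and never computing `total + chunk_len` when testing against the output buffer. The function names and the three sample bodies are constructed for illustration; nothing here reflects the actual vulnerable routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Parse one hexadecimal chunk-size field (everything before an optional ';'
 * extension), refusing any value that would not fit in size_t.
 * Returns 0 on success, -1 on malformed or oversized input.
 */
int parse_chunk_size(const char *s, size_t n, size_t *out)
{
    size_t val = 0, i, digits = 0;
    for (i = 0; i < n && s[i] != ';'; i++) {
        int c = (unsigned char)s[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        if (val > (SIZE_MAX >> 4)) return -1;   /* val * 16 would wrap */
        val = (val << 4) | (size_t)d;
        digits++;
    }
    if (digits == 0) return -1;
    *out = val;
    return 0;
}

/* The arithmetic at the heart of this bug class: the naive test wraps when
 * len is huge, the checked form cannot. */
int fits_naive(size_t total, size_t len, size_t cap)   { return total + len <= cap; }
int fits_checked(size_t total, size_t len, size_t cap) { return total <= cap && len <= cap - total; }

/*
 * Decode a complete chunked body held in memory into out (capacity out_cap).
 * Returns the number of decoded bytes, or -1 on any malformed, truncated,
 * overlong or oversized input. Trailer headers after the zero chunk are ignored.
 */
long decode_chunked(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_cap)
{
    size_t pos = 0, total = 0;
    for (;;) {
        size_t eol = pos, chunk_len;
        /* locate the CRLF ending the size line */
        while (eol + 1 < in_len && !(in[eol] == '\r' && in[eol + 1] == '\n')) eol++;
        if (eol + 1 >= in_len) return -1;                       /* truncated */
        if (parse_chunk_size((const char *)in + pos, eol - pos, &chunk_len) != 0) return -1;
        pos = eol + 2;
        if (chunk_len == 0) return (long)total;                 /* last chunk */
        /* the claimed length plus its trailing CRLF must really be present */
        if (chunk_len > in_len - pos || in_len - pos - chunk_len < 2) return -1;
        /* capacity check in the non-wrapping form */
        if (!fits_checked(total, chunk_len, out_cap)) return -1;
        memcpy(out + total, in + pos, chunk_len);
        total += chunk_len;
        pos += chunk_len;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* Constructed sample bodies (not real captures). */
const char SAMPLE_OK[]           = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
const char SAMPLE_HEX_OVERFLOW[] = "FFFFFFFFFFFFFFFFFFFF\r\nxx\r\n0\r\n\r\n"; /* 20 hex digits */
const char SAMPLE_LIE[]          = "FFFFFFFF\r\nhi\r\n0\r\n\r\n";             /* 4 GiB claimed, 2 bytes sent */

/* Helper for the demo: decode body into a 128-byte scratch buffer limited to cap. */
long demo_decode(const char *body, size_t cap)
{
    unsigned char out[128];
    if (cap > sizeof out) cap = sizeof out;
    return decode_chunked((const unsigned char *)body, strlen(body), out, cap);
}

int main(void)
{
    printf("well-formed body  -> %ld\n", demo_decode(SAMPLE_OK, 128));           /* 11 */
    printf("too small buffer  -> %ld\n", demo_decode(SAMPLE_OK, 8));             /* -1 */
    printf("hex size wraps    -> %ld\n", demo_decode(SAMPLE_HEX_OVERFLOW, 128)); /* -1 */
    printf("length not present-> %ld\n", demo_decode(SAMPLE_LIE, 128));          /* -1 */
    printf("naive/checked fit -> %d/%d\n", fits_naive(16, SIZE_MAX, 1024),
                                            fits_checked(16, SIZE_MAX, 1024));  /* 1/0 */
    return 0;
}
```

The two samples that fail are the interesting ones for review: `SAMPLE_HEX_OVERFLOW` is rejected while the size is still being parsed, and `SAMPLE_LIE` is rejected because the decoder compares the claimed length against the bytes actually received before touching the destination buffer. A decoder that trusted the size line and sized or indexed a heap buffer from it would have exactly the failure mode the advisory describes.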
Patch Availability:
RealNetworks has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the following URL:
http://service.real.com/realplayer/security/01192010_player/en/
CVE Information:
CVE-2009-4243
Disclosure Timeline:
01/11/2008 Initial Contact
01/11/2009 Initial Response
02/01/2010 Coordinated public disclosure.