RealPlayer is a popular multimedia player developed by RealNetworks. One of its features is RMP files, RealJukebox Metadata Packages. These are XML-formatted files which may contain e.g. playlists, references to skin files (*.rjs), and information about related web pages.
A heap overflow vulnerability inside the shared library allows a remote attacker to reliably overwrite heap memory with arbitrary data and execute arbitrary code in the context of the user opening a crafted .rm media file.
Credit:
The information has been provided by Marc Maiffret - eEye Digital Security.
Vulnerable Systems:
* RealPlayer 10.5 (6.0.12.1040 and earlier) for Windows
* RealPlayer 10 for Windows
* RealPlayer 8 (Local Playback) for Windows
* RealOne Player V2 for Windows
* RealOne Player V1 for Windows
* RealPlayer 10 Beta for Mac OS X (Local Playback)
* RealOne Player for Mac OS X (Local Playback)
* Linux RealPlayer 10 (Local Playback)
* Helix Player for Linux (Local Playback)
Immune Systems:
* Updated versions of all products through the automatic update mechanism
A specially crafted, malformed .rm movie file, loaded together with a SMIL file, triggers a direct heap overwrite, after which reliable code execution is possible. The cause is a problem in the pnen3260.dll library used by the various affected products.
Among other things, the code in pnen3260.dll is responsible for handling .rm files. The vulnerability is triggered by setting the length field of the VIDORV30 data chunk to a value in the range 0xFFFFFFF8 to 0xFFFFFFFF. This causes an integer overflow in the size calculation, so that only a small block of memory is allocated. The movie is called from a SMIL file to handle the initial exception, eventually overflowing the buffer.
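The length-field arithmetic described above, as an added illustration that is not part of the advisory or of RealNetworks' code: a hypothetical chunk parser adds an assumed 8-byte header to the untrusted 32-bit length, so values 0xFFFFFFF8 to 0xFFFFFFFF wrap to 0 to 7 bytes, and the hardened variant rejects any length that would wrap or exceed the data actually present.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical chunk header size (tag + length). The real pnen3260.dll
 * layout is not given on this page; this models only the wraparound the
 * advisory describes. */
#define CHUNK_HEADER_LEN 8u

/* Unchecked size computation, as a 32-bit parser might do it. For length
 * values 0xFFFFFFF8..0xFFFFFFFF the addition wraps modulo 2^32 to 0..7, so
 * a tiny block is allocated while a later copy trusts the original length. */
uint32_t unchecked_alloc_size(uint32_t chunk_len)
{
    return chunk_len + CHUNK_HEADER_LEN;
}

/* Hardened version: refuse a length that would wrap or that claims more
 * bytes than remain in the file. Returns 1 and fills *out_size on success,
 * 0 on rejection. */
int checked_alloc_size(uint32_t chunk_len, uint32_t remaining_in_file,
                       uint32_t *out_size)
{
    if (chunk_len > UINT32_MAX - CHUNK_HEADER_LEN)
        return 0;                       /* addition would wrap */
    if (chunk_len > remaining_in_file)
        return 0;                       /* more data claimed than exists */
    *out_size = chunk_len + CHUNK_HEADER_LEN;
    return 1;
}

int main(void)
{
    uint32_t sz;
    /* Walk the exact range named in the advisory plus one sane length. */
    uint32_t samples[] = { 0xFFFFFFF8u, 0xFFFFFFFBu, 0xFFFFFFFFu, 1024u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len = samples[i];
        printf("len=0x%08X unchecked=%u checked=%s\n", len,
               unchecked_alloc_size(len),
               checked_alloc_size(len, 4096u, &sz) ? "accepted" : "rejected");
    }
    return 0;
}
```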
Vendor Status:
RealNetworks have released a fix for the vulnerability. It can be obtained from their automatic update system. In order to access it, the Tools menu contains the option to check for a new update.