Lack of proper length validation in RealPlayer's data packet handling allows attackers to cause the program to execute arbitrary code using a buffer overflow.
Credit:
The information has been provided by eEye.
The vendor advisory can be found at: http://service.real.com/help/faq/security/051110_player/EN/
Vulnerable Systems:
* RealPlayer version 10.5 (6.0.12.1040-1235) for Windows
* RealPlayer version 10 for Windows
* RealOne Player v2 for Windows
* RealOne Player v1 for Windows
* RealPlayer version 8 for Windows
* RealPlayer Enterprise for Windows
* RealPlayer 10 for Mac
* RealPlayer 10 (10.0.0 - 5) for Linux
* Helix Player (10.0.0 - 5) for Linux
This specific flaw exists in the handling of the first data packet contained in a Real Media file. A specially crafted, malformed .rm movie file triggers a direct stack overwrite, and reliable code execution is then possible.
The vulnerability is triggered by setting the application-specific length field of the [data packet + 1] to a value in the range 0x80 - 0xFF, which causes a stack overflow. The value is sign-extended and passed as the length to memcpy.
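
The following C sketch is an added example, not RealPlayer's code: it shows how a one-byte length in the range 0x80 - 0xFF becomes a huge memcpy count once it is sign-extended, next to a bounds-checked copy that keeps the byte unsigned. The function names, the 64-byte buffer and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_BUF_SIZE 64  /* constructed size; the advisory does not give the real one */

/* Flawed pattern: the one-byte length is read as a signed value, so
 * 0x80-0xFF become negative, and the conversion to size_t that a
 * memcpy call performs turns them into a huge count. */
size_t length_sign_extended(unsigned char raw)
{
    int v = (raw & 0x80) ? (int)raw - 256 : (int)raw;  /* sign extension */
    return (size_t)v;
}

/* Hardened pattern: keep the byte unsigned and check it against both the
 * destination capacity and the bytes actually left in the input. */
int copy_field_checked(unsigned char *dst, size_t dst_cap,
                       const unsigned char *src, size_t src_avail,
                       unsigned char raw_len)
{
    size_t len = raw_len;  /* zero extension: 0x80 stays 128 */
    if (len > dst_cap || len > src_avail)
        return -1;         /* reject the packet instead of copying */
    memcpy(dst, src, len);
    return (int)len;
}

int main(void)
{
    unsigned char packet[256] = {0};  /* constructed input, not a real .rm file */
    unsigned char field[FIELD_BUF_SIZE];
    const unsigned char samples[] = {0x10, 0x7F, 0x80, 0xFF};

    for (size_t i = 0; i < sizeof samples; i++) {
        unsigned char raw = samples[i];
        printf("raw=0x%02X signed-path length=%zu checked copy=%d\n",
               raw, length_sign_extended(raw),
               copy_field_checked(field, sizeof field, packet, sizeof packet, raw));
    }
    return 0;
}
```
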
Vendor Status:
The vendor has issued a patch: http://service.real.com/help/faq/security/051110_player/EN/
CVE Information:
CAN-2005-2629