RealOne / RealPlayer are one of the most widely used products for internet media delivery. According to Real, there are currently around 115 million users worldwide. RealOne is the updated version of RealPlayer. Both suffer from multiple overrun issues.
Credit:
The information has been provided by Mark Litchfield.
This advisory details three remotely exploitable overruns, two being heap based overflows and the other being a stack based overflow. On exploitation of these overruns any supplied code would execute in the security context of the logged on user.
1) By following a link to a SMIL file (Synchronized Multimedia Integration Language), RealPlayer will automatically download the file in an attempt to play its content. By supplying an overly long parameter within the SMIL file a heap overflow would occur in RealPlay.exe. According to Real, they have fixed the issue by fixing the player status code to handle the cases where there are large number of characters in the metadata of a SMIL file.
2) By supplying an overly long rtsp:// filename parameter, for example within a .m3u file, when a link was followed, Real again would download the file. When play is selected a heap overflow occurs in RealPlay.exe This has apparently been fixed by Real by improving the robustness of URL handling in this portion of the product.
3) Again, referring to number two if the 'victim' were to download the file with a large filename (whether it was on local/rtsp or an HTTP URL) Real Player would access violate when performing the following: If the user were to right click in Now Playing and select "Edit Clip info" or right click in "Now Playing" and "Select copy to my Library". In this particular instance a stack overflow would occur in RealPlayer.
Fix Information:
NGSSoftware alerted Real to these problems on the 1st November 2002. NGSSoftware highly recommend installing the patch found at http://service.real.com/help/faq/security/bufferoverrun_player.html. Alternatively if you Open RealPlayer - Help - About Real Player, you will notice a Check For Updates feature. Select this.
In Real's own advisory they omit the fact that RealOne Enterprise Desktop is also vulnerable, but only to issues 2 & 3.
