winreal.6-7.txt

Reported 06 Apr 2000 by Adam Muntner. Source: packetstorm (packetstormsecurity.com)

A buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7, is triggered by an over-long 'location' URL (300 characters or more). Because an HTML EMBED tag with AUTOSTART=true makes RealPlayer open the location automatically, a web page can trigger the overflow simply by being visited; the author suspects it allows arbitrary code execution.

Advisory text

Win32 RealPlayer 6/7 Buffer Overflow
  
Vulnerability Summary:  
----------------------  
There is a buffer overflow in the Win32 RealPlayer Basic client,  
versions 6 and 7. This appears to occur when >299 characters  
are entered as a 'location' to play, such as http://aaaaa.....  
with 300 a's. I have tested the MacOS and Linux RealPlayer  
clients and have as yet not found such a vulnerability.  
  
Using the HTML "EMBED" tag to embed RealPlayer in a webpage  
and setting the "AUTOSTART=true" flag, you can force RealPlayer  
to start automatically, triggering the overflow condition.  
While I have not taken the time to find the proper entry  
point in PNEN3260.DLL (which is what crashes, for example,  
in RealPlayer 6 Basic), it appears that arbitrary code could  
be executed simply by *VISITING* a webpage with the  
malicious embedded RealPlayer tags.  
  
(the following example is using RealPlayer v.6 Basic)  
  
In full effect, yo:  
-------------------  
For example: RealPlayer Win32 Version 6.0.7.380  
Type into "Location" http://aaaaaaaaaaa..... (300 a's)  
  
"This program has performed an illegal operation and will be shut  
down."  
REALPLAY caused an invalid page fault in  
module PNEN3260.DLL at 015f:6216d7ca.  
Registers:  
EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202  
EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88  
ECX=007c0350 DS=0167 ESI=007c0350 FS=629f  
EDX=00000001 ES=0167 EDI=007c0350 GS=0000  
Bytes at CS:EIP:  
ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d  
Stack dump:  
007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c  
6216d853 007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100  
007c0100 00c6fed4  
  
Fun. It looks like RealPlayer can be made to execute arbitrary  
code. It gets worse: using the HTML EMBED tag for RealPlayer, you  
can force a web browser (MSIE in this case) to crash as well.  
This is left as an exercise for the reader....  
  
Once you embed the RealPlayer in an html page, when Real crashes,  
it takes Internet Explorer with it...  
  
"This program has performed an illegal operation and will be shut  
down"  
IEXPLORE caused an invalid page fault in  
module KERNEL32.DLL at 015f:bff7a379.  
Registers:  
EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216  
EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864  
ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7  
EDX=084d0000 ES=0167 EDI=01615dac GS=0000  
Bytes at CS:EIP:  
89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50  
Stack dump:  
01615dac 00000000 084d000c 084d0000 084e5054  
00000000 00000000 00009afb 000084e6 0058d88c  
bff7a541 084d0000 084e5054 000003b4 00000000  
00000001  
  
  
and the extra bonus of:  
"This program has performed an illegal operation and will be shut  
down"  
IEXPLORE caused an invalid page fault in  
module PNEN3260.DLL at 015f:621874ba.  
Registers:  
EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202  
EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4  
ECX=08616860 DS=0167 ESI=086163e0 FS=3937  
EDX=61616161 ES=0167 EDI=8004004e GS=0000  
Bytes at CS:EIP:  
ff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90  
Stack dump:  
08616b90 085e69f0 067dfeec 6218893b 085034ec  
00400050 00400000 00400000 067dff04 621838b4  
08616b90 04606568 0000023c 086163e0 067dff38  
62183a47  
  
Load the malicious page enough times and you get a fun dialog box  
that just won't go away... unless you reboot.  
  
"This program has performed an illegal operation and will be shut  
down"  
IEXPLORE caused an invalid page fault in  
module KERNEL32.DLL at 015f:bff87eb5.  
Registers:  
EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206  
EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c  
ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f  
EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000  
Bytes at CS:EIP:  
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75  
Stack dump:  
  
etc etc etc.  
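The four fault dialogs above can be read mechanically rather than by eye. The following C program is an added example, not code from the advisory or from RealNetworks: it parses the register lines and the "Bytes at CS:EIP" list from each dialog, decodes the memory operand of the first instruction at EIP for the opcode forms that actually appear here (ff 10 is call dword ptr [eax]; 89 41 08 is mov [ecx+8], eax; ff 52 08 is call dword ptr [edx+8]; 53 is push ebx), and reports whether the register being dereferenced holds 0x61616161, the 'a' fill pattern. The dump texts embedded in it are the ones quoted above with the stack dumps omitted; the function, constant and register-table names are the example's own.

```c
/* Added example, not the advisory author's code: mechanical triage of the
 * Win9x "invalid page fault" dialogs quoted above. It parses the register
 * dump, decodes the memory operand of the first instruction at CS:EIP for the
 * opcode forms present in these dumps (FF /2 = CALL r/m32, 89/8B = MOV with a
 * memory operand) and reports whether the dereferenced register holds the
 * fill pattern 0x61616161, i.e. the 'a' bytes of the over-long location. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86 ModRM register numbering (not the order the dialog prints them in). */
enum { R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI,
       R_NONE = -1, R_PARSE_ERR = -2 };
static const char *REG_NAMES[8] = {"EAX","ECX","EDX","EBX","ESP","EBP","ESI","EDI"};
struct crash_dump { uint32_t regs[8]; uint8_t code[16]; int ncode; };

/* Register dumps quoted verbatim from the advisory (stack dumps omitted). */
static const char DUMP_REALPLAY_PNEN3260[] =
    "EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202\n"
    "EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88\n"
    "ECX=007c0350 DS=0167 ESI=007c0350 FS=629f\n"
    "EDX=00000001 ES=0167 EDI=007c0350 GS=0000\n"
    "Bytes at CS:EIP:\nff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d\nStack dump:\n";
static const char DUMP_IEXPLORE_KERNEL32[] =
    "EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216\n"
    "EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864\n"
    "ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7\n"
    "EDX=084d0000 ES=0167 EDI=01615dac GS=0000\n"
    "Bytes at CS:EIP:\n89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50\nStack dump:\n";
static const char DUMP_IEXPLORE_PNEN3260[] =
    "EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202\n"
    "EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4\n"
    "ECX=08616860 DS=0167 ESI=086163e0 FS=3937\n"
    "EDX=61616161 ES=0167 EDI=8004004e GS=0000\n"
    "Bytes at CS:EIP:\nff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90\nStack dump:\n";
static const char DUMP_IEXPLORE_KERNEL32_REPEAT[] =
    "EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206\n"
    "EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c\n"
    "ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f\n"
    "EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000\n"
    "Bytes at CS:EIP:\n53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75\nStack dump:\n";

/* Pull the eight general registers and the "Bytes at CS:EIP" list out of the dialog text. */
static int parse_dump(const char *text, struct crash_dump *d)
{
    memset(d, 0, sizeof *d);
    for (int i = 0; i < 8; i++) {
        char key[5];
        snprintf(key, sizeof key, "%s=", REG_NAMES[i]);
        const char *p = strstr(text, key);
        if (!p) return 0;
        d->regs[i] = (uint32_t)strtoul(p + 4, NULL, 16);
    }
    const char *b = strstr(text, "Bytes at CS:EIP:");
    if (!b) return 0;
    char *end;
    for (b += strlen("Bytes at CS:EIP:"); d->ncode < 16; b = end) {
        unsigned long v = strtoul(b, &end, 16);   /* "Stack dump:" is not hex: stop */
        if (end == b) break;
        d->code[d->ncode++] = (uint8_t)v;
    }
    return d->ncode > 0;
}

/* Base register of the memory operand of the first instruction at EIP, or
 * R_NONE. ModRM forms with a SIB byte or a bare disp32 are not decoded. */
static int mem_base_register(const uint8_t *code, int n, const char **mnemonic)
{
    if (n < 2) return R_NONE;
    int mod = code[1] >> 6, reg = (code[1] >> 3) & 7, rm = code[1] & 7;
    if (code[0] == 0xFF && reg == 2) *mnemonic = "call dword ptr [reg+disp]";
    else if (code[0] == 0x89)        *mnemonic = "mov [reg+disp], r32";
    else if (code[0] == 0x8B)        *mnemonic = "mov r32, [reg+disp]";
    else return R_NONE;              /* e.g. 53 = push ebx: no memory operand */
    if (mod == 3 || rm == 4 || (mod == 0 && rm == 5)) return R_NONE;
    return rm;
}

/* Register index when the instruction at EIP dereferences a register holding
 * the fill pattern; R_NONE otherwise; R_PARSE_ERR on malformed dialog text. */
static int triage(const char *dump_text, uint8_t fill, const char **mnemonic)
{
    struct crash_dump d;
    *mnemonic = "(no memory operand decoded)";
    if (!parse_dump(dump_text, &d)) return R_PARSE_ERR;
    int r = mem_base_register(d.code, d.ncode, mnemonic);
    return (r != R_NONE && d.regs[r] == fill * 0x01010101u) ? r : R_NONE;
}

int main(void)
{
    const char *dumps[] = { DUMP_REALPLAY_PNEN3260, DUMP_IEXPLORE_KERNEL32,
                            DUMP_IEXPLORE_PNEN3260, DUMP_IEXPLORE_KERNEL32_REPEAT };
    for (int i = 0; i < 4; i++) {
        const char *mn;
        int r = triage(dumps[i], 'a', &mn);
        if (r >= 0) printf("dump %d: %s with %s=0x61616161: dereference of an "
                           "attacker-controlled pointer\n", i + 1, mn, REG_NAMES[r]);
        else printf("dump %d: %s\n", i + 1, r == R_NONE ? "no fill-pattern dereference" : "parse error");
    }
    return 0;
}
```

Three of the four dumps resolve to a dereference through a register holding the fill pattern, and in the REALPLAY dump and the second IEXPLORE/PNEN3260 dump that dereference is an indirect call. EIP is still inside the faulting library in every case, so what the dialogs show is corruption of a pointer that the code later reads or calls through, not a hijacked return address; an indirect call through attacker-supplied bytes is what makes the advisory's "arbitrary code" suspicion well founded. The decoder is deliberately narrow (no SIB, no disp32-only forms, no prefixes) and returns R_NONE rather than guess for anything outside that set.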
  
Resolution:  
-----------  
Vendor Notified 3 April 2000, 10:00 AM MST via email.  
Vendor patch should be forthcoming...  
  
----------------------------------------------------  
- Adam Muntner \ Save the Whales! -  
- [email protected] \ Collect Valuable -  
- Systems Engineer \ Prizes! -  
- http://www.alienzoo.com \ -  
----------------------------------------------------  
  