RealPlayer .SWF Multiple Remote Memory Corruption Vulnerabilities
By Sowhat of Nevis Labs
Date: 2006.03.22
CVE: CVE-2006-0323
US CERT: VU#231028
Vendor: RealNetworks Inc.
Windows: RealPlayer 8, RealOne Player & RealOne Player V2, RealPlayer 10, RealPlayer 10.5
Macintosh: RealOne Player, RealPlayer 10
Linux: RealPlayer 10
RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. For more information, visit http://www.real.com/.
Multiple vulnerabilities were found in swfformat.dll. A carefully crafted .swf file may execute arbitrary code or crash RealPlayer.
By persuading a user to access a specially crafted SWF file with RealPlayer, a remote attacker may be able to execute arbitrary code. These vulnerabilities can also be triggered remotely through ActiveX in IE.
Setting the declared size of an SWF file to a value smaller than its actual size triggers one of the vulnerabilities.
In fact, multiple holes have been fixed in swfformat.dll.
No PoC will be released for this.
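As an added defensive illustration (not part of the original advisory and not RealNetworks code), the Python check below compares the FileLength field in an SWF header with the file's real size, which is the mismatch described above. It assumes the standard 8-byte SWF header (3-byte signature FWS or CWS, 1-byte version, 4-byte little-endian length); the function names, result labels and the 64 MiB inflate cap are choices made for this example.

```python
import struct
import zlib

MAX_INFLATED = 64 * 1024 * 1024  # assumed cap against decompression bombs

def _inflated_size(body: bytes, limit: int = MAX_INFLATED) -> int:
    """Size of the zlib-inflated body, read in bounded chunks."""
    d, buf, total = zlib.decompressobj(), body, 0
    while not d.eof:
        chunk = d.decompress(buf, 65536)
        buf = d.unconsumed_tail
        total += len(chunk)
        if total > limit:
            raise ValueError("inflated body exceeds limit")
        if not chunk and not buf:
            raise ValueError("truncated zlib stream")
    return total

def check_swf_length(data: bytes) -> str:
    """Classify an SWF by comparing header FileLength with its real size."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return "malformed"
    declared = struct.unpack_from("<I", data, 4)[0]  # bytes 4..7, little-endian
    try:
        # FileLength counts the whole file; for CWS, the size after inflation.
        actual = len(data) if data[:3] == b"FWS" else 8 + _inflated_size(data[8:])
    except (ValueError, zlib.error):
        return "malformed"
    if declared < actual:
        return "declared-smaller"  # the condition this advisory describes
    if declared > actual:
        return "declared-larger"   # file truncated, or header overstates size
    return "ok"

def make_sample(sig: bytes, declared_delta: int) -> bytes:
    """Constructed sample: header plus 32 filler bytes (not a playable movie)."""
    body = bytes(32)
    header = sig + bytes([6]) + struct.pack("<I", 8 + len(body) + declared_delta)
    return header + (zlib.compress(body) if sig == b"CWS" else body)

if __name__ == "__main__":
    for sig in (b"FWS", b"CWS"):
        for delta in (0, -16, 8):
            print(sig.decode(), delta, check_swf_length(make_sample(sig, delta)))
```

A "declared-smaller" result only shows that the header understates the file size; such files are candidates for quarantine or closer inspection before they reach an unpatched player.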
2005.10.07 Vendor notified via email
2005.10.07 Vendor responded
2005.03.22 Patch released
2006.04.11 Advisory released
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Greetings to Paul Gese@real.com, Chi, OYXin, Narasimha Datta and all Nevis Labs guys.
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"