[Full-disclosure] Realplayer .SWF Multiple Remote Memory Corruption Vulnerabilities

2006-04-11T00:00:00
ID SECURITYVULNS:DOC:12161
Type securityvulns
Reporter Securityvulns
Modified 2006-04-11T00:00:00

Description

Realplayer .SWF Multiple Remote Memory Corruption Vulnerabilities

By Sowhat of Nevis Labs
Date: 2006.03.22

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060322.txt

CVE: CVE-2006-0323
US CERT: VU#231028

Vendor: RealNetworks Inc.

Products affected:

Windows:
  RealPlayer 8
  RealOne Player & RealOne Player V2
  RealPlayer 10
  RealPlayer 10.5

Macintosh:
  RealOne Player
  RealPlayer 10

Linux:
  RealPlayer 10

Overview:

RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. For more information, visit http://www.real.com/.

Details:

Multiple vulnerabilities were found in swfformat.dll. A carefully crafted .swf file may execute arbitrary code or crash RealPlayer.

By persuading a user to open a specially crafted SWF file with RealPlayer, a remote attacker may be able to execute arbitrary code. These vulnerabilities can also be triggered remotely through ActiveX in IE.

Setting the size of an SWF file to a value smaller than its actual size triggers one of the vulnerabilities.

Multiple holes have in fact been fixed in swfformat.dll.
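
The size mismatch described above can be screened for before a file ever reaches a player. The following is an added example, not part of the original advisory and not RealNetworks code: it compares the FileLength field of the SWF header with the file's real size, inflating CWS bodies first. The function names, result strings and the 64 MB inflation cap are assumptions, and the sample files are constructed.

```python
import struct
import zlib

HEADER_LEN = 8                    # signature (3) + version (1) + FileLength (4, LE)
MAX_INFLATED = 64 * 1024 * 1024   # assumed cap that bounds decompression work


def check_swf_length(data: bytes) -> str:
    """Compare the FileLength header field with the real size of an SWF blob."""
    if len(data) < HEADER_LEN:
        return "truncated-header"
    signature = data[:3]
    declared = struct.unpack_from("<I", data, 4)[0]
    if signature == b"FWS":                      # uncompressed SWF
        actual = len(data)
    elif signature == b"CWS":                    # zlib-compressed after the header
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(data[HEADER_LEN:], MAX_INFLATED)
        except zlib.error:
            return "bad-zlib-stream"
        if inflater.unconsumed_tail:
            return "inflated-too-large"
        if not inflater.eof:
            return "bad-zlib-stream"
        actual = HEADER_LEN + len(body)          # FileLength counts inflated bytes
    else:
        return "not-swf"
    if declared < actual:
        return "declared-smaller-than-actual"    # the condition the advisory names
    if declared > actual:
        return "declared-larger-than-actual"     # e.g. a truncated file
    return "ok"


def make_swf(declared: int, body: bytes, compressed: bool = False) -> bytes:
    """Build a constructed sample: header plus an opaque body (not a real movie)."""
    signature = b"CWS" if compressed else b"FWS"
    payload = zlib.compress(body) if compressed else body
    return signature + bytes([6]) + struct.pack("<I", declared) + payload


if __name__ == "__main__":
    for name, blob in [("consistent", make_swf(24, bytes(16))),
                       ("short length", make_swf(12, bytes(16))),
                       ("compressed", make_swf(24, bytes(16), compressed=True))]:
        print(name, "->", check_swf_length(blob))
```

A mail or web gateway can quarantine anything that does not return "ok"; the check is a pre-filter and does not replace installing the vendor fix.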

POC:

No PoC will be released for this.

FIX:

http://service.real.com/realplayer/security/03162006_player/en/

Vendor Response:

2005.10.07 Vendor notified via email
2005.10.07 Vendor responded
2005.03.22 Patch released
2006.04.11 Advisory released

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

    CVE-2006-0323

Greetings to Paul Gese@real.com, Chi, OYXin, Narasimha Datta and all Nevis Labs guys.

References:

  1. http://service.real.com/realplayer/security/03162006_player/en/
  2. http://www.kb.cert.org/vuls/id/231028
  3. http://www.macromedia.com/licensing/developer/fileformat/faq/
  4. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323
  5. http://www.gentoo.org/security/en/glsa/glsa-200603-24.xml
  6. http://www.novell.com/linux/security/advisories/2006_18_realplayer.html
  7. http://secunia.com/advisories/19358/

--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

