[Full-Disclosure] RealOne Player local privilege escalation

2003-09-09T00:00:00
ID SECURITYVULNS:DOC:5068
Type securityvulns
Reporter Securityvulns
Modified 2003-09-09T00:00:00

Description

Greetings,

RealOne Player for the UNIX platform, sometimes referred to as the "community supported" RealPlayer version 9, installs per-user configuration files with group write permissions by default. On most UNIX variants this is a serious issue: most users belong to the same group, and home directories are often created with the group read and execute bits set, which allows malicious local users to modify the RealOne configuration files of other users.

This issue was reported to the Real.com developers on June 18, 2003 by an anonymous user, and there is still no fix available despite the fact that this is a serious issue and the fix is trivial. However, developers are now aware of the problem and are going to be releasing a fix. In the meantime, run `chmod 700 ~/.realnetworks/*` and see this thread:

http://realforum.real.com/cgi-bin/unixplayer/showthreaded.pl?Cat=&Board=install2&Number=4513

The following link goes into a bit more depth surrounding the problem, and includes some proof of concept exploit code, should you find it necessary:

http://spoofed.org/files/rp9-priv-esc.c

Please note that because RealOne Player is currently available only for x86 Linux variants, only x86 Linux systems with RealOne Player installed are impacted by this bug.

Cheers,

-jon
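
Added example, not part of the original advisory: a shell audit an administrator could run to find per-user `.realnetworks` entries that are writable by group or others, and to remove that access. The function names, the `/home` layout, the sample file name and the mode 664 used in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Audit per-user RealOne config directories for group/other write access.

# list_loose_entries DIR...: print every file or directory under each DIR
# that is writable by group (020) or by others (002). Symlinks are skipped
# because their own mode bits are not meaningful.
list_loose_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print
    done
}

# tighten_entries DIR...: strip all group/other permissions below each DIR.
# Narrower than the advisory's chmod 700: the owner bits are left unchanged.
tighten_entries() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        chmod -R go-rwx "$dir"
    done
}

# demo: build a constructed tree that mimics a group-writable install,
# audit it, tighten it, and audit again (the second listing is empty).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/alice/.realnetworks"
    : > "$tmp/alice/.realnetworks/sample_config"   # constructed file name
    chmod 775 "$tmp/alice/.realnetworks"
    chmod 664 "$tmp/alice/.realnetworks/sample_config"   # assumed mode
    echo "before:"; list_loose_entries "$tmp"/*/.realnetworks
    tighten_entries "$tmp"/*/.realnetworks
    echo "after:";  list_loose_entries "$tmp"/*/.realnetworks
    rm -rf "$tmp"
}

# Real use (assumes home directories live under /home):
#   list_loose_entries /home/*/.realnetworks
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Running the audit as root covers every user; an unprivileged user can still run it against their own `~/.realnetworks`.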


Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html