Date: 15 December 2010
References: ESB-2010.1149
Related Files:
ESB-2010.1124
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.1124.2
A number of vulnerabilities have been identified in RealPlayer
15 December 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: RealPlayer
Publisher: Zero Day Initiative
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-4397 CVE-2010-4396 CVE-2010-4395
CVE-2010-4394 CVE-2010-4392 CVE-2010-4391
CVE-2010-4390 CVE-2010-4389 CVE-2010-4388
CVE-2010-4387 CVE-2010-4386 CVE-2010-4385
CVE-2010-4384 CVE-2010-4383 CVE-2010-4382
CVE-2010-4381 CVE-2010-4380 CVE-2010-4379
CVE-2010-4378 CVE-2010-4377 CVE-2010-4376
CVE-2010-4375 CVE-2010-2999 CVE-2010-2997
CVE-2010-2579 CVE-2010-0125 CVE-2010-0121
Original Bulletin:
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
Comment: This bulletin contains ten (10) Zero Day Initiative security
advisories.
Revision History: December 15 2010: Added CVE references
December 13 2010: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
RealNetworks RealPlayer AAC MLLT Atom Parsing Remote Code Execution Vulnerability
ZDI-10-273: December 10th, 2010
CVE ID
CVE-2010-2999
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 8415. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable
installations of RealNetworks RealPlayer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.
The specific flaw exists when parsing an .AAC file containing a malformed MLLT
atom. The application utilizes a size specified in this data structure for
allocation of a list of objects. To calculate the size for the allocation, the
application will multiply this length by 8. If the multiplication results in a
value greater than 32 bits an integer overflow will occur. When copying data
into this buffer heap corruption will occur which can lead to code execution
under the context of the currently logged in user.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2009-08-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Anonymous
- -------------------------------------------------------------------------------
RealNetworks Realplayer RV20 Stream Parsing Remote Code Execution Vulnerability
ZDI-10-274: December 10th, 2010
CVE ID
CVE-2010-4378
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.
The specific flaw exists within the module responsible for decompressing RV20
video streams. The drv2.dll trusts a value from the file as a length and uses
it within a copy loop that writes to heap memory. By specifying large enough
values, heap memory can be corrupted which can lead to arbitrary code execution
under the context of the user accessing the media file.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-01-06 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Anonymous
- -------------------------------------------------------------------------------
RealNetworks RealPlayer Cross-Zone Scripting Remote Code Execution
Vulnerability
ZDI-10-275: December 10th, 2010
CVE ID
CVE-2010-4396
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10589. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required in that a target must navigate to a malicious page.
The specific flaw exists within the HandleAction method of the RealPlayer
ActiveX control with CLSID FDC7A535-4070-4B92-A0EA-D9994BCC0DC5. The vulnerable
action that can be invoked via this control is NavigateToURL. If NavigateToURL
can be pointed to a controlled file on the user's system, RealPlayer can be
made to execute scripts in the Local Zone. To accomplish this, a malicious
attacker can force a download of a skin file to a predictable location and then
point NavigateToURL at it thus achieving remote code execution under the
context of the user running RealPlayer.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-05-12 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Anonymous
- -------------------------------------------------------------------------------
RealNetworks RealPlayer Upsell.htm getqsval Remote Code Execution Vulnerability
ZDI-10-276: December 10th, 2010
CVE ID
CVE-2010-4388
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10589. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the Upsell.htm component of the RealPlayer
default installation. Due to a failure to properly sanitize user-supplied
input, it is possible for an attacker to inject arbitrary code into the
RealOneActiveXObject process via the getqsval function. This can be abused to
bypass the Local Machine Zone security policy and load unsafe controls.
Successful exploitation of this issue leads to remote code execution under the
context of the RealPlayer application.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-06-30 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Anonymous
- -------------------------------------------------------------------------------
RealNetworks RealPlayer Main.html Remote Code Execution Vulnerability
ZDI-10-277: December 10th, 2010
CVE ID
CVE-2010-4388
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10589. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the Main.html component of the RealPlayer
default installation. Due to a failure to properly sanitize user-supplied input,
it is possible for an attacker to inject arbitrary code into the
RealOneActiveXObject process. This can be abused to bypass the Local Machine
Zone security policy and load unsafe controls. Successful exploitation of this
issue leads to remote code execution under the context of the RealPlayer
application.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-07-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Anonymous
- -------------------------------------------------------------------------------
RealNetworks RealPlayer Custsupport.html Remote Code Execution Vulnerability
ZDI-10-278: December 10th, 2010
CVE ID
CVE-2010-4388
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10589. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the Custsupport.html component of the
RealPlayer default installation. Due to a failure to properly sanitize user-
supplied input, it is possible for an attacker to inject arbitrary code into
the RealOneActiveXObject process. This can be abused to bypass the Local
Machine Zone security policy and load unsafe controls. Successful exploitation
of this issue leads to remote code execution under the context of the
RealPlayer application.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-07-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Anonymous
- -------------------------------------------------------------------------------
RealNetworks RealPlayer Cook Codec Initialization Remote Code Execution
Vulnerability
ZDI-10-279: December 10th, 2010
CVE ID
CVE-2010-4389
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10606. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within how the application parses cook-specific data
used for initialization. The application uses a length taken from that data in a
copy without verifying that it does not exceed the size of the destination
buffer. Successful exploitation can lead to code execution under the context of
the application.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-08-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Damian Put
- -------------------------------------------------------------------------------
RealNetworks RealPlayer ImageMap Remote Code Execution Vulnerability
ZDI-10-280: December 10th, 2010
CVE ID
CVE-2010-4392
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10290. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within how the application decodes data for a
particular mime type within a RealMedia file. When decoding the data used for
rendering, the application will use the length of a string in an addition used
to calculate the size of a buffer. The application will zero-extend it and then
allocate. Due to the addition, the result of the calculation can be greater
than 16-bits, and when the typecast occurs the result will be smaller than
expected. When initializing this buffer, a buffer overflow will occur which can
allow for code execution under the context of the application.
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-08-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Sebastian Apelt & Andreas Schmidt (www.siberas.de)
- -------------------------------------------------------------------------------
RealNetworks RealPlayer RMX Header Remote Code Execution Vulnerability
ZDI-10-281: December 10th, 2010
CVE ID
CVE-2010-4391
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10723. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the application's support for parsing the RMX
file format. When parsing the format, the application explicitly trusts a 32-bit
field in the header when allocating an array. This can cause the buffer to be
under-allocated, which results in a buffer overflow when the array is
initialized. This can lead to code execution under the context of the
application.
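The three arithmetic flaws described in ZDI-10-273 (an entry count multiplied by 8 in 32-bit arithmetic), ZDI-10-280 (a sum truncated to 16 bits) and ZDI-10-281 (a 32-bit header count trusted for an array allocation) share one root cause: the allocation size is derived from a file-supplied integer without checking that the arithmetic fits. The following C example is added here and is not RealNetworks or ZDI code; it reconstructs each unchecked size computation and places the checked version beside it. The element sizes, field widths and the bytes-remaining bound are assumptions drawn from the advisory text, not the real parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Illustrative reconstructions of the unchecked arithmetic (element sizes and
 * field widths are assumptions based on the advisory text, not the real code). */

/* ZDI-10-273 pattern: an entry count from the MLLT atom times 8 bytes per
 * entry, computed in 32 bits. */
static uint32_t unchecked_mllt_size(uint32_t count) {
    return count * 8u;                       /* wraps once count >= 2^29 */
}

/* ZDI-10-280 pattern: a string length plus a fixed overhead, kept in a
 * 16-bit size. */
static uint16_t unchecked_imagemap_size(uint16_t str_len, uint16_t overhead) {
    return (uint16_t)(str_len + overhead);   /* truncates once the sum >= 65536 */
}

/* Checked versions: return the size, or -1 when it cannot be represented. */
static long long checked_mul_size(uint32_t count, uint32_t elem) {
    if (elem != 0 && count > UINT32_MAX / elem) return -1;   /* product would wrap */
    return (long long)count * elem;
}

static long long checked_add_u16(uint16_t a, uint16_t b) {
    uint32_t sum = (uint32_t)a + b;          /* widen before adding */
    return sum > UINT16_MAX ? -1 : (long long)sum;
}

/* ZDI-10-281 pattern: a 32-bit element count read from the RMX header. Even when
 * count * elem does not wrap, a count larger than the remaining file data can
 * back is not a valid allocation request, so bound it by that as well. */
static long long checked_array_bytes(uint32_t count, uint32_t elem, size_t bytes_remaining) {
    long long n = checked_mul_size(count, elem);
    if (n < 0 || (unsigned long long)n > bytes_remaining) return -1;
    return n;
}

int main(void) {
    uint32_t count = 0x20000001u;            /* 536870913 entries */
    printf("MLLT unchecked: %u bytes, checked: %lld\n",
           unchecked_mllt_size(count), checked_mul_size(count, 8u));
    printf("ImageMap unchecked: %u bytes, checked: %lld\n",
           (unsigned)unchecked_imagemap_size(0xFFF0u, 0x20u), checked_add_u16(0xFFF0u, 0x20u));
    printf("RMX count 1000 x 4 with 512 bytes left: %lld\n",
           checked_array_bytes(1000u, 4u, 512));
    return 0;
}
```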
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-08-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
Sebastian Apelt (www.siberas.de)
- -------------------------------------------------------------------------------
RealNetworks RealPlayer RealPix Server Header Parsing Remote Code Execution
Vulnerability
ZDI-10-282: December 10th, 2010
CVE ID
CVE-2010-4394
CVSS Score
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
Affected Vendors
RealNetworks
Affected Products
RealPlayer
TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10717. For further product information on the
TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of RealNetworks RealPlayer. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within RealPlayer's parsing of RealPix files. If such
a file contains an image tag pointing to a remote server, the player will
attempt to fetch the remote file. When parsing the response from the web
server, the process blindly copies the contents of the Server header into a
fixed length heap buffer. If an attacker provides a large enough string,
critical pointers can be overwritten allowing for arbitrary code execution
under the context of the user running the player.
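Added example, not RealNetworks or ZDI code: a minimal HTTP response-head parser that extracts the Server header into a fixed-length heap buffer and rejects values that do not fit, which is the length-versus-capacity check ZDI-10-282 describes as missing (the same comparison is what the copy loops in ZDI-10-274 and ZDI-10-279 lack). The 64-byte buffer capacity, the header layout and the constructed sample response are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define SERVER_VALUE_CAP 64   /* assumed size of the fixed-length heap buffer */
/* Copy len bytes of src into dst (dst_cap bytes) and NUL-terminate; return -1 if
 * it would not fit. The length is attacker-controlled, the capacity is not, so
 * compare them before writing: the check ZDI-10-274, -279 and -282 lack. */
static int bounded_copy(char *dst, size_t dst_cap, const char *src, size_t len) {
    if (dst_cap == 0 || len > dst_cap - 1) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

static int name_eq(const char *a, const char *b, size_t n) {   /* case-insensitive */
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Find a header value in an HTTP/1.x response head. Returns a pointer into resp
 * and the value length via *len, or NULL when the header is absent. */
static const char *find_header(const char *resp, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *line = strstr(resp, "\r\n");              /* skip the status line */
    while (line && line[2] != '\r' && line[2] != '\0') {  /* stop at the blank line */
        line += 2;
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && name_eq(line, name, nlen)) {
            const char *v = line + nlen + 1, *end = line + llen;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(end - v);
            return v;
        }
        line = eol;
    }
    return NULL;
}

/* Copy the Server value into a SERVER_VALUE_CAP-byte heap buffer. Returns the buffer
 * (caller frees) or NULL when the header is missing or too long to fit. */
static char *extract_server_header(const char *resp) {
    size_t len;
    const char *v = find_header(resp, "Server", &len);
    if (!v) return NULL;
    char *buf = malloc(SERVER_VALUE_CAP);
    if (!buf || bounded_copy(buf, SERVER_VALUE_CAP, v, len) != 0) { free(buf); return NULL; }
    return buf;
}

/* Constructed sample input: a response whose Server value is n bytes of 'A'. */
static char *make_response(size_t n) {
    const char *head = "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nServer: ";
    size_t hl = strlen(head);
    char *r = malloc(hl + n + 5);                          /* 5 = "\r\n\r\n" + NUL */
    if (r) { memcpy(r, head, hl); memset(r + hl, 'A', n); memcpy(r + hl + n, "\r\n\r\n", 5); }
    return r;
}
```

A value of SERVER_VALUE_CAP - 1 bytes is the longest accepted; anything longer is refused before any byte is copied.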
Vendor Response
RealNetworks has issued an update to correct this vulnerability. More details
can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
Disclosure Timeline
2010-09-24 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
Credit
This vulnerability was discovered by:
AbdulAziz Hariri
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================