Bugtraq mailing list archives


RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)


From: "NGSSoftware Insight Security Research" <nisr () nextgenss com>
Date: Wed, 19 Jan 2005 17:01:56 -0000

NGSSoftware Insight Security Research Advisory

Name: RealPlayer Miscellaneous Vulnerabilities
Systems Affected: RealPlayer 10.5 (6.0.12.1040) and older
Severity: Low/Medium
Vendor URL: http://www.real.com/
Author: John Heasman [ john () ngssoftware com ]
Date of Public Advisory: 19th January 2004
Advisory number: #NISR19012005g
Advisory URL: http://www.ngssoftware.com/advisories/real-03full.txt
Reference: http://www.ngssoftware.com/advisories/real-01.txt

Description
***********

Two vulnerabilities have been discovered in RealPlayer which may
potentially be leveraged to allow remote code execution, or may be used in
combination with the Real Metadata Package File Deletion vulnerability to
reliably delete files from a user's system.

The first is an off-by-one vulnerability in the processing of tags in the
Real Metadata Package files. If an overly long tag is supplied, the null
byte terminating the string is written over the highest-order byte of the
saved base pointer. This will cause the instruction pointer to be read
from this buffer when the function returns.

Investigation of this issue showed that the buffer from which the
instruction pointer was being read did not appear to be under user control
at any point in the tested scenarios; however, due to the nature of the
vulnerability it is important that this is not regarded as an
impossibility.

The second flaw is in the way RealPlayer Skin file names are parsed when
the files are opened by RealPlayer. If URL-encoded traversal sequences are
included in the RJS filename, RealPlayer will save the RJS file in the
'skins' folder without decoding the filename, but when it attempts to open
the file it will decode the filename, and as such can be made to read an
arbitrary file from the disk.

It does not seem possible to write arbitrary content to the system through
the use of this flaw. It may, however, be possible to use it to determine
the existence of files on the local system, and as such it could be
combined with the Real Metadata Package File Deletion flaw to reliably
delete files from a user's system.

Details
*******

RealPlayer supports a proprietary package delivery file type, aptly named
Real Metadata Packages. These files contain an HTML-style language which
carries information and resource URLs for various packages and extensions
to RealPlayer.

One of the supported tags within the RMP file type is the <FILENAME> tag.
This is designed to point to a relative file which is to be downloaded.
If the file which is to be downloaded already exists on the system, it
will delete this file without warning.

It is also possible to insert directory traversal character sequences in
the file name to break out of the download directory, and to point to any
existing file on the system.

Before the deletion takes place, RealPlayer ensures that the file
extension is among those listed in the formats.ini file located at:

C:\Program Files\Real\RealPlayer\DataCache\Formats\formats.ini

It is possible to bypass this file extension check in the following manner
due to a weakness in the file extension validation process:

<FILENAME>../../../../../windows/system32/notepad.exe?.mp3</FILENAME>

Fix Information
***************

RealNetworks have released an update for these issues which can be
downloaded from:

http://service.real.com/help/faq/security/040928_player/EN/

A check for this vulnerability has been added to Typhon III, NGSSoftware's
advanced vulnerability assessment scanner. For more information please
visit the NGSSoftware website at

http://www.ngssoftware.com/

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware
have offices in the South of London and the East Coast of Scotland.
NGSSoftware's sister company NGSConsulting offers best-of-breed security
consulting services, specialising in application, host and network
security assessments.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries () ngssoftware com
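The two parsing mistakes described in the Details section above (an extension check applied to the raw tag text, so that a "?.mp3" suffix passes, and a filename that is stored un-decoded but URL-decoded before it is opened) share one root cause: the string is validated in a different form from the one in which it is used. The following is an added illustration, written for this archive page and not code from the advisory, NGSSoftware or RealNetworks. It places a validator modelled on the failing check beside a hardened one that canonicalises first (percent-decodes until stable, discards any "?" or "#" suffix, resolves against the download root) and then applies the containment and extension checks to that single canonical path, which is also the path that should be used for the save and the open. The allowed-extension set, the download root and every sample filename are constructed for the example; only the notepad.exe?.mp3 value is taken from the advisory.

```python
"""Download-path validation: weak check beside a hardened one.

Added example, not from the advisory or from any RealPlayer code. The
extension list, download root and sample inputs are constructed.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed stand-in for the entries a formats.ini-style allow-list would carry.
ALLOWED_EXTENSIONS = {".mp3", ".rm", ".ram", ".rjs"}


def weak_extension_check(filename: str) -> bool:
    """Models the failing validation: approve if the RAW tag text ends in an
    allowed extension. Never decodes or canonicalises, so a '?.mp3' suffix or a
    percent-encoded traversal passes straight through."""
    return any(filename.lower().endswith(ext) for ext in ALLOWED_EXTENSIONS)


def canonical_download_path(filename: str, download_root: str) -> Optional[str]:
    """Hardened validation. Returns the canonical absolute path the caller must
    use for BOTH saving and opening, or None if the name is rejected."""
    # 1. Percent-decode until the string stops changing, so double encoding
    #    (%252e -> %2e -> .) cannot hide a traversal from the later checks.
    decoded = filename
    for _ in range(5):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None  # still changing after five rounds: treat as hostile

    # 2. A file name never legitimately carries a query or fragment; drop it so
    #    the extension check sees the real file, not the suffix after '?'.
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]

    # 3. Reject embedded NULs, the Windows separator and absolute paths outright.
    if "\x00" in decoded or "\\" in decoded or posixpath.isabs(decoded):
        return None

    # 4. Resolve against the download root and require the result to stay inside it.
    root = posixpath.normpath(download_root)
    joined = posixpath.normpath(posixpath.join(root, decoded))
    if joined == root or not joined.startswith(root + "/"):
        return None

    # 5. Only now check the extension, on the canonical path.
    ext = posixpath.splitext(joined)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return joined


if __name__ == "__main__":
    root = "/opt/realplayer/skins"  # constructed download directory
    samples = [
        "../../../../../windows/system32/notepad.exe?.mp3",  # from the advisory
        "%2e%2e%2f%2e%2e%2fsecret.rjs",                      # constructed, encoded traversal
        "%252e%252e/x.mp3",                                  # constructed, double-encoded
        "theme.rjs",                                         # constructed, benign
        "sub/clip.mp3",                                      # constructed, benign subfolder
        "clip.exe",                                          # constructed, wrong extension
    ]
    for name in samples:
        print(f"{name!r:55} weak={weak_extension_check(name)!s:5} "
              f"hardened={canonical_download_path(name, root)}")
```

The weak check approves the first two samples because the raw string happens to end in an allowed extension; the hardened check rejects all three traversal attempts, the executable, and anything whose decoded form escapes the root, while still accepting the two benign names. Keeping a single canonical path for the extension check, the save and the open is what removes the check/use mismatch the advisory describes for RJS files.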
