VARIoT IoT vulnerabilities database

VAR-201012-0254 | CVE-2010-4377 | RealNetworks RealPlayer Cook Audio Codec heap-based buffer overflow vulnerability
CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code by specifying many subbands in cook audio codec information in a Real Audio file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file. The specific flaw exists in the parsing of audio codec information encapsulated in a Real Audio media file. By specifying a large number of subbands an allocated heap chunk can be overflown. Successful exploitation can result in system compromise under the credentials of the currently logged in user.
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.1.5 and prior, Mac RealPlayer 12.0.0.1444 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
ZDI-10-272: RealNetworks RealPlayer Cook Audio Codec Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-272
December 10, 2010
-- CVE ID:
CVE-2010-4377
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8454.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0253 | CVE-2010-4376 | RealNetworks RealPlayer RTSP GIF parsing heap-based buffer overflow vulnerability
CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a large Screen Width value in the Screen Descriptor header of a GIF87a file in an RTSP stream. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file. The specific flaw exists in the parsing of GIF87a files over the streaming protocol RTSP. When a large Screen Width size is specified in the Screen Descriptor header, the calculation of the destination heap chunk's size is not properly checked for overflow. This leads to a smaller buffer being allocated and subsequently a heap overflow when processing the received data. Exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user.
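As an added illustration of the bug class described above (this is not RealPlayer's code nor code from any of the advisories), the following C program parses a GIF87a Screen Descriptor and contrasts a 32-bit frame-size computation that wraps for large Screen Width/Height values with a checked version that bounds the size before it reaches the allocator. The width * height * 4 size formula, the 64 MiB cap and the two sample headers are assumptions constructed for the example.

```c
/* Added illustration of the CVE-2010-4376 bug class: an allocation size
 * derived from the GIF87a Screen Descriptor's width/height that wraps when
 * computed in 32 bits, beside a checked version. Not RealPlayer's code; the
 * size formula (width * height * 4) and the 64 MiB cap are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define GIF_HEADER_LEN   13u          /* "GIF87a" + Logical Screen Descriptor */
#define BYTES_PER_PIXEL  4u           /* assumed: frame rendered as 32-bit RGBA */
#define MAX_FRAME_BYTES  (64u << 20)  /* assumed policy cap on one frame: 64 MiB */

/* Constructed sample headers (not captured from any real file). Layout:
 * bytes 0-5 "GIF87a", 6-7 width LE16, 8-9 height LE16, 10 flags, 11 bg, 12 aspect. */
static const uint8_t BENIGN_HDR[GIF_HEADER_LEN] =
    { 'G','I','F','8','7','a', 0x40,0x01, 0xC8,0x00, 0x00, 0x00, 0x00 }; /* 320 x 200 */
static const uint8_t HOSTILE_HDR[GIF_HEADER_LEN] =
    { 'G','I','F','8','7','a', 0x00,0x80, 0x00,0x80, 0x00, 0x00, 0x00 }; /* 32768 x 32768 */

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the Screen Descriptor. Returns 0 on success, -1 on short input or bad magic. */
int gif87a_parse_screen_descriptor(const uint8_t *buf, size_t len,
                                   uint16_t *width, uint16_t *height)
{
    if (len < GIF_HEADER_LEN || memcmp(buf, "GIF87a", 6) != 0)
        return -1;
    *width  = rd_le16(buf + 6);
    *height = rd_le16(buf + 8);
    return 0;
}

/* The flawed pattern: width * 4 * height evaluated in uint32_t with no wrap
 * check. 32768 x 32768 x 4 is exactly 2^32, so the product wraps to 0 and a
 * decoder that trusted it would allocate a tiny buffer for a huge frame. */
uint32_t frame_bytes_unchecked(uint16_t width, uint16_t height)
{
    uint32_t stride = (uint32_t)width * BYTES_PER_PIXEL;  /* at most 2^18, no wrap */
    return stride * (uint32_t)height;                      /* up to ~2^34: wraps */
}

/* Hardened: widen to 64 bits before multiplying (two 16-bit values times a
 * small constant cannot reach 2^64), reject zero dimensions, and enforce an
 * explicit cap so the result is bounded before it reaches the allocator.
 * Returns 0 and writes *out on success, -1 when the size is rejected. */
int frame_bytes_checked(uint16_t width, uint16_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    uint64_t total = (uint64_t)width * BYTES_PER_PIXEL * (uint64_t)height;
    if (total > MAX_FRAME_BYTES)
        return -1;
    *out = (size_t)total;   /* safe: total <= MAX_FRAME_BYTES fits in size_t */
    return 0;
}

/* Defensive entry point: parse the header and return the checked frame size,
 * or 0 if the header is malformed or the frame is rejected. */
size_t frame_bytes_from_header(const uint8_t *buf, size_t len)
{
    uint16_t w, h;
    size_t n;
    if (gif87a_parse_screen_descriptor(buf, len, &w, &h) != 0)
        return 0;
    if (frame_bytes_checked(w, h, &n) != 0)
        return 0;
    return n;
}

int main(void)
{
    const uint8_t *hdrs[2] = { BENIGN_HDR, HOSTILE_HDR };
    for (int i = 0; i < 2; i++) {
        uint16_t w = 0, h = 0;
        gif87a_parse_screen_descriptor(hdrs[i], GIF_HEADER_LEN, &w, &h);
        size_t n = frame_bytes_from_header(hdrs[i], GIF_HEADER_LEN);
        printf("%5u x %5u: unchecked=%10lu bytes, checked=%s\n",
               (unsigned)w, (unsigned)h,
               (unsigned long)frame_bytes_unchecked(w, h),
               n ? "accepted" : "rejected");
        if (n) {
            uint8_t *frame = calloc(n, 1);  /* allocate only for an accepted size */
            free(frame);
        }
    }
    return 0;
}
```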
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.1.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
ZDI-10-271: RealNetworks RealPlayer RTSP GIF Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-271
December 10, 2010
-- CVE ID:
CVE-2010-4376
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8308.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
VAR-201012-0252 | CVE-2010-4375 | RealNetworks RealPlayer multi-rate audio heap-based buffer overflow vulnerability
CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code via malformed multi-rate data in an audio stream. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when parsing a RealMedia file containing a malformed multi-rate audio stream. The application explicitly trusts two 16-bit values in this data structure which are then used to calculate the size used for an allocation.
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer 11.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more.
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
ZDI-10-266: RealNetworks RealPlayer Multi-Rate Audio Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-266
December 10, 2010
-- CVE ID:
CVE-2010-4375
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8441.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-04-15 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
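The heap overflow this record describes (a subband count taken from the codec information driving writes into a heap chunk) and the integer-overflow items 7, 9 and 17 in the Secunia list above are instances of one bug class: a count read from the file both sizes a buffer and bounds a loop, with no check against what the decoder supports or what the input actually contains. The C example below is added here to illustrate that class beside its fix. It is not RealPlayer code; the record layout (a 32-bit big-endian subband count followed by 16-bit coefficients), the MAX_SUBBANDS cap and the sample records are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for this example (not RealAudio's real codec-info
 * layout): a 4-byte big-endian subband count, then one big-endian 16-bit
 * coefficient per subband. */
#define COEF_BYTES   2u
#define MAX_SUBBANDS 128u   /* assumed decoder limit; the real one is not on the page */

enum { PARSE_OK = 0, PARSE_ERR_SHORT = -1, PARSE_ERR_COUNT = -2, PARSE_ERR_OVERFLOW = -3 };

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern, shown for contrast only: the file-supplied count sizes
 * the heap chunk through 32-bit arithmetic that can wrap, then bounds the copy
 * loop, and the input length is never compared against it. With count =
 * 0x80000001, count * 2 wraps to 2, malloc() hands back a 2-byte chunk and the
 * loop writes far past it. Never call this on untrusted data. */
int parse_subbands_unsafe(const uint8_t *buf, size_t len, uint16_t **out, uint32_t *n_out) {
    if (len < 4) return PARSE_ERR_SHORT;
    uint32_t count = rd32be(buf);
    uint32_t alloc = count * COEF_BYTES;          /* may wrap */
    uint16_t *coefs = malloc(alloc);              /* possibly tiny */
    if (coefs == NULL) return PARSE_ERR_SHORT;
    for (uint32_t i = 0; i < count; i++)          /* heap overflow once alloc wrapped */
        coefs[i] = rd16be(buf + 4 + (size_t)i * COEF_BYTES);
    *out = coefs;
    *n_out = count;
    return PARSE_OK;
}

/* Hardened version: cap the count at what the decoder supports, multiply with
 * an explicit overflow check, and require the input to actually contain the
 * promised bytes before reading any of them. */
int parse_subbands_safe(const uint8_t *buf, size_t len, uint16_t **out, uint32_t *n_out) {
    *out = NULL;
    *n_out = 0;
    if (len < 4) return PARSE_ERR_SHORT;
    uint32_t count = rd32be(buf);
    if (count == 0 || count > MAX_SUBBANDS) return PARSE_ERR_COUNT;
    if (count > SIZE_MAX / COEF_BYTES) return PARSE_ERR_OVERFLOW; /* general pattern; unreachable after the cap */
    size_t need = (size_t)count * COEF_BYTES;
    if (len - 4 < need) return PARSE_ERR_SHORT;
    uint16_t *coefs = calloc(count, sizeof *coefs);
    if (coefs == NULL) return PARSE_ERR_SHORT;
    for (uint32_t i = 0; i < count; i++)
        coefs[i] = rd16be(buf + 4 + (size_t)i * COEF_BYTES);
    *out = coefs;
    *n_out = count;
    return PARSE_OK;
}

/* Constructed sample records. */
static const uint8_t REC_GOOD[]  = { 0,0,0,3,  0,1, 0,2, 0,3 };   /* 3 subbands, all present */
static const uint8_t REC_HUGE[]  = { 0x80,0,0,1,  0,1 };          /* count*2 wraps to 2 in uint32 */
static const uint8_t REC_SHORT[] = { 0,0,0,5,  0,1, 0,2 };        /* promises 5, carries 2 */

/* Status code of the hardened parser for a record; frees whatever it allocated. */
int safe_status(const uint8_t *rec, size_t len) {
    uint16_t *coefs; uint32_t n;
    int rc = parse_subbands_safe(rec, len, &coefs, &n);
    free(coefs);
    return rc;
}

/* Last coefficient of REC_GOOD as seen by the hardened parser (-1 on failure). */
int safe_last_coef_good(void) {
    uint16_t *coefs; uint32_t n;
    if (parse_subbands_safe(REC_GOOD, sizeof REC_GOOD, &coefs, &n) != PARSE_OK) return -1;
    int v = (n == 3) ? coefs[n - 1] : -1;
    free(coefs);
    return v;
}

int main(void) {
    printf("good:  %d (last coef %d)\n", safe_status(REC_GOOD, sizeof REC_GOOD), safe_last_coef_good());
    printf("huge:  %d\n", safe_status(REC_HUGE, sizeof REC_HUGE));
    printf("short: %d\n", safe_status(REC_SHORT, sizeof REC_SHORT));
    return 0;
}
```

The three checks in the hardened parser map onto the three advisory descriptions: the cap covers "a large number of subbands", the overflow check covers the integer-overflow items, and the length comparison stops the parser from reading past the record even when the count itself looks plausible.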
VAR-201012-0248 | CVE-2010-4387 | RealNetworks RealPlayer RealAudio codec arbitrary code execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The RealAudio codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted audio stream in a RealMedia file. Real Networks RealPlayer is prone to a memory-corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.1.4 and prior, Mac RealPlayer 12.0.0.1379 and prior, and Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
I. BACKGROUND
RealPlayer is RealNetworks's media player product used to render video
and other media. For more information, visit http://www.real.com/.
II. DESCRIPTION
The vulnerability specifically exists in the way RealPlayer handles
specially crafted RealMedia files using the RealAudio codec.
III. ANALYSIS
To exploit this vulnerability, an attacker must persuade a victim into
using RealPlayer to open a specially crafted media file. This could be
accomplished by either a direct link or a reference from a website
under the attacker's control. An attacker could host a Web page
containing a malformed file. Alternatively, a malicious media file
could be attached to an e-mail.
IV. DETECTION
V. WORKAROUND
iDefense is currently unaware of any workaround for this issue.
VI. VENDOR RESPONSE
RealNetworks has released a patch which addresses this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.
http://service.real.com/realplayer/security/12102010_player/en/
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-4387 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
05/12/2010 Initial Contact
05/12/2010 Initial Response
12/10/2010 Coordinated public disclosure
IX. CREDIT
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information
VAR-201012-0245 | CVE-2010-4384 | RealNetworks RealPlayer RealMedia Media Properties Header arbitrary code execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Array index error in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code via a malformed Media Properties Header (aka MDPR) in a RealMedia file. The application explicitly trusts an index in this data structure which is used to seek into an array of objects. If an attacker can allocate controlled data at some point after this array, an attacker can then get their fabricated object to get called leading to code execution under the context of the current user. Real Networks RealPlayer is prone to a memory-corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer 11.1 and prior, RealPlayer Enterprise 2.1.2 and prior, Mac RealPlayer 11.0.1.949 and prior, and Linux RealPlayer 11.0.2.1744 and prior.
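The record above describes an index in the Media Properties Header being trusted and used to seek into an array of objects, so that an out-of-range value makes the player call through a fabricated object. The C example below is added here to show that bug class beside its fix. It is not RealPlayer code; the record layout (a 16-bit big-endian stream index and a 16-bit payload length), the two-entry handler table and the sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a media-properties record (not RealMedia's real
 * MDPR layout): a 16-bit big-endian stream index selecting a handler, a
 * 16-bit big-endian payload length, then the payload. */

typedef struct stream_handler {
    const char *name;
    int (*process)(const struct stream_handler *self, const uint8_t *payload, size_t len);
} stream_handler_t;

static int process_audio(const stream_handler_t *self, const uint8_t *payload, size_t len) {
    (void)self; (void)payload;
    return (int)len + 100;            /* stand-in result: 100 + payload length */
}
static int process_video(const stream_handler_t *self, const uint8_t *payload, size_t len) {
    (void)self; (void)payload;
    return (int)len + 200;            /* stand-in result: 200 + payload length */
}

/* The object table the file-supplied index seeks into. */
static const stream_handler_t HANDLERS[] = {
    { "audio", process_audio },
    { "video", process_video },
};
#define NUM_HANDLERS (sizeof HANDLERS / sizeof HANDLERS[0])

enum { DISPATCH_ERR_SHORT = -1, DISPATCH_ERR_INDEX = -2 };

static uint16_t rd16be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern, shown for contrast only: the index is trusted and used
 * to seek into HANDLERS. Any value >= NUM_HANDLERS reads a "handler" out of
 * whatever memory follows the table; if an attacker has placed controlled
 * data there, the function pointer it yields (and the call through it) is
 * theirs. The payload length is trusted as well. Never run on untrusted data. */
int dispatch_unsafe(const uint8_t *rec, size_t len) {
    if (len < 4) return DISPATCH_ERR_SHORT;
    uint16_t idx  = rd16be(rec);
    uint16_t plen = rd16be(rec + 2);
    const stream_handler_t *h = &HANDLERS[idx];   /* no bounds check */
    return h->process(h, rec + 4, plen);          /* no length check */
}

/* Hardened version: reject the record unless the index names an entry that
 * exists and the payload length fits inside the buffer we were given. */
int dispatch_safe(const uint8_t *rec, size_t len) {
    if (len < 4) return DISPATCH_ERR_SHORT;
    uint16_t idx  = rd16be(rec);
    uint16_t plen = rd16be(rec + 2);
    if (idx >= NUM_HANDLERS) return DISPATCH_ERR_INDEX;
    if (plen > len - 4) return DISPATCH_ERR_SHORT;
    const stream_handler_t *h = &HANDLERS[idx];
    return h->process(h, rec + 4, plen);
}

/* Constructed sample records. */
static const uint8_t REC_VIDEO[]  = { 0,1,  0,2,  0xAA,0xBB };   /* index 1, 2-byte payload */
static const uint8_t REC_BADIDX[] = { 0,7,  0,0 };               /* index 7: no such handler */
static const uint8_t REC_BADLEN[] = { 0,0,  0,9,  0xAA };        /* claims 9 bytes, carries 1 */

int main(void) {
    printf("video:   %d\n", dispatch_safe(REC_VIDEO,  sizeof REC_VIDEO));
    printf("bad idx: %d\n", dispatch_safe(REC_BADIDX, sizeof REC_BADIDX));
    printf("bad len: %d\n", dispatch_safe(REC_BADLEN, sizeof REC_BADLEN));
    return 0;
}
```

The fix is a single comparison against the table size, which is why this class is usually described as a missing bounds check rather than a memory-safety flaw in the handlers themselves; what makes the unchecked version exploitable is that the array holds objects with function pointers, so an attacker who can shape the memory past the table chooses where the indirect call lands.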
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more.
ZDI-10-268: RealNetworks RealPlayer Media Properties Header Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-268
December 10, 2010
-- CVE ID:
CVE-2010-4384
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6853.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-02-24 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
* Hossein Lotfi
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0244 | CVE-2010-4383 | RealNetworks RealPlayer RA5 heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 12.0.0.1444, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted RA5 file. A heap overflow vulnerability exists in the RA5 handling of RealNetworks RealPlayer. Details of the impact of this vulnerability are unknown.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more.
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen.
15) The vendor credits Chaouki Bekrar, Vupen.
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs.
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201012-0242 | CVE-2010-4381 | RealNetworks RealPlayer AAC heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 allows remote attackers to have an unspecified impact via a crafted AAC file. A heap overflow vulnerability exists in the AAC handling of RealNetworks RealPlayer. Details of the impact of this vulnerability are unknown. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
VAR-201012-0240 | CVE-2010-4379 | RealNetworks RealPlayer SIPR heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted SIPR file. A heap overflow vulnerability exists in the SIPR handling of RealNetworks RealPlayer. Details of the impact of this vulnerability are unknown.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. Remote attackers can use specially crafted SIPR files to cause unspecified effects.
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201012-0224 | CVE-2010-4397 | RealNetworks RealPlayer of pnen3260.dll Module integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in the pnen3260.dll module in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a crafted TIT2 atom in an AAC file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in RealPlayer's pnen3260.dll module while parsing the TIT2 atom within AAC files. The code within this module does not account for a negative size during an allocation and later uses the value as unsigned within a copy loop. Real Networks RealPlayer is prone to an integer-overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
ZDI-10-269: RealNetworks RealPlayer AAC TIT2 Atom Integer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-269
December 10, 2010
-- CVE ID:
CVE-2010-4397
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8279.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
----------------------------------------------------------------------
VAR-201012-0204 | CVE-2010-2579 | RealNetworks RealPlayer of cook Codec arbitrary memory access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 does not properly initialize the number of channels, which allows attackers to obtain unspecified "memory access" via unknown vectors. Real Networks RealPlayer is prone to a memory-access vulnerability. Successful exploits may allow attackers to gain access to sensitive information, cause a denial-of-service condition or memory corruption. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to potentially compromise a
user's system.
======================================================================
6) Time Table
26/02/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-2579 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-14/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
VAR-201012-0015 | CVE-2010-0125 | RealNetworks RealPlayer of AAC Vulnerability in spectral data analysis processing |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen.
15) The vendor credits Chaouki Bekrar, Vupen.
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs.
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to compromise a user's system.
======================================================================
6) Time Table
01/03/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0125 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-15/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
VAR-201012-0017 | CVE-2010-0121 | RealNetworks RealPlayer of cook Vulnerability in codec |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to potentially compromise a
user's system.
======================================================================
6) Time Table
24/02/2010 - Vendor notified.
25/02/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0121 for the vulnerability.
======================================================================
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-9/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
VAR-201012-0368 | No CVE | D-Link DIR Router "bsc_lan.php" Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
D-Link DIR is a series of SOHO wireless routers. The D-Link DIR implementation has an error that allows remote attackers to bypass security restrictions and modify the device configuration. The device does not correctly restrict access to the "bsc_lan.php" script: requests with the "NO_NEED_AUTH" parameter set to "1" and the "AUTH_GROUP" parameter set to "0" can directly access the management interface.
----------------------------------------------------------------------
TITLE:
D-Link DIR Routers "bsc_lan.php" Security Issue
SECUNIA ADVISORY ID:
SA42425
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42425/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42425
RELEASE DATE:
2010-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/42425/#comments
DESCRIPTION:
Craig Heffner has reported a security issue in multiple D-Link DIR
routers, which can be exploited by malicious people to bypass certain
security restrictions and compromise a vulnerable device.
This may be related to vulnerability #5:
SA33692
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Craig Heffner
ORIGINAL ADVISORY:
http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf
VAR-201209-0075 | CVE-2010-5269 | Vulnerability in tbb.dll in Intel Threading Building Blocks that allows privileges to be gained |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in tbb.dll in Intel Threading Building Blocks (TBB) 2.2.013 allows local users to gain privileges via a Trojan horse tbbmalloc.dll file in the current working directory, as demonstrated by a directory that contains a .pbk file. NOTE: some of these details are obtained from third party information. Supplementary information: the vulnerability type has been identified as CWE-426: Untrusted Search Path (http://cwe.mitre.org/data/definitions/426.html). A local user may be able to gain privileges via a Trojan horse tbbmalloc.dll file placed in the current working directory.
----------------------------------------------------------------------
TITLE:
Intel Threading Building Blocks (TBB) Insecure Library Loading
Vulnerability
SECUNIA ADVISORY ID:
SA42506
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42506/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42506
RELEASE DATE:
2010-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/42506/#comments
DESCRIPTION:
A vulnerability has been discovered in Intel Threading Building
Blocks (TBB), which can be exploited by malicious people to
compromise a user's system.
The vulnerability is caused due to the "tbb.dll" loading libraries
(e.g. tbbmalloc.dll) in an insecure manner. This can be exploited to
load arbitrary libraries when an application using this library e.g.
opens a file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 2.2.013. Other versions may
also be affected.
SOLUTION:
Upgrade to version 3.0.4.127.
PROVIDED AND/OR DISCOVERED BY:
Originally reported in a CORE IMPACT exploit module for Adobe Pixel
Bender Toolkit by Core Security Technologies.
Additional information provided by Secunia Research.
ORIGINAL ADVISORY:
http://www.coresecurity.com/content/adobe-pixel-bender-toolkit-tbbmalloc-dll-hijacking-exploit-10-5
VAR-201012-0350 | CVE-2010-3920 | Vulnerability in Epson printer driver installer where access permissions are changed |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The Seiko Epson printer driver installers for LP-S9000 before 4.1.11 and LP-S7100 before 4.1.7, or as downloaded from the vendor between May 2010 and 20101125, set weak permissions for the "C:\Program Files" folder, which might allow local users to bypass intended access restrictions and create or modify arbitrary files and directories. As a result, users that do not have permission to access that folder can gain access to it. According to the developer, printer drivers that were included with the product or downloaded from the developer website from the initial release of May 2010 through November 25, 2010 are affected by this vulnerability. Also, users of Windows Vista and later operating systems are not affected. The Epson LP-S7100 / LP-S9000 is a family of high performance printers. There is a problem with the Epson LP-S7100 / LP-S9000 driver installation that allows local users to gain elevated privileges. Because the default permissions for "C:\Program Files" and its subdirectories are not set correctly (the "Everyone" group is granted Full Control), local users can exploit the vulnerability to overwrite any file in these folders, resulting in elevation of privilege.
Local attackers can exploit this issue to gain elevated privileges on affected devices.
The following driver versions are vulnerable:
LP-S7100 4.1.0fi through 4.1.7fi and 4.1.0hi through 4.1.7hi
LP-S9000 4.1.0fc through 4.1.11fc and 4.1.0hc through 4.1.11hc.
----------------------------------------------------------------------
TITLE:
Epson LP-S7100 / LP-S9000 Drivers Insecure Default Permissions
SECUNIA ADVISORY ID:
SA42540
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42540/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42540
RELEASE DATE:
2010-12-08
DISCUSS ADVISORY:
http://secunia.com/advisories/42540/#comments
DESCRIPTION:
A security issue has been reported in Epson LP-S7100 / LP-S9000
drivers, which can be exploited by malicious, local users to gain
escalated privileges.
The security issue is reported in the following versions:
* LP-S7100 32bit edition versions 4.1.0fi through 4.1.7fi
* LP-S7100 64bit edition versions 4.1.0hi through 4.1.7hi
* LP-S9000 32bit edition versions 4.1.0fc through 4.1.11fc
* LP-S9000 64bit edition versions 4.1.0hc through 4.1.11hc
SOLUTION:
Update to a patched version and reset permissions. Please see the
vendor's advisory for more details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.epson.jp/support/misc/lps7100_9000/index.htm
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-201012-0106 | CVE-2010-4557 | Invensys Wonderware InBatch lm_tcp Service Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the lm_tcp service in Invensys Wonderware InBatch 8.1 and 9.0, as used in Invensys Foxboro I/A Series Batch 8.1 and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted request to port 9001. The lm_tcp service in Invensys Wonderware InBatch and Foxboro I/A Series Batch is vulnerable to a buffer overflow. The database lock manager (lm_tcp) service in Wonderware InBatch and Foxboro I/A Batch can overflow a buffer when copying a string into a 150-byte buffer. The service listens on 9001/tcp. A third party with access to the lm_tcp service may be able to disrupt the service (DoS) or execute arbitrary code. RDM Embedded is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The issue affects the 'lm_tcp' service. Failed exploit attempts may crash the application, denying service to legitimate users.
The issue affects lm_tcp <= 9.0.0 0248.18.0.0; other versions may also be affected. Wonderware InBatch is prone to a denial-of-service vulnerability.
----------------------------------------------------------------------
TITLE:
Wonderware InBatch / Foxboro I/A Series "lm_tcp" Buffer Overflow
Vulnerability
SECUNIA ADVISORY ID:
SA42528
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42528/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42528
RELEASE DATE:
2010-12-24
DISCUSS ADVISORY:
http://secunia.com/advisories/42528/#comments
DESCRIPTION:
A vulnerability has been reported in Wonderware InBatch and Foxboro
I/A Series Batch, which can be exploited by malicious people to cause
a DoS (Denial of Service) and potentially compromise a vulnerable
system. write 16bits with the value 0 (0x0000) to an arbitrary
memory location by sending a specially crafted packet to port 9001.
SOLUTION:
Apply patches when available. See vendor's advisory for possible
mitigation steps.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
Luigi Auriemma:
http://aluigi.altervista.org/adv/inbatch_1-adv.txt
Invensys:
http://iom.invensys.com/EN/Pages/IOM_CyberSecurityUpdates.aspx
----------------------------------------------------------------------
VAR-201012-0213 | CVE-2010-3801 | Apple QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted FlashPix file. User interaction is required in that a user must be coerced into opening up a malicious document or visiting a malicious website. The specific flaw exists within the way the application parses a particular property out of a flashpix file. The application will explicitly trust a field in the property as a length for a loop over an array of data structures. If this field's value is larger than the number of objects, the application will utilize objects outside of this array. Successful exploitation can lead to code execution under the context of the application.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is multimedia playback software developed by Apple. The software can handle multiple sources such as digital video, media segments, and more.
ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-259
December 7, 2010
-- CVE ID:
CVE-2010-3801
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10654.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-06-01 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Damian Put
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Apple Quicktime Memory Corruption when parsing FPX files
CVE-2010-3801
INTRODUCTION
Apple Quicktime is a "powerful media technology that works on Mac and PC with just about
every popular video or audio format you come across. So you can play the digital media
you want to play".
QuickTime Player does not properly parse .fpx media files, which causes memory corruption when
opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49.
This problem was confirmed in the following versions of Apple QuickTime and browsers; other
versions may also be affected.
QuickTime Player version 7.6.8 (1675) in all Operating Systems
QuickTime Player version 7.6.6 (1671) in all Operating Systems
CVSS Scoring System
The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C
TRIGGERING THE PROBLEM
The problem is triggered by PoC repro.fpx, which causes an invalid memory access in all the
referred versions and is available to interested parties only.
DETAILS
Disassembly:
668E2387 F7C7 03000000 TEST EDI,3
668E238D 75 15 JNZ SHORT QuickT_1.668E23A4
668E238F C1E9 02 SHR ECX,2
668E2392 83E2 03 AND EDX,3
668E2395 83F9 08 CMP ECX,8
668E2398 72 2A JB SHORT QuickT_1.668E23C4
668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here
EDI = 0x089A0020
ESI = 0x61626364
(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
VAR-201012-0212 | CVE-2010-3800 | Apple QuickTime Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted PICT file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the application's implementation of a custom compression algorithm. The application trusts a field within a DirectBitsRect structure that is used for an allocation, and later attempts to decompress data into this buffer. Because the value used for the allocation differs from the length of the data being decompressed, a buffer overflow occurs, which can lead to code execution with the privileges of the application.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. The software is capable of handling multiple sources such as digital video, media segments, and more.
More details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-11-05 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Moritz Jodeit of n.runs AG
iDefense Security Advisory 12.07.10
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 07, 2010
I. BACKGROUND
QuickTime is Apple's media player product used to render video and other
media. The PICT file format was developed by Apple Inc. in 1984. PICT
files can contain both object-oriented images and bitmaps. For more
information visit http://www.apple.com/quicktime/
II.
The vulnerability specifically exists in the way specially crafted PICT
image files are handled by the QuickTime PictureViewer.
When processing specially crafted PICT image files, Quicktime
PictureViewer uses a set value from the file to control the length of a
byte swap operation. The byte swap operation is used to convert big
endian data to little endian data. QuickTime fails to validate the
length value properly before using it.
III. To exploit this vulnerability, an
attacker must persuade a victim into using QuickTime to open a
specially crafted PICT picture file. This could be accomplished by
either direct link or referenced from a website under the attacker's
control. An attacker could host a Web page containing a malformed PICT
file. Upon visiting the malicious Web page exploitation would occur and
execution of arbitrary code would be possible. Alternatively a PICT file
could be attached within an e-mail file.
IV.
V. WORKAROUND
iDefense recommends disabling the QuickTime Plugin and altering the
.pct, .pic and .pict filetype associations within the registry.
Disabling the plugin will prevent Web browsers from utilizing QuickTime
Player to view associated media files. Removing the filetype
associations within the registry will prevent QuickTime Player and
Picture Viewer from opening .pct, .pic and .pict files.
VI. VENDOR RESPONSE
Apple Inc. has released patches which addresses this issue. For more
information, consult their advisory at the following URL:
http://support.apple.com/kb/HT4447
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-3800 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
03/31/2010 Initial Vendor Notification
03/31/2010 Initial Vendor Reply
12/07/2010 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Hossein Lotfi (s0lute).
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
VAR-201012-0209 | CVE-2010-3802 | Apple QuickTime Integer sign error vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer signedness error in Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted panorama atom in a QuickTime Virtual Reality (QTVR) movie file. User interaction is required to exploit this vulnerability in that a user must be coerced into visiting a malicious page or opening a malicious file. The specific flaw exists within Apple's support for Panoramic Images and occurs because the application trusts a particular field for the calculation of an offset. Because the field is treated as a signed integer, the calculated offset can produce a pointer outside the bounds of the expected buffer. When this out-of-bounds pointer is used, the application proceeds to write image data to the invalid location. Successful exploitation can lead to code execution under the context of the application.
Successful exploits allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is multimedia playback software developed by Apple. The software can handle multiple sources such as digital video, media segments, and more.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-03-22 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
VAR-201012-0195 | CVE-2010-1508 | Windows Run on Apple QuickTime Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6.9 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Track Header (aka tkhd) atoms. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Quicktime.qts module responsible for parsing media files. While handling 3GP streams, a loop in a function within this module trusts a value taken directly from the media file and uses it during memory copy operations. By supplying a large enough value, this buffer can be overflowed, leading to arbitrary code execution under the context of the user accessing the file.
Successful exploits allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions.
Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a very popular multimedia player. A heap overflow vulnerability exists in QuickTime's handling of Track Header (tkhd) atoms. Viewing a specially crafted video could cause an unexpected application termination or arbitrary code execution.
======================================================================
Secunia Research 08/12/2010
- QuickTime Track Dimensions Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Apple QuickTime 7.6.6 and 7.6.8
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"When you hop aboard QuickTime 7 Player, you're assured of a truly
rich multimedia experience."
Product Link:
http://www.apple.com/quicktime/player/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in QuickTime, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a boundary error when copying track
content based on the track's dimensions and can be exploited to cause
a heap-based buffer overflow.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
Update to version 7.6.9
======================================================================
6) Time Table
04/05/2010 - Vendor notified.
05/05/2010 - Vendor response.
12/10/2010 - Vendor provides status update.
08/12/2010 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-1508 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-72/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT4447
-- Disclosure Timeline:
2010-01-06 - Vulnerability reported to vendor
2010-12-07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Moritz Jodeit of n.runs AG