RealPlayer ActiveX Control Memory Corruption Bug May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1019576
SecurityTracker URL: http://securitytracker.com/id?1019576
CVE Reference: CVE-2008-1309
Updated: Mar 19 2008
Original Entry Date: Mar 11 2008
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): rmoc3260.dll version 6.0.10.45
Description: A vulnerability was reported in RealPlayer. A remote user may be able to cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in 'rmoc3260.dll' and potentially execute arbitrary code on the target system. The code will run with the privileges of the target user.
The CLSIDs of the vulnerable control are: 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93, CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA
Elazar Broad reported this vulnerability.
Impact: A remote user can create HTML that, when loaded by the target user, may execute arbitrary code on the target user's system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.real.com/
Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: "Elazar Broad" <elazar@hushmail.com>
Message History: None.
Source Message Contents
Date: Mon, 10 Mar 2008 05:50:57 +0000
From: "Elazar Broad" <elazar@hushmail.com>
Subject: [Full-disclosure] Real Networks RealPlayer ActiveX Control Heap
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Who:
Real Networks
http://www.real.com
What:
Real Networks Real Player is a popular media player.
How:
Real Player utilizes an ActiveX control to play content within the
user's browser.
rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
It is possible to modify heap blocks after they are freed and
overwrite certain registers, possibly allowing code execution. Like
so:
- ------------
var buf = '';
while (buf.length < 1005) buf = buf + 'A';
m = obj.Console;
obj.Console = buf;
obj.Console = m
//repeat
m = obj.Console;
obj.Console = buf;
obj.Console = m; // --> Should crash here
- -------------
Workaround:
Set the killbit for this control. See
http://support.microsoft.com/kb/240797
Fix:
No official fix known
Exploit:
Working on it
Elazar
|
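The workaround given in the message above is to set the kill bit for the control. As an added example (not part of the advisory or of the original post), the PowerShell script below reports whether the kill bit is set for the two CLSIDs listed in this entry and sets it when run elevated with `-Apply`. The `-Apply` switch and the helper name `Get-CompatFlags` are this example's own; the registry location and the 0x400 flag are the ones documented in KB240797.

```powershell
# Added example (not from the advisory): audit or set the IE kill bit for the
# two CLSIDs listed in this entry. Run elevated; pass -Apply to write changes.
param([switch]$Apply)

$KillBit = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE
$Clsids  = @(
    '{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
    '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'
)
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$KeyPath) {
    # Returns the current flags, or $null when the key or value does not exist.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

foreach ($root in $Roots) {
    # Skip a registry view whose Internet Explorer key is absent (32-bit Windows).
    if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = Get-CompatFlags $key
        $set   = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)

        if (-not $set -and $Apply) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so any other compatibility flags already present survive.
            $new = if ($null -eq $flags) { $KillBit } else { $flags -bor $KillBit }
            New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -PropertyType DWord -Value $new -Force | Out-Null
            $flags = $new; $set = $true
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = if ($null -eq $flags) { '(not present)' } else { '0x{0:X8}' -f $flags }
            KillBit = $set
        }
    }
}
```

Without `-Apply` the script only reads, so it can be used as a fleet audit; a row with `KillBit` false means the control can still be instantiated in that registry view.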