SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Multimedia)  >   RealPlayer Enterprise Vendors:   RealNetworks
RealPlayer Enterprise MP3, RAM, RealText and AVI Processing Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014279
SecurityTracker URL:  http://securitytracker.com/id/1014279
CVE Reference:   CAN-2005-1766   (Links to External Site)
Date:  Jun 23 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.1, 1.2, 1.5, 1.6 and 1.7
Description:   Several vulnerabilities were reported in RealPlayer Enterprise. A remote user can execute arbitrary code or create files on the target user's system.

A remote user can create a specially crafted MP3 or RAM file that, when loaded by the target user, will overwrite local files or invoke an ActiveX control on the target user's system.

A remote user can create a RealMedia file containing specially crafted RealText that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target user's system.

A remote user can create a specially crafted AVI file to trigger a buffer overflow and execute arbitrary code on the target user's system.

A remote user can create HTML that, when loaded by the target user, will create an HTML file on the target user's system and then invoke a RM file to reference the local HTML file.

The vendor credits John Heasman of NGS Software, iDEFENSE Labs, and eEye Digital Security with reporting these vulnerabilities.

Impact:   A remote user can execute arbitrary code on the target user's system with the privileges of the target user.

A remote user can create files on the target user's system.

Solution:   The vendor has issued a fix with the following updated DLLs.

rtff3260.dll http://docs.real.com/docs/enterprise/rtff3260.dll
vidp3260.dll http://docs.real.com/docs/enterprise/vidp3260.dll
rcap3260.dll http://docs.real.com/docs/enterprise/rcap3260.dll
chia3260.dll http://docs.real.com/docs/enterprise/chia3260.dll

The vendor indicates that you should copy these files into the \Program Files\Common\Real\Common directory of an existing RPEM/RDM install.

Vendor URL:  www.service.real.com/help/faq/security/security062305.html (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:   Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 23 2005 (Red Hat Issues Fix for Helix Player) RealPlayer Enterprise MP3, RAM, RealText and AVI Processing Bugs Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for HelixPlayer.
Jun 23 2005 (Red Hat Issues Fix for RealPlayer) RealPlayer Enterprise MP3, RAM, RealText and AVI Processing Bugs Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for RealPlayer.
Jul 5 2005 (Red Hat Issues Fix) RealPlayer Enterprise MP3, RAM, RealText and AVI Processing Bugs Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux Extras.



 Source Message Contents

Date:  Thu, 23 Jun 2005 16:06:45 -0400
Subject:  http://www.service.real.com/help/faq/security/security062305.html



>     *  Exploit 1: To fashion a malicious MP3 file RAM file to allow the overwriting 
> of a local file or execution of an ActiveX control on a customer's machine.
>     * Exploit 2: To fashion a malicious RealMedia file which uses RealText to cause 
> a heap overflow which could allow an attacker to execute arbitrary code on a 
> customer's machine.
>     * Exploit 3: To fashion a malicious AVI file to cause a buffer overflow which 
> could have allowed an attacker to execute arbitrary code on a customer's machine.
>     * Exploit 4: Using default settings of earlier Internet Explorer browsers, a 
> malicious website could cause a local HTML file to be created and then trigger an RM 
> file to play which would then reference this local HTML file.


> RealNetworks would like to acknowledge John Heasman of NGS Software, iDEFENSE Labs,
> and eEye Digital Security for bringing these exploits to our attention as well as 
> those who subsequently worked with RealNetworks to correct the vulnerabilities.
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC