RealPlayer Enterprise MP3, RAM, RealText and AVI Processing Bugs Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1014279
SecurityTracker URL: http://securitytracker.com/id/1014279
CVE Reference: CAN-2005-1766
Date: Jun 23 2005
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.1, 1.2, 1.5, 1.6 and 1.7

Description:
Several vulnerabilities were reported in RealPlayer Enterprise. A remote user can execute arbitrary code or create files on the target user's system.
A remote user can create a specially crafted MP3 or RAM file that, when loaded by the target user, will overwrite local files or invoke an ActiveX control on the target user's system.
A remote user can create a RealMedia file containing specially crafted RealText that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target user's system.
A remote user can create a specially crafted AVI file to trigger a buffer overflow and execute arbitrary code on the target user's system.
A remote user can create HTML that, when loaded by the target user, will create an HTML file on the target user's system and then invoke an RM file that references the local HTML file.
The vendor credits John Heasman of NGS Software, iDEFENSE Labs, and eEye Digital Security with reporting these vulnerabilities.

Impact:
A remote user can execute arbitrary code on the target user's system with the privileges of the target user.
A remote user can create files on the target user's system.

Solution:
The vendor has issued a fix with the following updated DLLs.
rtff3260.dll http://docs.real.com/docs/enterprise/rtff3260.dll
vidp3260.dll http://docs.real.com/docs/enterprise/vidp3260.dll
rcap3260.dll http://docs.real.com/docs/enterprise/rcap3260.dll
chia3260.dll http://docs.real.com/docs/enterprise/chia3260.dll
The vendor indicates that you should copy these files into the \Program Files\Common\Real\Common directory of an existing RPEM/RDM install.

Vendor URL: www.service.real.com/help/faq/security/security062305.html
Cause: Access control error, Boundary error
Underlying OS: Windows (Any)

Source Message Contents

Date: Thu, 23 Jun 2005 16:06:45 -0400
Subject: http://www.service.real.com/help/faq/security/security062305.html

> * Exploit 1: To fashion a malicious MP3 file RAM file to allow the overwriting
> of a local file or execution of an ActiveX control on a customer's machine.
> * Exploit 2: To fashion a malicious RealMedia file which uses RealText to cause
> a heap overflow which could allow an attacker to execute arbitrary code on a
> customer's machine.
> * Exploit 3: To fashion a malicious AVI file to cause a buffer overflow which
> could have allowed an attacker to execute arbitrary code on a customer's machine.
> * Exploit 4: Using default settings of earlier Internet Explorer browsers, a
> malicious website could cause a local HTML file to be created and then trigger an RM
> file to play which would then reference this local HTML file.
> RealNetworks would like to acknowledge John Heasman of NGS Software, iDEFENSE Labs,
> and eEye Digital Security for bringing these exploits to our attention as well as
> those who subsequently worked with RealNetworks to correct the vulnerabilities.