BugTraq
RealNetworks fails to address Cross-Site Scripting in RealOne Player Jan 07 2004 03:14AM
Arman Nayyeri (arman-n Phreaker net)


RealNetworks fails to address Cross-Site Scripting in RealOne Player

====================================================================

Title: RealNetworks fails to address Cross-Site Scripting in RealOne

Date: Tuesday, January 06, 2004

Software: RealOne Player

Vendor: RealNetworks

Patch: N/A

Author: Arman Nayyeri, arman-n[at]Phreaker[dot]net

Description:

============

The security update August 19 ,2003 fails to address the Cross-Site

scripting vulnerability that has been founded later in .SMI file in

RealOne player.

First time, when I research about SMI files in realone I test javascript:

protocol and I wonder that how this simple vulnerability exists in

realone, but when I search the web I see that this vulnerability has

already been discovered. So I download the latest version of realone

and work on it, and after an hour, I have an exploit that works perfect

in the new realone player.

I replace javascript: with file:javascript: in the SMI file.(heh!)

I don't know how RealNetworks say:

"all security vulnerabilities are taken very seriously by RealNetworks"

I'm waiting for the next patch to come and have some fun!

I don't want to annoy realnetworks but it's funny that their

vulnerabilities will never exploited and used for attacks, because

RealNetworks keep sayin':

"While we have not received reports of anyone actually being attacked

with this exploit"

so,I recommend attack with my exploit (AT YOUR OWN RISK!) to your friend

and say to he/she to report this attack to realnetworks to see what

realnetworks will write!

ok, back to business;

we see that realone easily allow file:javascript: to be executed in

the security zone of last page that you loaded into it, that can be

"My Computer" or "Local Intranet" zone too.

Exploit:

========

I use RealNetworks firstrun.smi as a template for my work and use jelmer's

adodb.stream for executing of exe file! as easy as this!

but there is so much problems for me to make the exploit to work!

because when I use file: before javascript: this things happens:

1.we can't use """ and "<" and ">" because of SMI file TAGs

2.in URL all spaces become %20 and prevent script to be executed correctly

3.in URL all "/"s become "\"s

4.we can't directly use "file:javascript:[JSCODE]" because of last two

problems

so I use "file:javascript:document.write('[JSCODE]')".

and translate all of the above bad characters to "\u[unicode]",

and also our URL that contains jscode must be less that 512(almost) bytes.

I load res: and then "file:javascript:document.write('[adodb.stream code]')".

this is the exploit that I provided (harmless .exe):

http://www.freewebs.com/arman2/arealexploit.htm

and also there is a zip file that contains the SMI file, if you want to

know what code is in .SMI!

and also this exploit will work even if active scripting is disabled!

and sorry for my bad english!

Exploit Tested On

=================

RealOne Player (win32)

Version 2.0

Helix Powered

Build 6.0.11.868

And also work on

RealOne Player (win32)

Version 1.0

Special Thanks

==============

Jelmer said:

"I am pretty sure there are still some *very serious* issues out there

with a few leading apps, like

sun java

winamp

realplayer

and probably icq"

as you can see, realplayer is one of them!

next one, likely winamp!(5.0 with many new capabilities!WOW!)

Do I discover more vulnerabilities?

===================================

[STILL] YOU AIN'T SEEN NOTHING YET!

Disclaimer:

===========

Arman Nayyeri is not responsible for the misuse of the information

provided in this advisory. The opinions expressed are my own and not of

any company. In no event shall the author be liable for any damages

whatsoever arising out of or in connection with the use or spread of this

advisory. Any use of the information is at the user's own risk.

~~~~~~~~~~~~~~

Arman Nayyeri

MCP, MCSA 2000, MCSE 2000

Iran

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus