Wednesday, June 27, 2007

[NEWS] RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow
Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.real.com/realplayer.html> RealPlayer is "an application for
playing various media formats, developed by RealNetworks Inc. HelixPlayer
is the open source version of RealPlayer". Synchronized Multimedia
Integration Language (
<http://en.wikipedia.org/wiki/Synchronized_Multimedia_Integration_Language> SMIL) is "a markup language used to specify the use of several multi-media concepts when rendering media. Some such concepts are timing, transitions, and embedding". Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user.

DETAILS

Vulnerable Systems:
* RealNetworks' RealPlayer and HelixPlayer version 10.5-GOLD

Immune Systems:
*

The issue specifically exists in the handling of HH:mm:ss.f time formats
by the 'wallclock' functionality within the code supporting SMIL2. An
excerpt from the code follows.

924 HX_RESULT
925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
926 {
...
957 char buf[10]; /* Flawfinder: ignore */
...
962 while (*pCh)
963 {
...
972 else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' ||
*pCh == 'Z')
973 {
974 // this will find the last +, - or Z... which is
what we want.
975 pTimeZone = pCh;
976 }
...
982 ++pCh;
983 }
...
1101 if (pTimePos)
1102 {
1103 //HH:MM...
....
1133 if (*(pos-1) == ':')
1134 {
....
1148 if (*(pos-1) == '.')
1149 {
1150 // find end.
1151 UINT32 len = 0;
1152 if (pTimeZone)
1153 {
1154 len = pTimeZone - pos;
1155 }
1156 else
1157 {
1158 len = end - pos;
1159 }
1160 strncpy(buf, pos, len); /* Flawfinder: ignore */

The stack buffer is declared to be 10 bytes on line 957. You can see that
it has a comment which will cause the FlawFinder program to ignore this
buffer.

The loop, which begins on line 962, runs through the parameter to the
function looking for characters that denote different sections of the time
format. When it encounters white space, or the +, -, or Z characters it
will record the location for later use. If a time was located and it
contains both a colon and a period the vulnerable code will be reached.

The length of data to copy into the stack buffer is calculated either on
line 1154 or line 1158 depending on whether or not a timezone is present.
Neither calculations take into consideration the constant length of the
'buf' buffer and therefore a stack-based buffer overflow can occur on line
1160. Again, notice that this unsafe use of strncpy() is also marked with
a FlawFinder ignore comment.

Analysis:
Exploitation requires that an attacker persuade a user to supply
RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For
example, this can be accomplished by convincing them to visit a malicious
web page.

The data that is used to overflow the buffer is quite limited in the range
of characters that are allowed. However, given the ease of address space
manipulation within web browsers, exploitation is not substantially
impacted by this limitation.

The RealPlayer plug-in can be referenced within a web browser by using
CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA CLSID.

Workaround:
For Windows systems, setting the kill-bit for the associated CLSID,
despite greatly reducing the media player's functionality, will mitigate
exploitation. It should be noted that the CLSID listed may not be the only
CLSID allowing access to the vulnerable code.

Vendor response:
RealNetworks has addressed this vulnerability by releasing fixed versions
of their software.

RealNetworks has not provided iDefense with any links referring to updated
packages or advisories. Installing the latest version from their web site
will address the vulnerability.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3410>
CVE-2007-3410

Disclosure Timeline:
10/02/2006 - Initial vendor notification
10/03/2006 - Initial vendor response
06/26/2007 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment