CERT-In Advisory CIAD-2010-07
Multiple Security Vulnerabilities in RealNetworks RealPlayer
Original Issue Date: February 08, 2010
Severity Rating: High
Systems Affected
- RealPlayer SP versions 1.x
- RealPlayer versions 11.x
- RealPlayer versions 10.x
- RealPlayer Enterprise
- Mac RealPlayer versions 11.x
- Mac RealPlayer versions 10.x
- Linux RealPlayer versions 11.x
- Linux RealPlayer versions 10.x
- Helix Player versions 11.x
- Helix Player versions 10.x
Overview
Multiple security vulnerabilities have been reported in RealNetworks RealPlayer, which could be exploited by remote attackers to execute arbitrary code, cause a Denial of Service condition or take complete control of an affected system.
Description
1. IVR File Parsing Multiple Buffer Overflow Vulnerabilities
(CVE-2009-0375, CVE-2009-0376)
Multiple buffer overflow vulnerabilities have been reported in RealPlayer, caused by improper bounds checking of filename lengths when processing Internet Video Recording (IVR) files. A remote attacker could exploit these vulnerabilities via a specially crafted IVR file with a filename length field containing a large integer, which triggers an overwrite of an arbitrary memory location with a 0x00 byte value.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
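The bounds checks whose absence item 1 describes, shown as an added example that is not RealNetworks code and not part of the original advisory. The record layout, the names read_name_checked, HDR_LEN and NAME_MAX_LEN, and the assumption that the 0x00 write is a string terminator placed at the attacker-supplied length are all illustrative; the real IVR format is not given on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for illustration (NOT the real IVR format):
 *   [4-byte little-endian name_len][name_len bytes of filename]          */
#define HDR_LEN      4u
#define NAME_MAX_LEN 255u

/* Copies the filename into dst as a C string.
 * Returns 0 on success, -1 if the length field cannot be trusted. */
int read_name_checked(const uint8_t *rec, size_t rec_len,
                      char *dst, size_t dst_cap)
{
    if (rec == NULL || dst == NULL || dst_cap == 0 || rec_len < HDR_LEN)
        return -1;

    uint32_t name_len = (uint32_t)rec[0] | ((uint32_t)rec[1] << 8) |
                        ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);

    /* An unchecked parser would copy name_len bytes and then write the
     * terminator at dst[name_len]; with a large name_len that single 0x00
     * lands far outside dst. Each check below closes one way that happens. */
    if (name_len > NAME_MAX_LEN)      return -1; /* format-level sanity cap */
    if (name_len > rec_len - HDR_LEN) return -1; /* more than the file holds */
    if (name_len >= dst_cap)          return -1; /* no room for terminator  */

    memcpy(dst, rec + HDR_LEN, name_len);
    dst[name_len] = '\0';             /* index is now proven < dst_cap */
    return 0;
}

int main(void)
{
    /* Constructed sample records. */
    const uint8_t good[] = { 5, 0, 0, 0, 'a', '.', 'i', 'v', 'r' };
    const uint8_t huge[] = { 0xff, 0xff, 0xff, 0x7f, 'a' };
    char name[64];

    printf("good: %d\n", read_name_checked(good, sizeof good, name, sizeof name));
    printf("huge: %d\n", read_name_checked(huge, sizeof huge, name, sizeof name));
    return 0;
}
```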
2. ASM Rulebook Remote Code Execution Vulnerability
(CVE-2009-4241)
This vulnerability is caused by an error when parsing files with improperly defined ASM RuleBook structures in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted ASM RuleBook to trigger a heap overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
3. GIF Handling Remote Code Execution Vulnerability
(CVE-2009-4242)
This vulnerability is caused by an error when parsing GIF files with forged chunk sizes in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted GIF file with crafted chunk sizes to trigger an improper memory allocation error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
4. HTTP chunk encoding buffer overflow Vulnerability
(CVE-2009-4243)
This vulnerability is caused by an improper bounds checking error when encoding received HTTP chunks in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted media file to trigger an integer overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
5. SIPR Codec Remote Code Execution Vulnerability
(CVE-2009-4244)
This vulnerability is caused by an error when parsing GIF files with forged chunk sizes in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted GIF file with crafted chunk sizes to trigger an improper memory allocation error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
6. GIF compressed image file Heap-based buffer overflow Vulnerability (CVE-2009-4245)
This vulnerability is caused by improper validation of a certain field when processing compressed GIF images in the "CGIFCodec::InitDecompress()" function in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted compressed GIF image file to trigger a heap overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
7. Skin Parsing Stack Overflow Vulnerability (CVE-2009-4246)
This vulnerability is caused by a boundary error when processing certain fields from the web.xmb file when parsing .RJS skin files in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted .RJS skin file that contains a web.xmb file with crafted length values to trigger a stack overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
8. ASM RuleBook Array Overflow Vulnerability
(CVE-2009-4247)
This vulnerability is caused by an unspecified error when parsing an ASM RuleBook in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted ASM RuleBook to trigger an array overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
9. RTSP set_parameter buffer overflow Vulnerability
(CVE-2009-4248)
This vulnerability is caused by an integer overflow error within the "CMediumBlockAllocator::Alloc()" function in RealPlayer. A remote attacker could exploit this vulnerability via a specially crafted RTSP set_parameter value to trigger a heap overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or cause a Denial of Service (DoS) condition.
10. SMIL Parsing Heap Overflow Vulnerability (CVE-2009-4257)
This vulnerability is caused by an improper bounds checking error related to "getAtom" in the smlrender.dll file in RealPlayer. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted SMIL file with crafted string lengths to trigger a heap overflow error. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of the user running the process or cause a Denial of Service (DoS) condition.
Solution
Upgrade to fixed versions:
http://service.real.com/realplayer/security/01192010_player/en/
Vendor Information
RealNetworks, Inc.
http://service.real.com/realplayer/security/01192010_player/en/
References
Secunia
http://secunia.com/advisories/38218/
SecurityFocus
http://www.securityfocus.com/bid/37880/
http://www.securityfocus.com/bid/33652
SecurityTracker
http://securitytracker.com/alerts/2010/Jan/1023489.html
ISS X-Force
http://xforce.iss.net/xforce/xfdb/55794
http://xforce.iss.net/xforce/xfdb/48567
http://xforce.iss.net/xforce/xfdb/48568
http://xforce.iss.net/xforce/xfdb/55795
http://xforce.iss.net/xforce/xfdb/55796
http://xforce.iss.net/xforce/xfdb/55797
http://xforce.iss.net/xforce/xfdb/55800
http://xforce.iss.net/xforce/xfdb/55799
http://xforce.iss.net/xforce/xfdb/55802
http://xforce.iss.net/xforce/xfdb/55801
http://xforce.iss.net/xforce/xfdb/55798
Zero Day
http://www.zerodayinitiative.com/advisories/ZDI-10-005/
http://www.zerodayinitiative.com/advisories/ZDI-10-009/
http://www.zerodayinitiative.com/advisories/ZDI-10-006/
http://www.zerodayinitiative.com/advisories/ZDI-10-008/
http://www.zerodayinitiative.com/advisories/ZDI-10-010/
http://www.zerodayinitiative.com/advisories/ZDI-10-007/
VUPEN
http://www.vupen.com/english/advisories/2010/0178
CVE Name
CVE-2009-0375
CVE-2009-0376
CVE-2009-4241
CVE-2009-4242
CVE-2009-4243
CVE-2009-4244
CVE-2009-4245
CVE-2009-4246
CVE-2009-4247
CVE-2009-4248
CVE-2009-4257
CWE
CWE-94
CWE-119
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
