RealPlayer .SWF Multiple Remote Memory Corruption Vulnerabilities
By Sowhat of Nevis Labs
Date: 2006.03.22
http://www.nevisnetworks.com
http://secway.org/advisory/AD20060322.txt
CVE: CVE-2006-0323
US CERT: VU#231028
Vendor:
RealNetworks Inc.
Products affected:
Windows
RealPlayer 8
RealOne Player & RealOne Player V2
RealPlayer 10
RealPlayer 10.5
Macintosh
RealOne Player
RealPlayer 10
Linux
RealPlayer 10
Overview:
RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. For more information, visit
http://www.real.com/.
Details:
Multiple vulnerabilities exist in swfformat.dll.
A carefully crafted .swf file may execute arbitrary code or crash
RealPlayer.
By persuading a user to open a specially crafted SWF file with RealPlayer,
a remote attacker may be able to execute arbitrary code.
These vulnerabilities can also be triggered remotely through ActiveX
in IE.
Setting the size of an SWF file to a value smaller than the actual size
triggers one of the vulnerabilities.
Multiple holes in swfformat.dll have been fixed.
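Added example, not part of the original advisory and not RealNetworks code:
a triage check that flags SWF files whose declared size disagrees with their
real size, the condition described above. The function names, status strings
and the 64 MB inflate cap are assumptions; the sample files are constructed.

```python
import struct
import zlib

MAX_INFLATE = 64 * 1024 * 1024  # assumed policy cap on decompressed size

def swf_length_check(data: bytes) -> str:
    """Compare the size an SWF header declares with the real size.

    Returns 'ok', 'declared-smaller', 'declared-larger', 'too-large',
    'corrupt' or 'not-swf'.
    """
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return "not-swf"
    # Header: 3-byte signature, 1-byte version, 4-byte little-endian length.
    declared = struct.unpack_from("<I", data, 4)[0]
    if data[:3] == b"FWS":
        actual = len(data)
    else:
        # CWS: bytes after the 8-byte header are zlib-compressed, and the
        # declared length refers to the uncompressed file.
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(data[8:], MAX_INFLATE)
        except zlib.error:
            return "corrupt"
        if inflater.unconsumed_tail:
            return "too-large"  # refuse to inflate past the cap
        actual = 8 + len(body)
    if declared < actual:
        return "declared-smaller"  # the condition the advisory describes
    if declared > actual:
        return "declared-larger"   # e.g. a truncated file
    return "ok"

def make_sample(body: bytes, declared: int, compressed: bool = False) -> bytes:
    """Build a constructed test file (not a real Flash movie)."""
    sig = b"CWS" if compressed else b"FWS"
    payload = zlib.compress(body) if compressed else body
    return sig + bytes([6]) + struct.pack("<I", declared) + payload

if __name__ == "__main__":
    body = bytes(32)  # constructed placeholder body, 8 + 32 = 40 bytes total
    for name, blob in [("consistent", make_sample(body, 40)),
                       ("understated", make_sample(body, 16)),
                       ("understated-cws", make_sample(body, 16, True))]:
        print(name, swf_length_check(blob))
```

A 'declared-smaller' result only marks a file for closer inspection at a mail
or web gateway; installing the vendor fix listed under FIX is the remedy.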
POC:
No PoC will be released for this.
FIX:
http://service.real.com/realplayer/security/03162006_player/en/
Vendor Response:
2005.10.07 Vendor notified via email
2005.10.07 Vendor responded
2005.03.22 Patch released
2006.04.11 Advisory released
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-0323
Greetings to Paul [email protected], Chi, OYXin, Narasimha Datta and all
Nevis Labs guys.
References:
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
Full-Disclosure - We believe in it.