The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
RealPlayer Data Packet Stack Overflow
Release Date:
November 10, 2005
Date Reported:
May 28, 2005
Severity:
High (Remote Code Execution)
Vendor:
RealNetworks
Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise
Mac:
RealPlayer 10
Linux:
RealPlayer 10 (10.0.0 - 5)
Helix Player (10.0.0 - 5)
Overview:
eEye Digital Security has discovered a critical vulnerability in
RealPlayer. The vulnerability allows a remote attacker to reliably
overwrite stack memory with arbitrary data and execute arbitrary code in
the context of the user who executed the player.
This specific flaw exists in the first data packet contained in a Real
Media file. By specially crafting a malformed .rm movie file, a direct
stack overwrite is triggered, and reliable code execution is then
possible.
Technical Details:
The vulnerability is triggered by setting the application specific
length field of the [data packet + 1] to 0x80 - 0xFF this will cause a
stack overflow.
The value is sign-extended and passed as the length to memcpy.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink End Point Protection proactively protects against this
vulnerability
Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar or from
http://service.real.com/realplayer/security/.
Credit:
Karl Lynn
Related Links:
This advisory has been assigned the following ID numbers;
EEYEB-20050510
OSVDB ID: 18822
CVE ID: CAN-2005-2629
Greetings:
Brett Moore, Mark Dowd, Paul Gese @ RealNetworks, Mike Schiffman, AJREZ,
Luke, Derek "TEX" Soeder, Andre Audits, "The Claw", and Dug Song.
Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert (at) eEye (dot) com [email concealed] for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum