
RealPlayer/RealOne/HelixPlayer Multiple Buffer Overflows


Secunia ID: SA27361
CVE-ID: CVE-2007-2263, CVE-2007-2264, CVE-2007-3410, CVE-2007-4599, CVE-2007-5080, CVE-2007-5081
Release Date: 26 Oct 2007
Last Change: 19 Nov 2007
Criticality: Highly Critical
Solution Status: Vendor Patch
Software:
Helix Player 1.x
RealOne Player 1.x
RealOne Player 2.x
RealPlayer 10.x
RealPlayer Enterprise 1.x
Where: From remote
Impact: System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Description

Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user's system.

1) An integer overflow error when processing Lyrics3 v2.00 tags in MP3 files can be exploited to cause a heap-based buffer overflow via a specially crafted MP3 file.

2) An input validation error when processing .RA/.RAM files can be exploited to cause heap corruption via a specially crafted .RA/.RAM file with an overly large size field in the header.

3) An error in the processing of .PLS files can be exploited to cause memory corruption and execute arbitrary code via a specially crafted .PLS file.

4) An input validation error when parsing .SWF files can be exploited to cause a buffer overflow via a specially crafted .SWF file with malformed record headers.

5) A boundary error when processing .RM files can be exploited to cause a buffer overflow.

6) A boundary error when processing SMIL files can be exploited to cause a stack-based buffer overflow. For more information, see SA25819.
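Items 1 and 2 both come down to a size field in the file that the parser trusted. As an added example, not code from this advisory or from RealNetworks, the C below walks a Lyrics3 v2.00 tag with every declared size checked against the bytes actually remaining; it follows the public Lyrics3 v2.00 layout ("LYRICSBEGIN", fields of a 3-character ID plus a 5-digit decimal size, and a 6-digit body size before the closing "LYRICS200"), and the three sample tags are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample tags (not taken from any real file): one well-formed,
 * one whose field size lies, one whose trailing body size lies. */
static const uint8_t SAMPLE_GOOD[]      = "LYRICSBEGINLYR00005hello000024LYRICS200";
static const uint8_t SAMPLE_BAD_FIELD[] = "LYRICSBEGINLYR99999hello000024LYRICS200";
static const uint8_t SAMPLE_BAD_TAIL[]  = "LYRICSBEGINLYR00005hello999999LYRICS200";

/* Read a fixed-width ASCII decimal size field; -1 on a non-digit. */
static int parse_decimal(const uint8_t *p, int digits, size_t *out) {
    size_t v = 0;
    for (int i = 0; i < digits; i++) {
        if (p[i] < '0' || p[i] > '9') return -1;
        v = v * 10 + (size_t)(p[i] - '0');
    }
    *out = v;
    return 0;
}

/* Walk the fields of a tag body: "LYRICSBEGIN", then per field a 3-char ID,
 * a 5-digit size and that many data bytes. Returns the field count, or -1 if
 * a declared size runs past the body. Every check is "size > remaining", so
 * no "pos + size" sum that could wrap around is ever formed. */
int lyrics3v2_count_fields(const uint8_t *body, size_t len) {
    size_t pos = 11;
    int fields = 0;
    if (len < 11 || memcmp(body, "LYRICSBEGIN", 11) != 0) return -1;
    while (pos < len) {
        size_t fsize;
        if (len - pos < 8) return -1;                 /* truncated field header */
        if (parse_decimal(body + pos + 3, 5, &fsize) != 0) return -1;
        pos += 8;
        if (fsize > len - pos) return -1;             /* size field overstates the data */
        pos += fsize;
        fields++;
    }
    return fields;
}

/* Locate the tag from the end of the data: a 6-digit body size immediately
 * followed by "LYRICS200" (assumes any trailing ID3v1 tag was stripped). */
int lyrics3v2_parse_tail(const uint8_t *data, size_t len) {
    size_t body_len;
    if (len < 15 || memcmp(data + len - 9, "LYRICS200", 9) != 0) return -1;
    if (parse_decimal(data + len - 15, 6, &body_len) != 0) return -1;
    if (body_len > len - 15) return -1;               /* body would start before the data */
    return lyrics3v2_count_fields(data + (len - 15 - body_len), body_len);
}
```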

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The following products are affected by one or more of the vulnerabilities (see the vendor's advisory for details):
* RealPlayer 10.5 (6.0.12.1040-6.0.12.1578, 6.0.12.1698, 6.0.12.1741)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8
* RealPlayer Enterprise
* Mac RealPlayer 10.1 (10.0.0.481)
* Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.412)
* Mac RealPlayer 10 (10.0.0.352)
* Mac RealPlayer 10 (10.0.0.305 - 331)
* Mac RealOne Player
* Linux RealPlayer 10 (10.0.5 - 10.0.8)
* Helix Player (10.0.5 - 10.0.8)

Solution

Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/security/10252007_player/en/

Reported by

1) John Heasman, NGSSoftware
2) Anonymous researcher, reported via ZDI
3) Anonymous researcher, reported via ZDI
4) Anonymous researcher, reported via ZDI

The vendor also credits:
* Piotr Bania

Original Advisory

RealNetworks:
http://service.real.com/realplayer/security/10252007_player/en/

NGSSoftware:
http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-real-player-id3-tags/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-07-063.html
http://www.zerodayinitiative.com/advisories/ZDI-07-062.html
http://www.zerodayinitiative.com/advisories/ZDI-07-061.html