TITLE: RealPlayer/RealOne/HelixPlayer "rm" and "rjs" File Handling Buffer Overflow SECUNIA ADVISORY ID: SA17514 VERIFY ADVISORY: http://secunia.com/advisories/17514/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Helix Player 1.x http://secunia.com/product/3970/ RealOne Player v1 http://secunia.com/product/666/ RealOne Player v2 http://secunia.com/product/2378/ RealPlayer 10.x http://secunia.com/product/2968/ RealPlayer Enterprise 1.x http://secunia.com/product/3342/ DESCRIPTION: eEye Digital Security has reported two vulnerabilities in RealPlayer, RealOne, and HelixPlayer, which can be exploited by malicious people to compromise a user's system. 1) A signedness error exists when handling the first data packet in a Real Media ".rm" file. This can be exploited to cause a stack-based buffer overflow via a specially crafted ".rm" file that contains values between 0x80 and 0xFF in the application-specific length field. Successful exploitation allows arbitrary code execution. The vulnerability has been reported in the following versions: * RealPlayer 10.5 (6.0.12.1040-1235) (Windows) * RealPlayer 10 (Windows) * RealOne Player v1 (Windows) * RealOne Player v2 (Windows) * RealPlayer 8 (Windows) * RealPlayer Enterprise versions 1.1, 1.2, 1.5, 1.6 and 1.7 (Windows) * RealPlayer 10 (10.0.0.305 - 331) (Mac) * RealPlayer 10 (10.0.0 - 10.0.5) (Linux) * Helix Player (10.0.0 - 10.0.5) (Linux) 2) A boundary error exists when extracting a RealPlayer skin ".rjs" file. This can be exploited to cause a heap-based buffer overflow in DUNZIP32.DLL via a malicious ".rjs" file with a specially-crafted file length field. The vulnerability has been reported in following versions: * RealPlayer 10.5 (6.0.12.1040-1235) (Windows) * RealPlayer 10 (Windows) * RealOne Player v1 (Windows) * RealOne Player v2 (Windows) * RealPlayer 8 (Windows) SOLUTION: Update to the fixed versions: -- Windows Platform -- RealPlayer 10.5 / RealOne Player v1 (English only) / RealOne Player v2 / RealPlayer 10: Update to the latest version via "Check for Update" on the "Tools" menu, or download patch from vendor's website. http://service.real.com/help/faq/security/051110_player/EN/ RealPlayer 8 (version 6.0.9.584): Update to the latest version via "Check for Update" on the "Help" menu, or download patch from vendor's website. http://service.real.com/help/faq/security/051110_player/EN/ RealPlayer Enterprise: Apply patch. http://service.real.com/help/faq/security/security111005.html -- Mac OS X Platform -- RealPlayer 10: Update to the latest version via "Check for Update" on the "RealPlayer" menu. RealOne Player for Mac OS X users need to upgrade to RealPlayer 10 for Mac OS X and then apply the update. -- Linux Platform -- RealPlayer 10 for Linux: http://www.real.com/linux Helix Player for Linux: https://player.helixcommunity.org/2005/downloads/ PROVIDED AND/OR DISCOVERED BY: 1) Karl Lynn, eEye Digital Security. 2) Fang Xing, eEye Digital Security. The vendor also credits John Heasman of NGS Software. ORIGINAL ADVISORY: RealNetworks: http://service.real.com/help/faq/security/051110_player/EN/ http://service.real.com/help/faq/security/security111005.html eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20051110a.html http://www.eeye.com/html/research/advisories/AD20051110b.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------