Realplayer .SWF Multiple Remote Memory Corruption Vulnerabilities By Sowhat of Nevis Labs Date: 2006.03.22 http://www.nevisnetworks.com http://secway.org/advisory/AD20060322.txt CVE: CVE-2006-0323 US CERT: VU#231028 Vendor RealNetworks Inc. Products affected: Windows RealPlayer 8 RealOne Player & RealOne Player V2 RealPlayer 10 RealPlayer 10.5 Macintosh RealOne Player RealPlayer 10 Linux RealPlayer 10 Overview: RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. For more information, visit http://www.real.com/. Details: There are multiple vulnerabilities found in swfformat.dll. A carefully crafted .swf file may execute arbitrary code or crash the RealPlayer. By persuading a user to access a specially crafted SWF file with RealPlayer, a remote attacker may be able to execute arbitrary code. And also, these vulnerabilities can be triggered remotely through ActiveX in IE. By setting the size of SWF files to a value smaller than the actual size, you can trigger one of the vulnerabilities. Actually, there are multiple holes that have been fixed in swfformat.dll. POC: No PoC will be released for this. FIX: http://service.real.com/realplayer/security/03162006_player/en/ Vendor Response: 2005.10.07 Vendor notified via email 2005.10.07 Vendor responded 2005.03.22 Patch released 2006.04.11 Advisory released Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2006-0323 Greetings to Paul Gese@real.com, Chi, OYXin, Narasimha Datta and all Nevis Labs guys. References: 1. http://service.real.com/realplayer/security/03162006_player/en/ 2. http://www.kb.cert.org/vuls/id/231028 3. http://www.macromedia.com/licensing/developer/fileformat/faq/ 4. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323 5. http://www.gentoo.org/security/en/glsa/glsa-200603-24.xml 6. http://www.novell.com/linux/security/advisories/2006_18_realplayer.html 7. http://secunia.com/advisories/19358/ -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"