Information Assurance

WILLIAM A. LICAMELE



Bugtraq Analysis

Heap-based buffer overflow: REALPLAYER
http://www.real.com


Bugtraq, March 23, 2006

REALPLAYER EXPLOIT

What is affected?

RealPlayer: An application for playing music and video media.

Versions affected:
RealPlayer 8
RealPlayer 10
RealPlayer 10.5
RealOne Player v1
RealOne Player v2

What is the problem?

Buffer overflow: A heap-based overflow in RealPlayer allows the execution of arbitrary code. The vulnerability lies in the handling of the "chunked" Transfer-Encoding method. This method splits the files to be sent into chunks. For each chunk, the server sends a hexadecimal number representing the length of the chunk, followed by the chunk data itself. This continues until the entire file (or files) has been sent. The end of the transfer is signalled by a chunk with a length of 0.

There are 3 ways of exploiting this vulnerability:
1) Not sending a chunk header before sending malicious data.
2) Sending a well-formed chunk header with a length of -1 (FFFFFFFF) followed by malicious data.
3) Sending a well-formed chunk header with a length specified which is less than the amount of data that will be sent, followed by malicious data.


These three can cases result in heap overflows. Not sending a chuck header before sending the data seems to cause the programs to crash.

In order for this malicious code to be sent, an attacker would need to coerce a user to follow a link to a malicious server. Once this is done the user is in the hands of the attacker.

What could have prevented it?

This vulnerability could have been avoided in several ways. RealPlayer could have validated the chunk headers before trusting them. The easiest way would be to require a positive, non-zero value in the header and to check that the length of the data actually received matches what the header specifies.
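The check described above, applied to the chunk format explained under "What is the problem?", as an added example that is not RealPlayer's code: a chunk decoder that rejects all three malformed-header cases (missing header, a -1/FFFFFFFF length, and data that does not end where the header says) before copying a single byte. The status names, the 16-byte demo buffer and the wire strings are assumptions made for this example; chunk extensions and trailers are not handled.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Outcome of decoding one chunk. The error cases mirror the three
   malformed-header cases described on this page. */
enum chunk_status {
    CHUNK_OK,            /* one chunk decoded into the caller's buffer */
    CHUNK_LAST,          /* zero-length chunk: end of transfer */
    CHUNK_ERR_NO_HEADER, /* data arrived without a hex length line (case 1) */
    CHUNK_ERR_TOO_BIG,   /* e.g. FFFFFFFF, or larger than our buffer (case 2) */
    CHUNK_ERR_LENGTH,    /* hex overflow, or data does not end where declared (case 3) */
    CHUNK_ERR_TRUNCATED  /* fewer bytes than declared have arrived so far */
};

/* Decode one "<hex-length>\r\n<data>\r\n" chunk from in[0..in_len) into out.
   Nothing is copied until every length check has passed. */
enum chunk_status decode_chunk(const unsigned char *in, size_t in_len,
                               unsigned char *out, size_t out_cap,
                               size_t *out_len)
{
    size_t i = 0, digits = 0;
    uint32_t size = 0;
    while (i < in_len && isxdigit(in[i])) {
        int v = isdigit(in[i]) ? in[i] - '0' : tolower(in[i]) - 'a' + 10;
        if (size > (UINT32_MAX >> 4))          /* a 9th hex digit would wrap */
            return CHUNK_ERR_LENGTH;
        size = (size << 4) | (uint32_t)v;
        i++; digits++;
    }
    if (digits == 0 || i + 2 > in_len || in[i] != '\r' || in[i + 1] != '\n')
        return CHUNK_ERR_NO_HEADER;          /* case 1: no well-formed length line */
    i += 2;
    *out_len = 0;
    if (size == 0) return CHUNK_LAST;
    if (size > out_cap) return CHUNK_ERR_TOO_BIG;   /* case 2: -1 or any oversized length */
    if (in_len < i + size + 2) return CHUNK_ERR_TRUNCATED;
    if (in[i + size] != '\r' || in[i + size + 1] != '\n')
        return CHUNK_ERR_LENGTH;             /* case 3: more data than the header declared */
    memcpy(out, in + i, size);               /* safe: size <= out_cap and fully present */
    *out_len = size;
    return CHUNK_OK;
}

/* Convenience wrapper for NUL-free wire strings, using a constructed 16-byte buffer. */
enum chunk_status chunk_status_of(const char *wire)
{
    unsigned char out[16]; size_t n;
    return decode_chunk((const unsigned char *)wire, strlen(wire), out, sizeof out, &n);
}
```

Feeding the decoder "FFFFFFFF\r\nAAAA\r\n" yields CHUNK_ERR_TOO_BIG, and "3\r\nhello\r\n" yields CHUNK_ERR_LENGTH, so neither declared length is ever used as a copy size.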

What can be done to work around it?

There is no way to completely protect yourself from this vulnerability, but refraining from following stray links will keep one safe from harm. Disabling ActiveX controls and plugins, if they are not necessary for daily operations, can also help. This can be done by:
1) In IE, click on Tools and select Internet Options from the drop-down menu.
2) Click the Security tab and then the Custom Level button.
3) Under ActiveX Controls and Plugins, then Run ActiveX Controls and Plugins, click the Disable radio button.

What can be done to prevent it from occurring in the future?

RealPlayer has posted updates to fix this exploit. In general, buffers should always be checked for potential overflows, since most exploits are centered around buffer overflows.