CVE-2011-1525 : Detail

CVE-2011-1525

Overflow
49.49%V3
Network
2011-04-06
14h00 +00:00
2018-10-09
16h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Heap-based buffer overflow in rvrender.dll in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.2, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via a crafted frame in an Internet Video Recording (IVR) file.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 17019

Publication date : 2011-03-20 23h00 +00:00
Author : Luigi Auriemma
EDB Verified : No

####################################################################### Luigi Auriemma Application: RealPlayer http://www.real.com Versions: <= 14.0.1.633 Platforms: Windows, Macintosh OSX, Linux, Symbian, Palm Bug: heap overflow Exploitation: remote Date: 21 Mar 2011 (found 17 Feb 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== RealPlayer is an ugly media player developed by RealNetwork and used mainly for its browser's plugin supporting the proprietary file formats of its developer. ####################################################################### ====== 2) Bug ====== Classical heap overflow during the handling of the IVR files caused by the allocation of a certain amount of data (frame size) decided by the attacker and the copying of another arbitrary amount on the same buffer. From rvrender.dll (base address 63AE0000): 63AF5C70 /$ 55 PUSH EBP 63AF5C71 |. 8BEC MOV EBP,ESP 63AF5C73 |. 83EC 20 SUB ESP,20 63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 63AF5C79 |. 56 PUSH ESI 63AF5C7A |. 57 PUSH EDI 63AF5C7B |. 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4] 63AF5C7E |. 8A07 MOV AL,BYTE PTR DS:[EDI] ; byte at offset 0x7800 of the PoC 63AF5C80 |. 24 E0 AND AL,0E0 63AF5C82 |. 33F6 XOR ESI,ESI 63AF5C84 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX 63AF5C87 |. 3C E0 CMP AL,0E0 ; (byte & 0xe0) == 0xe0 63AF5C89 |. 0F85 46010000 JNZ rvrender.63AF5DD5 63AF5C8F |. 8B0A MOV ECX,DWORD PTR DS:[EDX] ; 32bit value at offset 0x77f8 (allocation) 63AF5C91 |. 47 INC EDI 63AF5C92 |. 83E9 01 SUB ECX,1 63AF5C95 |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI 63AF5C98 |. 8975 E8 MOV DWORD PTR SS:[EBP-18],ESI 63AF5C9B |. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1 63AF5CA2 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX 63AF5CA5 |. 0F84 38010000 JE rvrender.63AF5DE3 63AF5CAB |. 53 PUSH EBX 63AF5CAC |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP] 63AF5CB0 |> 57 /PUSH EDI 63AF5CB1 |. 8D4D FC |LEA ECX,DWORD PTR SS:[EBP-4] 63AF5CB4 |. 51 |PUSH ECX 63AF5CB5 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18] 63AF5CB8 |. 52 |PUSH EDX 63AF5CB9 |. E8 92010000 |CALL rvrender.63AF5E50 63AF5CBE |. 03F8 |ADD EDI,EAX 63AF5CC0 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX 63AF5CC3 |. 66:0FB607 |MOVZX AX,BYTE PTR DS:[EDI] 63AF5CC7 |. 0FB7C8 |MOVZX ECX,AX 63AF5CCA |. 83C4 0C |ADD ESP,0C 63AF5CCD |. 84C9 |TEST CL,CL 63AF5CCF |. 79 0D |JNS SHORT rvrender.63AF5CDE 63AF5CD1 |. 83E1 7F |AND ECX,7F 63AF5CD4 |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX 63AF5CD7 |. B8 01000000 |MOV EAX,1 63AF5CDC |. EB 1E |JMP SHORT rvrender.63AF5CFC 63AF5CDE |> 66:0FB64F 01 |MOVZX CX,BYTE PTR DS:[EDI+1] 63AF5CE3 |. C1E0 08 |SHL EAX,8 63AF5CE6 |. 66:0BC8 |OR CX,AX 63AF5CE9 |. BA FF7F0000 |MOV EDX,7FFF 63AF5CEE |. 66:23CA |AND CX,DX 63AF5CF1 |. 0FB7C1 |MOVZX EAX,CX ; 16bit at offset 0x7805 63AF5CF4 |. 8945 F4 |MOV DWORD PTR SS:[EBP-C],EAX 63AF5CF7 |. B8 02000000 |MOV EAX,2 63AF5CFC |> 0FB7D8 |MOVZX EBX,AX 63AF5CFF |. 6A 18 |PUSH 18 63AF5D01 |. 03FB |ADD EDI,EBX 63AF5D03 |. E8 FC120000 |CALL <JMP.&MSVCR90.operator new> 63AF5D08 |. 8BF0 |MOV ESI,EAX 63AF5D0A |. 83C4 04 |ADD ESP,4 63AF5D0D |. 85F6 |TEST ESI,ESI 63AF5D0F |. 74 7F |JE SHORT rvrender.63AF5D90 63AF5D11 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] 63AF5D14 |. 51 |PUSH ECX 63AF5D15 |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8] 63AF5D18 |. E8 D3F2FFFF |CALL rvrender.63AF4FF0 63AF5D1D |. 85C0 |TEST EAX,EAX 63AF5D1F |. 75 0B |JNZ SHORT rvrender.63AF5D2C 63AF5D21 |. 56 |PUSH ESI 63AF5D22 |. E8 E3120000 |CALL <JMP.&MSVCR90.operator delete> 63AF5D27 |. 83C4 04 |ADD ESP,4 63AF5D2A |. 33F6 |XOR ESI,ESI 63AF5D2C |> 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] 63AF5D2F |. 8B0A |MOV ECX,DWORD PTR DS:[EDX] 63AF5D31 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX] 63AF5D33 |. 8B40 0C |MOV EAX,DWORD PTR DS:[EAX+C] 63AF5D36 |. 8D55 E0 |LEA EDX,DWORD PTR SS:[EBP-20] 63AF5D39 |. 52 |PUSH EDX 63AF5D3A |. FFD0 |CALL EAX 63AF5D3C |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX 63AF5D3F |. 85C0 |TEST EAX,EAX 63AF5D41 |. 74 4D |JE SHORT rvrender.63AF5D90 63AF5D43 |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8] 63AF5D46 |. 66:8B51 0C |MOV DX,WORD PTR DS:[ECX+C] 63AF5D4A |. 66:8956 0C |MOV WORD PTR DS:[ESI+C],DX 63AF5D4E |. 0FB755 F4 |MOVZX EDX,WORD PTR SS:[EBP-C] 63AF5D52 |. 0351 08 |ADD EDX,DWORD PTR DS:[ECX+8] 63AF5D55 |. 837D EC 00 |CMP DWORD PTR SS:[EBP-14],0 63AF5D59 |. 8956 08 |MOV DWORD PTR DS:[ESI+8],EDX 63AF5D5C |. 0FB749 0E |MOVZX ECX,WORD PTR DS:[ECX+E] 63AF5D60 |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX 63AF5D64 |. 75 0A |JNZ SHORT rvrender.63AF5D70 63AF5D66 |. 81E1 FDFF0000 |AND ECX,0FFFD 63AF5D6C |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX 63AF5D70 |> C746 14 00000000 |MOV DWORD PTR DS:[ESI+14],0 63AF5D77 |. C706 00000000 |MOV DWORD PTR DS:[ESI],0 63AF5D7D |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] 63AF5D80 |. 51 |PUSH ECX ; 32bit at offset 0x7801 63AF5D81 |. 57 |PUSH EDI ; our data 63AF5D82 |. 50 |PUSH EAX ; heap buffer having the size got at 63AF5C8F 63AF5D83 |. E8 F8160000 |CALL <JMP.&MSVCR90.memcpy> ; memcpy 63AF5D88 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] 63AF5D8B |. 83C4 0C |ADD ESP,0C 63AF5D8E |. 8916 |MOV DWORD PTR DS:[ESI],EDX 63AF5D90 |> 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C] 63AF5D93 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] 63AF5D96 |. 8D140B |LEA EDX,DWORD PTR DS:[EBX+ECX] 63AF5D99 |. 8B5D F0 |MOV EBX,DWORD PTR SS:[EBP-10] 63AF5D9C |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8] 63AF5D9F |. 03D0 |ADD EDX,EAX 63AF5DA1 |. 2BDA |SUB EBX,EDX 63AF5DA3 |. 56 |PUSH ESI 63AF5DA4 |. 03F8 |ADD EDI,EAX 63AF5DA6 |. 895D F0 |MOV DWORD PTR SS:[EBP-10],EBX 63AF5DA9 |. E8 D2FCFFFF |CALL rvrender.63AF5A80 63AF5DAE |. 56 |PUSH ESI 63AF5DAF |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX 63AF5DB2 |. E8 53120000 |CALL <JMP.&MSVCR90.operator delete> 63AF5DB7 |. 83C4 04 |ADD ESP,4 63AF5DBA |. C745 EC 00000000 |MOV DWORD PTR SS:[EBP-14],0 63AF5DC1 |. 85DB |TEST EBX,EBX 63AF5DC3 |.^0F85 E7FEFFFF \JNZ rvrender.63AF5CB0 63AF5DC9 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 63AF5DCC |. 5B POP EBX 63AF5DCD |. 5F POP EDI 63AF5DCE |. 5E POP ESI 63AF5DCF |. 8BE5 MOV ESP,EBP 63AF5DD1 |. 5D POP EBP 63AF5DD2 |. C2 0400 RETN 4 ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/real_5.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17019.zip the amount of data to copy is the 32bit big endian value located at offset 0x7801 of real_5.ivr. ####################################################################### ====== 4) Fix ====== No fix. #######################################################################

Products Mentioned

Configuraton 0

Realnetworks>>Realplayer >> Version To (including) 14.0.1.633

Realnetworks>>Realplayer >> Version 4

Realnetworks>>Realplayer >> Version 5

Realnetworks>>Realplayer >> Version 6

Realnetworks>>Realplayer >> Version 7

Realnetworks>>Realplayer >> Version 8

Realnetworks>>Realplayer >> Version 10.0

Realnetworks>>Realplayer >> Version 10.5

Realnetworks>>Realplayer >> Version 11.0

Realnetworks>>Realplayer >> Version 11.0.1

Realnetworks>>Realplayer >> Version 11.0.2

Realnetworks>>Realplayer >> Version 11.0.2.1744

Realnetworks>>Realplayer >> Version 11.0.2.2315

Realnetworks>>Realplayer >> Version 11.0.3

Realnetworks>>Realplayer >> Version 11.0.4

Realnetworks>>Realplayer >> Version 11.0.5

Realnetworks>>Realplayer >> Version 11.1

Realnetworks>>Realplayer >> Version 11.1.3

Realnetworks>>Realplayer >> Version 11_build_6.0.14.748

Realnetworks>>Realplayer >> Version 12.0.0.1444

Realnetworks>>Realplayer >> Version 12.0.0.1548

Realnetworks>>Realplayer >> Version 14.0.0

Realnetworks>>Realplayer >> Version 14.0.1

Realnetworks>>Realplayer >> Version 14.0.1.609

References

http://secunia.com/advisories/43847
Tags : third-party-advisory, x_refsource_SECUNIA
http://osvdb.org/71260
Tags : vdb-entry, x_refsource_OSVDB
http://www.securityfocus.com/bid/46946
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1025245
Tags : vdb-entry, x_refsource_SECTRACK
http://securityreason.com/securityalert/8181
Tags : third-party-advisory, x_refsource_SREASON
http://www.exploit-db.com/exploits/17019
Tags : exploit, x_refsource_EXPLOIT-DB