Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
9.3 |
|
AV:N/AC:M/Au:N/C:C/I:C/A:C |
nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 17019
Publication date : 2011-03-20 23h00 +00:00
Author : Luigi Auriemma
EDB Verified : No
#######################################################################
Luigi Auriemma
Application: RealPlayer
http://www.real.com
Versions: <= 14.0.1.633
Platforms: Windows, Macintosh OSX, Linux, Symbian, Palm
Bug: heap overflow
Exploitation: remote
Date: 21 Mar 2011 (found 17 Feb 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
RealPlayer is an ugly media player developed by RealNetwork and used
mainly for its browser's plugin supporting the proprietary file formats
of its developer.
#######################################################################
======
2) Bug
======
Classical heap overflow during the handling of the IVR files caused by
the allocation of a certain amount of data (frame size) decided by the
attacker and the copying of another arbitrary amount on the same
buffer.
From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55 PUSH EBP
63AF5C71 |. 8BEC MOV EBP,ESP
63AF5C73 |. 83EC 20 SUB ESP,20
63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
63AF5C79 |. 56 PUSH ESI
63AF5C7A |. 57 PUSH EDI
63AF5C7B |. 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4]
63AF5C7E |. 8A07 MOV AL,BYTE PTR DS:[EDI] ; byte at offset 0x7800 of the PoC
63AF5C80 |. 24 E0 AND AL,0E0
63AF5C82 |. 33F6 XOR ESI,ESI
63AF5C84 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
63AF5C87 |. 3C E0 CMP AL,0E0 ; (byte & 0xe0) == 0xe0
63AF5C89 |. 0F85 46010000 JNZ rvrender.63AF5DD5
63AF5C8F |. 8B0A MOV ECX,DWORD PTR DS:[EDX] ; 32bit value at offset 0x77f8 (allocation)
63AF5C91 |. 47 INC EDI
63AF5C92 |. 83E9 01 SUB ECX,1
63AF5C95 |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
63AF5C98 |. 8975 E8 MOV DWORD PTR SS:[EBP-18],ESI
63AF5C9B |. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1
63AF5CA2 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
63AF5CA5 |. 0F84 38010000 JE rvrender.63AF5DE3
63AF5CAB |. 53 PUSH EBX
63AF5CAC |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
63AF5CB0 |> 57 /PUSH EDI
63AF5CB1 |. 8D4D FC |LEA ECX,DWORD PTR SS:[EBP-4]
63AF5CB4 |. 51 |PUSH ECX
63AF5CB5 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18]
63AF5CB8 |. 52 |PUSH EDX
63AF5CB9 |. E8 92010000 |CALL rvrender.63AF5E50
63AF5CBE |. 03F8 |ADD EDI,EAX
63AF5CC0 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5CC3 |. 66:0FB607 |MOVZX AX,BYTE PTR DS:[EDI]
63AF5CC7 |. 0FB7C8 |MOVZX ECX,AX
63AF5CCA |. 83C4 0C |ADD ESP,0C
63AF5CCD |. 84C9 |TEST CL,CL
63AF5CCF |. 79 0D |JNS SHORT rvrender.63AF5CDE
63AF5CD1 |. 83E1 7F |AND ECX,7F
63AF5CD4 |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX
63AF5CD7 |. B8 01000000 |MOV EAX,1
63AF5CDC |. EB 1E |JMP SHORT rvrender.63AF5CFC
63AF5CDE |> 66:0FB64F 01 |MOVZX CX,BYTE PTR DS:[EDI+1]
63AF5CE3 |. C1E0 08 |SHL EAX,8
63AF5CE6 |. 66:0BC8 |OR CX,AX
63AF5CE9 |. BA FF7F0000 |MOV EDX,7FFF
63AF5CEE |. 66:23CA |AND CX,DX
63AF5CF1 |. 0FB7C1 |MOVZX EAX,CX ; 16bit at offset 0x7805
63AF5CF4 |. 8945 F4 |MOV DWORD PTR SS:[EBP-C],EAX
63AF5CF7 |. B8 02000000 |MOV EAX,2
63AF5CFC |> 0FB7D8 |MOVZX EBX,AX
63AF5CFF |. 6A 18 |PUSH 18
63AF5D01 |. 03FB |ADD EDI,EBX
63AF5D03 |. E8 FC120000 |CALL <JMP.&MSVCR90.operator new>
63AF5D08 |. 8BF0 |MOV ESI,EAX
63AF5D0A |. 83C4 04 |ADD ESP,4
63AF5D0D |. 85F6 |TEST ESI,ESI
63AF5D0F |. 74 7F |JE SHORT rvrender.63AF5D90
63AF5D11 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
63AF5D14 |. 51 |PUSH ECX
63AF5D15 |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
63AF5D18 |. E8 D3F2FFFF |CALL rvrender.63AF4FF0
63AF5D1D |. 85C0 |TEST EAX,EAX
63AF5D1F |. 75 0B |JNZ SHORT rvrender.63AF5D2C
63AF5D21 |. 56 |PUSH ESI
63AF5D22 |. E8 E3120000 |CALL <JMP.&MSVCR90.operator delete>
63AF5D27 |. 83C4 04 |ADD ESP,4
63AF5D2A |. 33F6 |XOR ESI,ESI
63AF5D2C |> 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
63AF5D2F |. 8B0A |MOV ECX,DWORD PTR DS:[EDX]
63AF5D31 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
63AF5D33 |. 8B40 0C |MOV EAX,DWORD PTR DS:[EAX+C]
63AF5D36 |. 8D55 E0 |LEA EDX,DWORD PTR SS:[EBP-20]
63AF5D39 |. 52 |PUSH EDX
63AF5D3A |. FFD0 |CALL EAX
63AF5D3C |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX
63AF5D3F |. 85C0 |TEST EAX,EAX
63AF5D41 |. 74 4D |JE SHORT rvrender.63AF5D90
63AF5D43 |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8]
63AF5D46 |. 66:8B51 0C |MOV DX,WORD PTR DS:[ECX+C]
63AF5D4A |. 66:8956 0C |MOV WORD PTR DS:[ESI+C],DX
63AF5D4E |. 0FB755 F4 |MOVZX EDX,WORD PTR SS:[EBP-C]
63AF5D52 |. 0351 08 |ADD EDX,DWORD PTR DS:[ECX+8]
63AF5D55 |. 837D EC 00 |CMP DWORD PTR SS:[EBP-14],0
63AF5D59 |. 8956 08 |MOV DWORD PTR DS:[ESI+8],EDX
63AF5D5C |. 0FB749 0E |MOVZX ECX,WORD PTR DS:[ECX+E]
63AF5D60 |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX
63AF5D64 |. 75 0A |JNZ SHORT rvrender.63AF5D70
63AF5D66 |. 81E1 FDFF0000 |AND ECX,0FFFD
63AF5D6C |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX
63AF5D70 |> C746 14 00000000 |MOV DWORD PTR DS:[ESI+14],0
63AF5D77 |. C706 00000000 |MOV DWORD PTR DS:[ESI],0
63AF5D7D |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
63AF5D80 |. 51 |PUSH ECX ; 32bit at offset 0x7801
63AF5D81 |. 57 |PUSH EDI ; our data
63AF5D82 |. 50 |PUSH EAX ; heap buffer having the size got at 63AF5C8F
63AF5D83 |. E8 F8160000 |CALL <JMP.&MSVCR90.memcpy> ; memcpy
63AF5D88 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
63AF5D8B |. 83C4 0C |ADD ESP,0C
63AF5D8E |. 8916 |MOV DWORD PTR DS:[ESI],EDX
63AF5D90 |> 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C]
63AF5D93 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
63AF5D96 |. 8D140B |LEA EDX,DWORD PTR DS:[EBX+ECX]
63AF5D99 |. 8B5D F0 |MOV EBX,DWORD PTR SS:[EBP-10]
63AF5D9C |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
63AF5D9F |. 03D0 |ADD EDX,EAX
63AF5DA1 |. 2BDA |SUB EBX,EDX
63AF5DA3 |. 56 |PUSH ESI
63AF5DA4 |. 03F8 |ADD EDI,EAX
63AF5DA6 |. 895D F0 |MOV DWORD PTR SS:[EBP-10],EBX
63AF5DA9 |. E8 D2FCFFFF |CALL rvrender.63AF5A80
63AF5DAE |. 56 |PUSH ESI
63AF5DAF |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5DB2 |. E8 53120000 |CALL <JMP.&MSVCR90.operator delete>
63AF5DB7 |. 83C4 04 |ADD ESP,4
63AF5DBA |. C745 EC 00000000 |MOV DWORD PTR SS:[EBP-14],0
63AF5DC1 |. 85DB |TEST EBX,EBX
63AF5DC3 |.^0F85 E7FEFFFF \JNZ rvrender.63AF5CB0
63AF5DC9 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
63AF5DCC |. 5B POP EBX
63AF5DCD |. 5F POP EDI
63AF5DCE |. 5E POP ESI
63AF5DCF |. 8BE5 MOV ESP,EBP
63AF5DD1 |. 5D POP EBP
63AF5DD2 |. C2 0400 RETN 4
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/real_5.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17019.zip
the amount of data to copy is the 32bit big endian value located at
offset 0x7801 of real_5.ivr.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Products Mentioned
Configuraton 0
Realnetworks>>Realplayer >> Version To (including) 14.0.1.633
Realnetworks>>Realplayer >> Version 4
Realnetworks>>Realplayer >> Version 5
Realnetworks>>Realplayer >> Version 6
Realnetworks>>Realplayer >> Version 7
Realnetworks>>Realplayer >> Version 8
Realnetworks>>Realplayer >> Version 10.0
Realnetworks>>Realplayer >> Version 10.5
Realnetworks>>Realplayer >> Version 11.0
Realnetworks>>Realplayer >> Version 11.0.1
Realnetworks>>Realplayer >> Version 11.0.2
Realnetworks>>Realplayer >> Version 11.0.2.1744
Realnetworks>>Realplayer >> Version 11.0.2.2315
Realnetworks>>Realplayer >> Version 11.0.3
Realnetworks>>Realplayer >> Version 11.0.4
Realnetworks>>Realplayer >> Version 11.0.5
Realnetworks>>Realplayer >> Version 11.1
Realnetworks>>Realplayer >> Version 11.1.3
Realnetworks>>Realplayer >> Version 11_build_6.0.14.748
Realnetworks>>Realplayer >> Version 12.0.0.1444
Realnetworks>>Realplayer >> Version 12.0.0.1548
Realnetworks>>Realplayer >> Version 14.0.0
Realnetworks>>Realplayer >> Version 14.0.1
Realnetworks>>Realplayer >> Version 14.0.1.609
References