CVE-2016-9018 : Detail

CVE-2016-9018

CVSS v3 score: 5.5 / Medium
Category: Memory Corruption
EPSS: 0.09% (V3)
Attack vector: Local
Published: 2016-10-28 13h00 +00:00
Updated: 2017-09-05 10h57 +00:00

CVE Description

Improper handling of a repeating VRAT chunk in qcpfformat.dll allows attackers to cause a Null pointer dereference and crash in RealNetworks RealPlayer 18.1.5.705 through a crafted .QCP media file.

CVE Information

Related Weaknesses

CWE-ID   Weakness Name              Source
CWE-476  NULL Pointer Dereference
         The product dereferences a pointer that it expects to be valid but is NULL.

Metrics

Metrics  Score  Severity  CVSS Vector
V3.0     5.5    MEDIUM    CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

None

There is no loss of confidentiality within the impacted component.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None

There is no loss of integrity within the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

V3.0 source: nvd@nist.gov

Metrics  Score  CVSS Vector                  Source
V2       4.3    AV:N/AC:M/Au:N/C:N/I:N/A:P   nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 40617

Publication date : 2016-10-20 22h00 +00:00
Author : Alwin Peppels
EDB Verified : Yes

Tested on: Win7 / Win10 x64
Date: October 20th 2016
Vendor homepage: http://www.real.com
Software link: http://realplayer-download.real.com/free/windows/installer/stubinst/stub/rt1/T10EUDRP/RealTimes-RealPlayer.exe
File version (both realplay.exe and qcpfformat.dll): 18.1.5.705
Exploit author: Alwin Peppels
Found with: Peach Fuzzer

Context:

eax=00000002 ebx=00000000 ecx=0d4cb9a0 edx=00000000 esi=00000000 edi=046abd0c
eip=534013dc esp=00d7e254 ebp=00d7e254 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
qcpfformat+0x13dc:
534013dc 0fb64203        movzx   eax,byte ptr [edx+3]       ds:002b:00000003=??

Call stack:

 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00d7e254 53401e92 00000000 00000000 0d4cb9a0 qcpfformat+0x13dc
01 00d7e2a4 53403342 046abd0c 80004005 00000000 qcpfformat+0x1e92
02 00d7e2d8 53402d37 1d26bbf0 74617276 534018a9 qcpfformat!RMACreateInstance+0xc62
03 00d7e308 534030cb 046abd0c 00000000 74617276 qcpfformat!RMACreateInstance+0x657
04 00d7e328 533e20f0 1ee51040 00000000 00000008 qcpfformat!RMACreateInstance+0x9eb
05 00d7e348 533e1da6 00000008 00d7e370 00000005 smplfsys+0x20f0
06 00d7e374 533e3582 00d7e394 00000000 00000000 smplfsys+0x1da6
07 00d7e38c 5340349f 00000000 00000008 00000000 smplfsys+0x3582
08 00d7e3b4 533e3cd9 00d7e3d0 0d4cb9a4 0d4cb9a4 qcpfformat!RMACreateInstance+0xdbf
09 00d7e3c8 53403597 00000000 00000000 00000000 smplfsys+0x3cd9
0a 00d7e444 533e283c 1d26bbf8 0d4cb9a4 0d4cb9a0 qcpfformat!RMACreateInstance+0xeb7
0b 00d7e460 53402c51 1d26bbf0 00000005 0d4cb9a0 smplfsys+0x283c
0c 00d7e488 57a8a692 1d190950 0ce86fd8 1d26bd48 qcpfformat!RMACreateInstance+0x571
0d 00d7e4f0 57a8adfd 0d49dd78 5865cb7c 00d7e528 mametadata!SetDLLAccessPath+0x18392
0e 00d7e568 585afd7c 0d4aca0c 046a2610 5865cb7c mametadata!SetDLLAccessPath+0x18afd
0f 00d7e5ac 585af1d0 1d26c088 00d7e5fc 00000000 rpcl3260!RMAShutdown+0x2584c
10 00d7e5c0 585ae90a 00000000 1d26c088 03ecd74c rpcl3260!RMAShutdown+0x24ca0
11 00d7e5d8 57c788ba 1d26c088 00d7e5fc 03ecd74c rpcl3260!RMAShutdown+0x243da
12 00d7e608 57c38009 1d26c088 00000002 1d26c088 rpmn3260!SetDLLAccessPath+0x58b1a
13 00d7e628 585bc25e 1d26c088 1d26c088 00000000 rpmn3260!SetDLLAccessPath+0x18269

Disassembly:

qcpfformat+0x13d0:
534013d0 55              push    ebp
534013d1 8bec            mov     ebp,esp
534013d3 83794000        cmp     dword ptr [ecx+40h],0
534013d7 8b5508          mov     edx,dword ptr [ebp+8]
534013da 7422            je      qcpfformat+0x13fe (534013fe)
534013dc 0fb64203        movzx   eax,byte ptr [edx+3]
534013e0 0fb64a02        movzx   ecx,byte ptr [edx+2]
534013e4 c1e008          shl     eax,8

The edx register is being zeroed out by the move from ebp+8 at +13d7, causing the memory read at instruction 13dc to point to 0x00000003.

In the analysis below the PoC file's place in memory starts at 0b880012. Here the first VRAT tag (hex 76 72 61 74) is read in correctly the first time from 0b881044. As can be seen in the instructions above that, on the first iteration EBP is pointing at the tags but is quickly set to an address outside the file.

Breakpoint 1 hit
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d0 esp=00bce58c ebp=0b881040 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
qcpfformat+0x13d0:
54cd13d0 55              push    ebp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d1 esp=00bce588 ebp=0b881040 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
qcpfformat+0x13d1:
54cd13d1 8bec            mov     ebp,esp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d3 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
qcpfformat+0x13d3:
54cd13d3 83794000        cmp     dword ptr [ecx+40h],0  ds:002b:1c5342b0=00000001
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d7 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508          mov     edx,dword ptr [ebp+8]  ss:002b:00bce590=0b881044
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13da esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13da:
54cd13da 7422            je      qcpfformat+0x13fe (54cd13fe)            [br=0]
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13dc esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203        movzx   eax,byte ptr [edx+3]       ds:002b:0b881047=74
0:000> t
eax=00000074 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e0 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13e0:
54cd13e0 0fb64a02        movzx   ecx,byte ptr [edx+2]       ds:002b:0b881046=61
0:000> t
eax=00000074 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e4 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13e4:
54cd13e4 c1e008          shl     eax,8
0:000> t
eax=00007400 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e7 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qcpfformat+0x13e7:
54cd13e7 0bc1            or      eax,ecx
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e9 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13e9:
54cd13e9 0fb64a01        movzx   ecx,byte ptr [edx+1]       ds:002b:0b881045=72
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13ed esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13ed:
54cd13ed c1e008          shl     eax,8
0:000> t
eax=00746100 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f0 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qcpfformat+0x13f0:
54cd13f0 0bc1            or      eax,ecx
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f2 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qcpfformat+0x13f2:
54cd13f2 0fb60a          movzx   ecx,byte ptr [edx]         ds:002b:0b881044=76
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000076 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f5 esp=00bce588 ebp=00bce588 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
qcpfformat+0x13f5:
54cd13f5 c1e008          shl     eax,8

So now both ESP and EBP are pointing outside the source file, causing the next iteration to read NULL into EDX, setting up the access violation:

eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d0 esp=00bce4d0 ebp=00bce51c iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
qcpfformat+0x13d0:
54cd13d0 55              push    ebp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d1 esp=00bce4cc ebp=00bce51c iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
qcpfformat+0x13d1:
54cd13d1 8bec            mov     ebp,esp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d3 esp=00bce4cc ebp=00bce4cc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
qcpfformat+0x13d3:
54cd13d3 83794000        cmp     dword ptr [ecx+40h],0  ds:002b:1c5342b0=00000001
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d7 esp=00bce4cc ebp=00bce4cc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508          mov     edx,dword ptr [ebp+8]  ss:002b:00bce4d4=00000000
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13da esp=00bce4cc ebp=00bce4cc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13da:
54cd13da 7422            je      qcpfformat+0x13fe (54cd13fe)            [br=0]
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13dc esp=00bce4cc ebp=00bce4cc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203        movzx   eax,byte ptr [edx+3]       ds:002b:00000003=??

POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40617.zip
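Added example, not part of the advisory above and not RealPlayer or exploit-db code: a bounds-checked chunk walker in C that decodes the 4-byte tag the same way the disassembly at qcpfformat+0x13dc..0x13f5 does (bytes [3],[2],[1],[0] shifted together into a little-endian dword, so "vrat" becomes 0x74617276, the value visible as an argument in the call stack) and refuses to advance on a NULL, truncated or oversized chunk, which is the check the crashing loop lacks. The flat chunk layout, the sample buffers and the function names are assumptions of mine, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode a dword exactly as the disassembly does: byte [3] is shifted in
 * first and byte [0] last, i.e. a little-endian read. "vrat" -> 0x74617276. */
static uint32_t read_le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8)  |  (uint32_t)p[0];
}

#define QCP_VRAT 0x74617276u   /* "vrat" as a little-endian dword */

/* Walk a flat sequence of RIFF-style chunks (4-byte id, 4-byte LE size,
 * payload padded to an even length; the outer RIFF/QLCM header is assumed
 * already consumed) and count the 'vrat' chunks. Every read is preceded by a
 * NULL and remaining-length check, so a repeated, truncated or oversized
 * chunk ends the walk with -1 instead of reading through a bad pointer. */
int count_vrat_chunks(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    if (buf == NULL) return -1;
    while (off < len) {
        uint32_t id, size;
        if (len - off < 8) return -1;              /* truncated chunk header */
        id   = read_le32(buf + off);
        size = read_le32(buf + off + 4);
        if (size > len - off - 8) return -1;       /* payload runs past buffer */
        if (id == QCP_VRAT) n++;
        off += 8 + (size_t)size + (size & 1u);     /* RIFF pads odd sizes */
        if (off > len) return -1;                  /* pad byte missing at EOF */
    }
    return n;
}

/* Constructed sample buffers (not the PoC file): two well-formed 'vrat'
 * chunks, and a repeat whose second 'vrat' claims 0x100 bytes with 2 left. */
static const uint8_t two_vrat[] = {
    'v','r','a','t', 4,0,0,0, 0x01,0x00,0x00,0x00,
    'v','r','a','t', 3,0,0,0, 0xaa,0xbb,0xcc, 0x00,
};
static const uint8_t bad_vrat[] = {
    'v','r','a','t', 4,0,0,0, 0x01,0x00,0x00,0x00,
    'v','r','a','t', 0x00,0x01,0,0, 0xaa,0xbb,
};
```

count_vrat_chunks(two_vrat, sizeof two_vrat) returns 2, while the oversized repeat in bad_vrat returns -1 before any out-of-bounds read.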

Products Mentioned

Configuration 0

Realnetworks >> Realplayer >> Version 18.1.5.705

References

https://www.exploit-db.com/exploits/40617/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/94239
Tags : vdb-entry, x_refsource_BID