Title : RealPlayer 15.0.6.14 suffers from Arbitrary Code Execution
Version : 15.0.6.14
Date : 2012-10-18
Vendor : http://www.real.com/
Impact : High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
Tested : XP SP3 ENG
Author : coolkaveh
#####################################################################
Executable search path is:
ModLoad: 00400000 00407000 rphelperapp.exe
ModLoad: 7c900000 7c9b2000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 61740000 617a3000 C:\Program Files\Real\RealPlayer\plugins\vidsite.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 78520000 785c3000 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\MSVCR90.dll
(1a2c.1bb0): Break instruction exception - code 80000003 (first chance)
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 604d0000 6057b000 C:\Program Files\Real\RealPlayer\codecs\colorcvt.dll
ModLoad: 7c340000 7c396000 C:\WINDOWS\system32\MSVCR71.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 7c9c0000 7d1d8000 C:\WINDOWS\system32\shell32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
ModLoad: 5d090000 5d12a000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 76990000 769b5000 C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000 C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 73760000 737ab000 C:\WINDOWS\system32\DDRAW.DLL
ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 73000000 73026000 C:\WINDOWS\system32\winspool.drv
ModLoad: 62380000 62398000 C:\Program Files\Real\RealPlayer\common\twebbrowse.dll
ModLoad: 3e1c0000 3ec5d000 C:\WINDOWS\system32\ieframe.dll
ModLoad: 64650000 646ba000 C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 63600000 6360b000 C:\Program Files\Real\RealPlayer\mpaplugins\mpazip.dll
ModLoad: 30000000 30023000 C:\Program Files\Real\RealPlayer\dunzip32.dll
ModLoad: 71e50000 71e65000 C:\WINDOWS\system32\msapsspc.dll
ModLoad: 78080000 78091000 C:\WINDOWS\system32\MSVCRT40.dll
ModLoad: 767f0000 76819000 C:\WINDOWS\system32\schannel.dll
ModLoad: 59c00000 59c07000 C:\WINDOWS\system32\credssp.dll
ModLoad: 75b00000 75b15000 C:\WINDOWS\system32\digest.dll
ModLoad: 747b0000 747f7000 C:\WINDOWS\system32\msnsspc.dll
ModLoad: 78080000 78091000 C:\WINDOWS\system32\MSVCRT40.dll
ModLoad: 59c00000 59c07000 C:\WINDOWS\system32\credssp.dll
ModLoad: 767f0000 76819000 C:\WINDOWS\system32\schannel.dll
ModLoad: 77c70000 77c95000 C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76790000 7679c000 C:\WINDOWS\system32\cryptdll.dll
ModLoad: 722b0000 722b5000 C:\WINDOWS\system32\sensapi.dll
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
ModLoad: 7e720000 7e7d0000 C:\WINDOWS\system32\SXS.DLL
ModLoad: 3cea0000 3d45e000 C:\WINDOWS\system32\mshtml.dll
ModLoad: 042b0000 042d9000 C:\WINDOWS\system32\msls31.dll
ModLoad: 71800000 71888000 C:\WINDOWS\system32\SHDOCLC.DLL
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\MLANG.dll
ModLoad: 73760000 737ab000 C:\WINDOWS\system32\DDRAW.DLL
ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 746f0000 7471a000 C:\WINDOWS\system32\msimtf.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 63600000 6360b000 C:\Program Files\Real\RealPlayer\mpaplugins\mpazip.dll
ModLoad: 30000000 30023000 C:\Program Files\Real\RealPlayer\dunzip32.dll
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 73ee0000 73ee4000 C:\WINDOWS\system32\KsUser.dll
ModLoad: 614b0000 614c9000 C:\Program Files\Real\RealPlayer\hxaudiodevicehook.dll
ModLoad: 614b0000 614c9000 C:\Program Files\Real\RealPlayer\hxaudiodevicehook.dll
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00250206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Real\RealPlayer\codecs\dmp4.dll -
dmp4!GetGUID+0x1836f:
614394df 8944241c mov dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
0:000> r;!exploitable -v;q
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00250206
dmp4!GetGUID+0x1836f:
614394df 8944241c mov dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x3d8918ac
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x247c7f22.0x247c7f63
Stack Trace:
dmp4!GetGUID+0x1836f
Instruction Address: 0x00000000614394df
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at dmp4!GetGUID+0x000000000001836f (Hash=0x247c7f22.0x247c7f63)
User mode write access violations that are not near NULL are exploitable.
#####################################################################
Proof of concept included
Cheers