CPNI - Centre for the Protection of National Infrastructure

June 2005

AusCERT Security Advisory: AA-2005.010 - RealPlayer, RealOne Player, Rhapsody and Helix Player multiple vulnerabilities

ID: 00516
Ref: 476/2005
Date: 24 June 2005:14:31:40
Version: 1

Title: AusCERT Security Advisory: AA-2005.010 - RealPlayer, RealOne Player, Rhapsody and Helix Player multiple vulnerabilities
Abstract:
Vendors affected: AusCERT
Operating systems affected: AusCERT
Applications affected: AusCERT

Title
=====

AusCERT Security Advisory: AA-2005.010 - RealPlayer, RealOne Player, Rhapsody
and Helix Player multiple vulnerabilities

Detail
======

Four vulnerabilities have been reported in RealPlayer, RealOne Player,
Rhapsody and Helix Player that potentially allow remote attackers to
execute arbitrary code with minimal user interaction. Different
operating systems and player versions are affected by each
vulnerability,


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2005.010

RealPlayer, RealOne Player, Rhapsody and Helix Player
multiple vulnerabilities
24 June 2005
- - ---------------------------------------------------------------------------

AusCERT Advisory Summary
------------------------

Product:           RealPlayer 10.5 and prior
                   RealOne Player v2 and prior
                   RealPlayer Enterprise
                   Rhapsody 3 and prior
                   Helix Player 10.0.4 and prior
Operating System:  Windows
                   Mac OS
                   Linux variants
Impact:            Execute Arbitrary Code/Commands
                   Overwrite Arbitrary Files
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-1277


OVERVIEW:

Four vulnerabilities have been reported in RealPlayer, RealOne Player,
Rhapsody and Helix Player that potentially allow remote attackers to
execute arbitrary code with minimal user interaction. Different
operating systems and player versions are affected by each
vulnerability, as described in DETAILS below.


IMPACT:

Vulnerabilities 1, 2 and 3 each allow a remote attacker to execute
arbitrary code with the privileges of the user running the player.
Vulnerability 2 may also be used to overwrite arbitrary files.

The impact of vulnerability 4 has not been disclosed, but it may
potentially allow execution of arbitrary code in the "Local Machine"
zone, with the privileges of the user running the player.

Note that in a default install the user's web browser will not prompt
the user before opening RealMedia files, so the vulnerabilities may
be exploited with minimal user interaction.


MITIGATION:

RealNetworks has released updates or new versions for each of the
affected products. These are available at the URLs below.

Windows RealPlayer and RealOne Player:
http://service.real.com/help/faq/security/050623_player/EN/player.rnx

RealPlayer Enterprise:
http://service.real.com/help/faq/security/security062305.html

Mac RealPlayer:
http://www.real.com/upgrade/mac_upgrade.html

Linux RealPlayer:
http://www.real.com/linux

Helix Player:
http://player.helixcommunity.org/downloads/


DETAILS:

1. A specially crafted RealMedia file can be used by a remote attacker
   to cause a heap overflow in the player, allowing execution of
   arbitrary code.[2] CVE number CAN-2005-1277 has been assigned to
   this vulnerability. Affected versions are as follows:

   Windows:
      RealPlayer versions 8, 10, 10.5 build 6.0.12.1069 and prior
      RealOnePlayer v2 and prior
      RealPlayer Enterprise

   Mac OS:
      RealPlayer 10 build 10.0.0.331 and prior
      RealOne Player

   Linux:
      RealPlayer 10 build 10.0.4 and prior
      Helix Player 10.0.4 and prior

2. A remote attacker can supply a specially crafted MP3 file allowing
   execution of an ActiveX control on the user's machine, or the
   overwriting of arbitrary files. Affected versions:

   Windows:
      RealPlayer versions 10, 10.5 build 6.0.12.1069 and prior
      RealOnePlayer v2 and prior

3. A malicious AVI file can be used by a remote attacker to cause a
   buffer overflow in vidplin.dll, allowing execution of arbitrary
   code.[3] Affected versions are as follows:

   Windows:
      RealPlayer versions 8, 10, 10.5 build 6.0.12.1069 and prior
      RealOnePlayer v2 and prior
      RealPlayer Enterprise
      Rhapsody 3 build 0.1006 and prior

4. On Windows systems, depending on Internet Explorer configuration,
   a malicious website may be able to cause an HTML file to be created
   on the user's system then reference this local HTML in an RM file.
   The default configuration of recent IE versions is not vulnerable
   to this issue.

   Windows:
      RealPlayer versions 8, 10, 10.5 build 6.0.12.1069 and prior
      RealOnePlayer v2 and prior
      RealPlayer Enterprise
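
An added example, not part of the AusCERT advisory: a Python triage helper that maps an installed build to the numbered items in DETAILS above. It assumes build strings are dotted integers, that "and prior" means at or below the listed build, and that a product listed without a build is affected at any build; the inventory rows are constructed.

```python
# Added example: triage helper built from the DETAILS section above.
# Assumptions: builds are dotted integers; "and prior" means <= listed build;
# None marks a product the advisory lists without a build (always flagged).
# Limitation: item 2 does not list RealPlayer 8, but this helper compares
# builds only, so it may over-report item 2 for that version.
WIN_BUILD = "6.0.12.1069"
AFFECTED = {  # (platform, product) -> {item number: highest affected build}
    ("windows", "realplayer"): {n: WIN_BUILD for n in (1, 2, 3, 4)},
    ("windows", "realone player"): {n: None for n in (1, 2, 3, 4)},
    ("windows", "realplayer enterprise"): {n: None for n in (1, 3, 4)},
    ("windows", "rhapsody"): {3: "0.1006"},
    ("mac os", "realplayer"): {1: "10.0.0.331"},
    ("mac os", "realone player"): {1: None},
    ("linux", "realplayer"): {1: "10.0.4"},
    ("linux", "helix player"): {1: "10.0.4"},
}

def parse_build(text):
    """Turn '6.0.12.1069' into (6, 0, 12, 1069)."""
    return tuple(int(part) for part in text.strip().split("."))

def at_or_before(build, limit):
    """True if build <= limit, padding the shorter tuple with zeros."""
    width = max(len(build), len(limit))
    padded_build = build + (0,) * (width - len(build))
    padded_limit = limit + (0,) * (width - len(limit))
    return padded_build <= padded_limit

def applicable_vulns(platform, product, build):
    """Return the DETAILS item numbers that apply to one installation."""
    limits = AFFECTED.get((platform.lower(), product.lower()), {})
    return [n for n, limit in sorted(limits.items())
            if limit is None or at_or_before(parse_build(build), parse_build(limit))]

def triage(inventory):
    """Return {host: [item numbers]} for hosts with at least one match."""
    report = {}
    for host, platform, product, build in inventory:
        hits = applicable_vulns(platform, product, build)
        if hits:
            report[host] = hits
    return report

INVENTORY = [  # constructed sample rows: host, platform, product, build
    ("ws-01", "Windows", "RealPlayer", "6.0.12.1040"),
    ("ws-02", "Windows", "RealPlayer", "6.0.12.1212"),
    ("mac-01", "Mac OS", "RealPlayer", "10.0.0.331"),
    ("lx-01", "Linux", "Helix Player", "10.0.5"),
    ("ws-03", "Windows", "Rhapsody", "0.1006"),
]
```
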


REFERENCES:

[1] RealNetworks security advisory
http://service.real.com/help/faq/security/050623_player/EN/

[2] iDEFENSE advisory for vulnerability 1
http://www.idefense.com/application/poi/display?id=250

[3] eEye advisory for vulnerability 3
http://www.eeye.com/html/research/advisories/AD200505.html


AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
- -----END PGP SIGNATURE-----
