CVE-2005-2629
CVSS 5.1
Published: 2005-11-18 18:03:00
Revised: 2016-10-17 23:29:03

[Original] Integer overflow in RealNetworks RealPlayer 8, 10, and 10.5, RealOne Player 1 and 2, and Helix Player 10.0.0 allows remote attackers to execute arbitrary code via an .rm movie file with a large value in the length field of the first data packet, which leads to a stack-based buffer overflow, a different vulnerability than CVE-2004-1481.


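[CNNVD] RealNetworks RealOne Player/RealPlayer RM File Remote Stack Overflow Vulnerability (CNNVD-200511-243)

        RealNetworks RealPlayer is a very popular media player available for multiple operating systems, including Microsoft Windows, Linux and Mac OS.
        A remote stack overflow vulnerability exists in RealNetworks RealPlayer and RealOne Player; an attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. An attacker can create a specially crafted .rm movie file that sets the length field of [data packet + 1] to 0x80 - 0xFF, which triggers the stack overflow.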
        

- CVSS (Base Score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:realnetworks:helix_player:1.0::linux
cpe:/a:realnetworks:realplayer:::enterprise
cpe:/a:realnetworks:realplayer:8.0::win32
cpe:/a:realnetworks:realplayer:10.5 (RealNetworks RealPlayer 10.5)
cpe:/a:realnetworks:realplayer:10.0::linux
cpe:/a:realnetworks:helix_player:1.0.2::linux
cpe:/a:realnetworks:realone_player:1.0
cpe:/a:realnetworks:realplayer:10.0 (RealNetworks RealPlayer 10.0)
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1069
cpe:/a:realnetworks:helix_player:1.0.1::linux
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1059
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1235
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1056
cpe:/a:realnetworks:helix_player:1.0.5::linux
cpe:/a:realnetworks:realone_player:2.0
cpe:/a:realnetworks:helix_player:1.0.4::linux
cpe:/a:realnetworks:helix_player:1.0.3::linux
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1053
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1040
cpe:/a:realnetworks:realplayer:10.0::mac_os_x

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:9550: Integer overflow in RealNetworks RealPlayer 8, 10, and 10.5, RealOne Player 1 and 2, and Helix Player 10.0.0 allows remote attackers to exec...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2629
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2629
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-243
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=113166476423021&w=2
(UNKNOWN)  EEYE  EEYEB20050510
http://securityreason.com/securityalert/169
(UNKNOWN)  SREASON  169
http://securitytracker.com/id?1015184
(UNKNOWN)  SECTRACK  1015184
http://securitytracker.com/id?1015185
(UNKNOWN)  SECTRACK  1015185
http://securitytracker.com/id?1015186
(UNKNOWN)  SECTRACK  1015186
http://service.real.com/help/faq/security/051110_player/EN/
(PATCH)  CONFIRM  http://service.real.com/help/faq/security/051110_player/EN/
http://www.debian.org/security/2005/dsa-915
(VENDOR_ADVISORY)  DEBIAN  DSA-915
http://www.eeye.com/html/research/advisories/AD20051110a.html
(VENDOR_ADVISORY)  EEYE  AD20051110a
http://www.securityfocus.com/bid/15381/
(UNKNOWN)  BID  15381
http://xforce.iss.net/xforce/xfdb/23024
(UNKNOWN)  XF  realplayer-rm-datapacket-bo(23024)

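- Vulnerability Information

RealNetworks RealOne Player/RealPlayer RM File Remote Stack Overflow Vulnerability
Medium risk; buffer overflow
2005-11-18 00:00:00 2006-01-05 00:00:00
Remote
        RealNetworks RealPlayer is a very popular media player available for multiple operating systems, including Microsoft Windows, Linux and Mac OS.
        A remote stack overflow vulnerability exists in RealNetworks RealPlayer and RealOne Player; an attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. An attacker can create a specially crafted .rm movie file that sets the length field of [data packet + 1] to 0x80 - 0xFF, which triggers the stack overflow.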
        

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        http://service.real.com/realplayer/security/

- Vulnerability Information (F42040)

Debian Linux Security Advisory 915-1 (PacketStormID:F42040)
2005-12-03 00:00:00
Debian  security.debian.org
advisory,remote,overflow,arbitrary
linux,debian
CVE-2005-2629

Debian Security Advisory DSA 913-1 - An integer overflow has been discovered in helix-player, the helix audio and video player. This flaw could allow a remote attacker to run arbitrary code on a victim's computer by supplying a specially crafted network resource.

- --------------------------------------------------------------------------
Debian Security Advisory DSA 915-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 2nd, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : helix-player
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-2629
BugTraq ID     : 15381

An integer overflow has been discovered in helix-player, the helix
audio and video player.  This flaw could allow a remote attacker to
run arbitrary code on a victim's computer by supplying a specially
crafted network resource.

This vulnerability is fixed by version 1.0.6-1 in unstable.
Helix-player is not currently in the testing distribution.

The old stable distribution (woody) does not contain a helix-player
package.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-1sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 1.0.6-1.

We recommend that you upgrade your helix-player package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2.dsc
      Size/MD5 checksum:      908 5abe49b8d746b78b1f70016382d44a35
    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2.diff.gz
      Size/MD5 checksum:     9113 b7103af4ca93cb52cd548a4f7da43c3b
    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4.orig.tar.gz
      Size/MD5 checksum: 18044552 a277710be35426b317869503a4ad36d7

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2_i386.deb
      Size/MD5 checksum:  4289142 afe49d505b51edefe6b66e92720e9a62

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge2_powerpc.deb
      Size/MD5 checksum:  4415648 9a9ad7733abed7ffcd6c69ce366d576c


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


    

- Vulnerability Information (F41489)

EEYEB-20050510-2.txt (PacketStormID:F41489)
2005-11-12 00:00:00
Karl Lynn  eeye.com
advisory,remote,arbitrary,code execution
linux,windows
CVE-2005-2629

eEye Security Advisory - eEye Digital Security has discovered a critical vulnerability in RealPlayer. The vulnerability allows a remote attacker to reliably overwrite stack memory with arbitrary data and execute arbitrary code in the context of the user who executed the player. This specific flaw exists in the first data packet contained in a Real Media file. By specially crafting a malformed .rm movie file, a direct stack overwrite is triggered, and reliable code execution is then possible. Systems Affected include Windows: RealPlayer 10.5 (6.0.12.1040-1235), RealPlayer 10, RealOne Player v2, RealOne Player v1, RealPlayer 8, RealPlayer Enterprise, Mac: RealPlayer 10, Linux: RealPlayer 10 (10.0.0 - 5), Helix Player (10.0.0 - 5).

RealPlayer Data Packet Stack Overflow

Release Date:
November 10, 2005

Date Reported:
May 28, 2005

Severity:
High (Remote Code Execution)

Vendor:
RealNetworks

Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040-1235)
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise
 
Mac:
RealPlayer 10
 
Linux:
RealPlayer 10 (10.0.0 - 5)
Helix Player (10.0.0 - 5)

Overview:
eEye Digital Security has discovered a critical vulnerability in
RealPlayer. The vulnerability allows a remote attacker to reliably
overwrite stack memory with arbitrary data and execute arbitrary code in
the context of the user who executed the player.

This specific flaw exists in the first data packet contained in a Real
Media file. By specially crafting a malformed .rm movie file, a direct
stack overwrite is triggered, and reliable code execution is then
possible.

Technical Details:
The vulnerability is triggered by setting the application-specific
length field of the [data packet + 1] to 0x80 - 0xFF; this will cause a
stack overflow.
The value is sign-extended and passed as the length to memcpy.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink End Point Protection proactively protects against this
vulnerability

Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar or from
http://service.real.com/realplayer/security/.

Credit:
Karl Lynn

Related Links:
This advisory has been assigned the following ID numbers;

EEYEB-20050510
OSVDB ID: 18822
CVE ID: CAN-2005-2629

Greetings:
Brett Moore, Mark Dowd, Paul Gese @ RealNetworks, Mike Schiffman, AJREZ,
Luke, Derek "TEX" Soeder, Andre Audits, "The Claw", and Dug Song. 

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
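
The sign extension described under "Technical Details" above, shown as an added example; it is not code from eEye, RealNetworks or the Helix source. The packet layout (one length byte followed by payload), the buffer size and all function names are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64 /* hypothetical size of the fixed stack buffer */

/* Length the flawed pattern hands to memcpy: the byte is held in a signed
 * char, so 0x80..0xFF become -128..-1 (two's-complement targets), and the
 * conversion to size_t sign-extends them to values near SIZE_MAX. */
size_t flawed_memcpy_length(uint8_t raw_len)
{
    signed char len = (signed char)raw_len;
    return (size_t)len;
}

/* A signed upper-bound test does not help: negative lengths pass it. */
int signed_check_accepts(uint8_t raw_len)
{
    signed char len = (signed char)raw_len;
    return len <= FIELD_MAX;
}

/* Hardened form: read the length as unsigned and bound it against both the
 * destination and the bytes actually present. Returns bytes copied or -1. */
int copy_field_checked(uint8_t *dst, size_t dst_size,
                       const uint8_t *pkt, size_t pkt_size)
{
    if (dst == NULL || pkt == NULL || pkt_size < 1)
        return -1;
    size_t len = pkt[0];              /* 0..255, never negative */
    if (len > dst_size || len > pkt_size - 1)
        return -1;
    memcpy(dst, pkt + 1, len);
    return (int)len;
}

int main(void)
{
    /* Constructed sample packets: [length byte][payload...] */
    const uint8_t ok[]  = { 0x04, 'd', 'a', 't', 'a' };
    const uint8_t bad[] = { 0x80, 'x', 'y', 'z' };
    uint8_t field[FIELD_MAX];
    printf("0x80 as memcpy length: %zu\n", flawed_memcpy_length(0x80));
    printf("signed check accepts 0x80: %d\n", signed_check_accepts(0x80));
    printf("checked copy: ok=%d\n", copy_field_checked(field, sizeof field, ok, sizeof ok));
    printf("checked copy: bad=%d\n", copy_field_checked(field, sizeof field, bad, sizeof bad));
    return 0;
}
```

Compiling with `-Wconversion -Wsign-conversion` flags the implicit signed-to-`size_t` conversion that the flawed pattern relies on.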
    

- Vulnerability Information

20773
RealPlayer .rm First Data Packet Processing Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability Description

- Timeline

2005-11-10 2005-05-28
Unknown 2005-11-10

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

RealNetworks RealOne Player/RealPlayer RM File Remote Stack Based Buffer Overflow Vulnerability
Boundary Condition Error 15381
Yes No
2005-11-10 12:00:00 2009-07-12 05:56:00
Discovery is credited to Karl Lynn.

- Affected Program Versions

Red Hat Fedora Core3
Real Networks RealPlayer For Unix 10.0.3
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2
Real Networks RealPlayer Enterprise 1.6
Real Networks RealPlayer Enterprise 1.5
Real Networks RealPlayer Enterprise 1.2
Real Networks RealPlayer Enterprise 1.1
Real Networks RealPlayer Enterprise
Real Networks RealPlayer 10 for Mac OS
Real Networks RealPlayer 10 for Linux
Real Networks RealPlayer 10.5 v6.0.12.1235
Real Networks RealPlayer 10.5 v6.0.12.1069
Real Networks RealPlayer 10.5 v6.0.12.1059
Real Networks RealPlayer 10.5 v6.0.12.1056
Real Networks RealPlayer 10.5 v6.0.12.1053
Real Networks RealPlayer 10.5 v6.0.12.1040
Real Networks RealPlayer 10.5
Real Networks RealPlayer 10.0
+ S.u.S.E. cvsup-16.1h-43.i586.rpm
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2
Real Networks RealPlayer 8.0 Win32
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98 SP1
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Real Networks RealOne Player for OSX 9.0 .297
Real Networks RealOne Player for OSX 9.0 .288
Real Networks RealOne Player 6.0.11 .872
Real Networks RealOne Player 6.0.11 .868
Real Networks RealOne Player 6.0.11 .853
Real Networks RealOne Player 6.0.11 .841
Real Networks RealOne Player 6.0.11 .840
Real Networks RealOne Player 6.0.11 .830
Real Networks RealOne Player 6.0.11 .818
Real Networks RealOne Player 2.0
Real Networks RealOne Player 1.0
Real Networks Helix Player for Linux 1.0.5
+ Gentoo Linux
Real Networks Helix Player for Linux 1.0.4
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Red Hat Enterprise Linux AS 4
+ Red Hat Fedora Core3
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
Real Networks Helix Player for Linux 1.0.3
+ Gentoo Linux
+ Red Hat Fedora Core3
Real Networks Helix Player for Linux 1.0.2
+ Red Hat Enterprise Linux AS 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
Real Networks Helix Player for Linux 1.0.1
Real Networks Helix Player for Linux 1.0
Real Networks RealPlayer 10 for Mac OS 10.0 .0.331
Real Networks RealPlayer 10.5 v6.0.12.1059

- Unaffected Program Versions

Real Networks RealPlayer 10 for Mac OS 10.0 .0.331
Real Networks RealPlayer 10.5 v6.0.12.1059

- Vulnerability Discussion

RealNetworks RealPlayer and RealOne Player are reported prone to a remote stack-based buffer-overflow vulnerability. The applications fail to perform boundary checks when parsing RM (Real Media) files. A remote attacker may execute arbitrary code on a vulnerable computer to gain unauthorized access.

This vulnerability is reported to occur in RealNetworks products for Microsoft Windows, Linux, and Apple Mac platforms.

- Exploit


Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution


The vendor has released an advisory and updates dealing with this issue.

Please see the referenced advisories for further information.


Real Networks Helix Player for Linux 1.0

Real Networks Helix Player for Linux 1.0.4

Real Networks RealPlayer For Unix 10.0.3

- Related References

 

 
