CVE-2005-3677
CVSS 7.5
Published: 2005-11-18 18:03:00
Last revised: 2016-10-17 23:36:44

[Original] Buffer overflow in RealNetworks RealPlayer 10 and 10.5 allows remote attackers to execute arbitrary code via a crafted image in a RealPlayer Skin (RJS) file. NOTE: due to the lack of details, it is unclear how this is different than CVE-2005-2629 and CVE-2005-2630, but the vendor advisory implies that it is different.


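[CNNVD] RealNetworks RealPlayer Unspecified Malformed Image Skin File Buffer Overflow Vulnerability (CNNVD-200511-245)

        RealNetworks RealPlayer is a very popular media player available for multiple operating systems, including Microsoft Windows, Linux and Mac OS.
        A buffer overflow in RealNetworks RealPlayer 10 and 10.5 allows remote attackers to execute arbitrary code via a crafted image in a RealPlayer skin (RJS) file.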

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:realnetworks:realplayer:10.5_6.0.12.1056
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1053
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1040
cpe:/a:realnetworks:realplayer:10.0 (RealNetworks RealPlayer 10.0)
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1069
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1059
cpe:/a:realnetworks:realplayer:10.5_6.0.12.1235

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3677
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3677
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-245
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=113181464921104&w=2
(UNKNOWN)  BUGTRAQ  20051111 High Risk Flaw in RealPlayer
http://service.real.com/help/faq/security/051110_player/EN/
(UNKNOWN)  CONFIRM  http://service.real.com/help/faq/security/051110_player/EN/
http://www.securityfocus.com/bid/15398/
(UNKNOWN)  BID  15398

- Vulnerability Information

RealNetworks RealPlayer Unspecified Malformed Image Skin File Buffer Overflow Vulnerability
High risk  Buffer overflow
2005-11-18 00:00:00 2006-01-04 00:00:00
Remote

- Advisories and Patches

        The vendor has released an update that fixes this security issue. The patch is available at:
        http://service.real.com/realplayer/security/

- Vulnerability Information

RealNetworks RealPlayer Unspecified Malformed Image Skin File Buffer Overflow Vulnerability
Boundary Condition Error 15398
Yes No
2005-11-12 12:00:00 2005-11-12 12:00:00
Discovery is credited to John Heasman of NGSSoftware.

- Affected Software Versions

Real Networks RealPlayer 10.5 v6.0.12.1235
Real Networks RealPlayer 10.5 v6.0.12.1069
Real Networks RealPlayer 10.5 v6.0.12.1059
Real Networks RealPlayer 10.5 v6.0.12.1056
Real Networks RealPlayer 10.5 v6.0.12.1053
Real Networks RealPlayer 10.5 v6.0.12.1040
Real Networks RealPlayer 10.0
+ S.u.S.E. cvsup-16.1h-43.i586.rpm
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2

- Discussion

RealNetworks RealPlayer is prone to an unspecified vulnerability that may let remote attackers execute arbitrary code.

This issue may be triggered by a malformed image in a skin file. The cause of the issue is reportedly a stack-based buffer overflow. It is possible to exploit this issue by enticing a victim user to open a malicious skin file containing a malformed image.

This affects some RealPlayer 10/10.5 releases on Windows platforms.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released fixes to address this issue. The patches are available through the 'Check for Update' functionality of the software under the 'Tools' menu. Fixes are available from the following location as well:

http://service.real.com/realplayer/security/
