RealPlayer ActiveX Playlist Buffer Overflow
Category: Alerts
Thursday, 25 October 2007 14:59
Affected Operating Systems: Windows XP/NT/2K/Me/98/95
Affected Applications: Undefined
The RealNetworks RealPlayer client for Microsoft Windows contains a stack buffer overflow vulnerability in the playlist parameter passed to the client through an ActiveX control. This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code by means of a specially crafted web page or HTML e-mail message.
I. Description
RealNetworks RealPlayer is a multimedia application that allows users
to view local and remote audio and video content. RealPlayer for
Microsoft Windows includes the IERPCtl ActiveX control, which can be
used with Internet Explorer to import a local file into a playlist.
RealPlayer does not adequately validate the playlist parameter passed
from the ActiveX control, resulting in a stack buffer overflow
vulnerability. The IERPCtl ActiveX control is present in RealOne Player
and later versions.
RealNetworks has released a patch for this vulnerability as described
in RealPlayer Security Vulnerability. There are public reports that
this vulnerability is being actively exploited.
This vulnerability can be exploited using the IERPCtl ActiveX control,
which effectively means that only Windows Internet Explorer users are
affected. The ActiveX control was introduced in RealOne Player, so
Windows versions of RealPlayer 8 and earlier are not affected.
Macintosh and Linux versions of RealPlayer are not affected.
II. Impact
By convincing a user to view a specially crafted HTML document or HTML
mail message, a remote, unauthenticated attacker may be able to execute
arbitrary code with the privileges of the user on a vulnerable system.
Note that the RealPlayer software does not need to be running for this
vulnerability to be exploited.
For more information, please see US-CERT Vulnerability Note
VU#871673.
III. Solution
Upgrade and apply a patch
See RealPlayer Security Vulnerability for information about upgrading
and patching RealPlayer. RealPlayer 10.5 and RealPlayer 11 beta users
should install the patch specified in the RealNetworks document.
RealOne Player, RealOne Player v2, and RealPlayer 10 users should
upgrade to RealPlayer 10.5 or RealPlayer 11 beta and install the patch.
Disable the IERPCtl ActiveX control
Disable the IERPCtl ActiveX control by setting the kill bit for the
following CLSID:
{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
More information about how to set the kill bit is available in
Microsoft Support Document 240797. Alternatively, the following text
can be saved as a .reg file and imported into the Windows registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400
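To confirm that the kill bit is actually in place on a host, the following PowerShell sketch reads the Compatibility Flags value for the CLSID above and can optionally set it. It is an added example, not part of the original alert or of any RealNetworks or Microsoft tooling; the function name Test-KillBit, its -Fix switch, and the check of the Wow6432Node view on 64-bit Windows are assumptions.

```powershell
# Added example: audit (and optionally set) the kill bit for the IERPCtl control.
# The CLSID and the 0x400 flag come from the advisory; the function name,
# the -Fix switch and the Wow6432Node check are hypothetical additions.
$Clsid   = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'
$KillBit = 0x00000400

# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view,
# so both registry views are examined when they exist.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath (Split-Path $_ -Parent) }

function Test-KillBit {
    param([string]$Root, [switch]$Fix)

    $key   = Join-Path $Root $Clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
    }

    # The control is blocked only when bit 0x400 is present in the DWORD.
    $set = ($flags -band $KillBit) -eq $KillBit

    if (-not $set -and $Fix) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # OR the bit in so any other compatibility flags are preserved.
        $flags = $flags -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $flags -Force | Out-Null
        $set = $true
    }

    [pscustomobject]@{ Key = $key; Flags = ('0x{0:X8}' -f $flags); KillBitSet = $set }
}

# Report only; add -Fix from an elevated prompt to set the bit.
$Roots | ForEach-Object { Test-KillBit -Root $_ }
```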
Disable ActiveX
Disabling ActiveX in the Internet Zone (or any zone used by an
attacker) reduces the chances of exploitation of this and other
vulnerabilities. Instructions for disabling ActiveX in the Internet
Zone can be found in Securing Your Web Browser.
Appendix A. Vendor Information
RealNetworks
For information about updating RealPlayer, see RealPlayer Security
Vulnerability and Security Update for Real Player.
Appendix B. References
US-CERT:
http://www.us-cert.gov/cas/techalerts/TA07-297A.html