RealPlayer PNG Deflate Heap Corruption Vulnerability

Advisory ID Internal
CORE-2003-0306

Advisory Information:

Advisory ID: CORE-2003-0306
Bugtraq ID: 7177
CVE Name: CAN-2003-0141
CERT: VU#705761
Title: RealPlayer PNG deflate heap corruption vulnerability.
Class: Boundary Error Condition
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vendors Contacted:

RealNetworks

  • Core Notification: 2003-03-07
  • Notification aknowledged by RealNetworks: 2003-03-11
  • Fix provided by RealNetworks and tested by Core: 2003-03-13
  • Release schedule of updatesestablished: 2003-03-19
  • Updates for Consumer Products released: 2003-03-27

Release Mode: COORDINATED RELEASE

Vulnerability Description:

RealPlayer is a popular program provided by RealNetworks, Inc. It is used to play live video and audio over the net. This program is able to play a great set of media file formats, between them is the PNG graphic file format. A vulnerability has been found in the way that RealPlayer decompress those files.

If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with those privileges of the user running RealPlayer.

Vulnerable Packages:

  • RealOne Player v2 (Win32) [versions: 6.0.11.x, where x = .818, .830, .841, .853]
  • RealOne Player v1 (Win32) [version: 6.0.10.505]
  • RealOne Player for OS X [version: 9.0.0.297, 9.0.0.288]
  • RealPlayer 8/RealPlayer Plus 8 (Win32 & Mac OS 9) [version: 6.0.9.584 (Win32 & Mac OS 9)]
  • RealOne Enterprise Desktop (Win32) [version: 6.0.11.774]

Solution/Vendor Information/Workaround:

RealNetworks provides security updates which fix this vulnerability in the following page: http://service.real.com/help/faq/security/securityupdate_march2003.html

Credits:

This vulnerability was found by Juliano Rizzo, Agustin Azubel Friedman, Bruno Acselrad and Carlos Sarraute from Core Security during Bugweek 2003 (March 3-7, 2003). Previous problems were found by Drew Copley of eEye Digital Security.

We would like to thank Jeff Ayars and Haydon Boone from RealNetworks for quickly addressing our report and coordinating the generation and public release of patches and information regarding this vulnerability.

Technical Description - Exploit/Concept Code:

PNG files are compressed using the deflate algorithm. This algorithm is described in the RFC 1951 "DEFLATE Compressed Data Format Specification" (see [1]). The compression is performed by searching for repetitions of the same data block. When a repetition is found a pair of length/offset codes are inserted in the ouput string instead of the data block. These codes indicate the distance (in bytes) of the beginning of the repeated block respect to the current position, and its length (in bytes). The algorithm can work in two modes, with fixed or dynamic Huffman trees. When fixed trees are used a fixed alphabet of 288 symbols is used to represent literals and length codes. The RFC 1951 states:

"...Literal/length values 286-287 will never actually occur in the compressed data, but participate in the code construction..."

The problem we found in vulnerable implementations of the algorithm is that when one of those two codes 286-287 is found in the compressed data, a length of 2^32 bytes is assumed.

A loop starts copying from the offset specified after the length code in the compressed bit stream. 2^32 bytes is larger than the size of the buffer and also beyond the program address space and larger than the available memory, so the loop finally raises an exception when it reaches the end of the commited program memory. It allows an attacker to fill the program memory after the buffer with a given pattern. After the exception is raised a free or malloc function can be abused to use the values in the corrupted heap memory to write any 32bit value to any address in memory. In particular we can overwrite any function pointer (for example the unhandled exception filter) and control the program execution flow, allowing us to execute arbitrary code and obtain (for example) a remote command shell or a Core Impact agent with those privileges of the user running RealPlayer.

This bug has been successfully exploited in RealOne Player 2.0 and a CORE IMPACT's module has been made.

References:

[1] http://www.w3.org/Graphics/PNG/RFC-1951
[2] http://www.libpng.org/pub/png/pngdocs.html
[3] http://www.eeye.com/html/Research/Advisories/AD20021211.html

About CoreLabs

CoreLabs, the research center of Core Security, A Fortra Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.  

About Core Security, A Fortra Company

Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].

Disclaimer

The contents of this advisory are copyright (c) 2003 Core Security and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: RealOne-advisory.txt,v 1.6 2003/03/27 19:30:06 carlos Exp $