High Risk Vulnerability in Real Player (ID3 tags)
October 30th, 2007

=======
Summary
=======
Name: Heap overflow in RealPlayer ID3 tag parsing code
Release Date: 29 October 2007
Reference: NGS00432
Discoverer: John Heasman
Vendor: RealNetworks
Systems Affected: Several builds of RealPlayer 10.5,
All builds of RealPlayer 10.
For additional affected versions, see the URL below.
Risk: High
Status: Published
========
TimeLine
========
Discovered: 1 August 2006
Released: 1 August 2006
Approved: 1 August 2006
Reported: 1 August 2006
Fixed: 25 October 2007
Published: 29 October 2007
===========
Description
===========
There is a heap overflow in the RealPlayer code that parses ID3 tags in
MP3 files.
Impact: attackers could execute code of their choice on susceptible
systems if a user were induced to open a malicious MP3 file.
=================
Technical Details
=================
The problem stems from the parsing of a Lyrics3 v2.00 tag. The size of
the tag is calculated by reading 5 ASCII characters and calling
pncrt.atoi. A buffer is then allocated on the heap of size tag length +
1. Since atoi parses a signed integer, supplying -1 results in a zero
length allocation into which data is then copied.
This can be exploited to overwrite a function pointer leading to the
execution of arbitrary attacker-supplied code in the context of the user
under which RealPlayer is running.
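An added illustration (not RealNetworks' or NGS's code) of the size-field handling the advisory describes, placed beside a hardened parser that only accepts digits and bounds-checks the copy; the five-character field layout, sample inputs and function names are assumptions made for this demo:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_FIELD_LEN 5  /* assumed: 5 ASCII characters, as in the advisory */

/* Vulnerable pattern: signed atoi() with no range check.
   A field of "-1   " parses as -1, so the "length + 1" allocation is 0 bytes,
   and any data copied into it overflows the heap (we only compute the size). */
static int vulnerable_tag_length(const char *field, size_t *alloc_out)
{
    char buf[SIZE_FIELD_LEN + 1];
    memcpy(buf, field, SIZE_FIELD_LEN);
    buf[SIZE_FIELD_LEN] = '\0';
    int len = atoi(buf);              /* accepts '-' and leading spaces */
    *alloc_out = (size_t)(len + 1);   /* -1 + 1 == 0: zero-length buffer */
    return len;
}

/* Hardened parse: exactly SIZE_FIELD_LEN ASCII digits, nothing else.
   Returns 0 and sets *len_out (0..99999) on success, -1 on any bad byte. */
static int safe_tag_length(const char *field, size_t avail, long *len_out)
{
    if (avail < SIZE_FIELD_LEN) return -1;
    long len = 0;
    for (size_t i = 0; i < SIZE_FIELD_LEN; i++) {
        if (field[i] < '0' || field[i] > '9') return -1;  /* rejects "-1   " */
        len = len * 10 + (field[i] - '0');
    }
    *len_out = len;  /* bounded, so len + 1 cannot wrap */
    return 0;
}

/* Read one tag body: hardened size parse plus a check that the declared
   length does not exceed the bytes actually present after the size field. */
static char *read_tag(const unsigned char *data, size_t data_len, size_t *out_len)
{
    long len;
    if (safe_tag_length((const char *)data, data_len, &len) != 0) return NULL;
    if ((size_t)len > data_len - SIZE_FIELD_LEN) return NULL;  /* truncated */
    char *buf = malloc((size_t)len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, data + SIZE_FIELD_LEN, (size_t)len);
    buf[len] = '\0';
    *out_len = (size_t)len;
    return buf;
}
```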
===============
Fix Information
===============
This issue has now been resolved. Steps detailing how to update RealPlayer may be obtained
from:
http://service.real.com/realplayer/security/10252007_player/en/
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070