6th Apr 2003 [SBWID-6113]
COMMAND
RealPlayer PNG deflate heap corruption vulnerability
SYSTEMS AFFECTED
. RealOne Player v2 (Win32) [versions: 6.0.11.818, 6.0.11.830,
6.0.11.841, 6.0.11.853]
. RealOne Player v1 (Win32) [version: 6.0.10.505]
. RealOne Player for OS X [version: 9.0.0.297, 9.0.0.288]
. RealPlayer 8/RealPlayer Plus 8 (Win32 & Mac OS 9) [version: 6.0.9.584]
. RealOne Enterprise Desktop (Win32) [version: 6.0.11.774]
PROBLEM
From the Core Security Technologies [http://www.coresecurity.com]
advisory [CORE-2003-0306]:
http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10
--snip--
This vulnerability was found by Juliano Rizzo, Agustin Azubel Friedman,
Bruno Acselrad and Carlos Sarraute from Core Security Technologies
during Bugweek 2003 (March 3-7, 2003). Previous problems were found by
Drew Copley of eEye Digital Security.
We would like to thank Jeff Ayars and Haydon Boone from RealNetworks
for quickly addressing our report and coordinating the generation and
public release of patches and information regarding this vulnerability.
*Technical Description - Exploit/Concept Code:*
PNG files are compressed using the deflate algorithm, which is
described in RFC 1951, "DEFLATE Compressed Data Format Specification"
(see [1]). Compression works by searching for repetitions of the same
data block. When a repetition is found, a pair of length/offset codes
is inserted in the output stream instead of the data block. These codes
indicate the distance (in bytes) from the current position back to the
beginning of the repeated block, and the length (in bytes) of the block.
The algorithm can work in two modes, with fixed or dynamic Huffman
trees. When fixed trees are used, a fixed alphabet of 288 symbols
represents literals and length codes. RFC 1951 states:
"...Literal/length values 286-287 will never actually occur in the
compressed data, but participate in the code construction..."
The problem we found in vulnerable implementations of the algorithm is
that when one of those two codes 286-287 is found in the compressed
data, a length of 2^32 bytes is assumed.
A loop starts copying from the offset specified after the length code
in the compressed bit stream. 2^32 bytes is larger than the size of the
buffer, beyond the program address space and larger than the available
memory, so the loop eventually raises an exception when it reaches the
end of the committed program memory. This allows an attacker to fill
the program memory after the buffer with a chosen pattern. After the
exception is raised, a free or malloc call can be abused to use the
values in the corrupted heap memory to write any 32-bit value to any
address in memory. In particular, any function pointer (for example the
unhandled exception filter) can be overwritten to control the program's
execution flow, allowing arbitrary code execution and, for example, a
remote command shell or a Core Impact agent running with the privileges
of the user running RealPlayer.
This bug has been successfully exploited in RealOne Player 2.0, and a
Core Impact module has been written for it.
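The check a correct inflate implementation applies at the point this advisory describes, shown here as an added illustration that is not part of the Core advisory or of any RealNetworks code: symbols 286 and 287 are rejected before any length is derived, and every length/distance copy is bounded by the output written so far and by the buffer capacity. The base-length and extra-bit tables are those of RFC 1951 section 3.2.5; the function names and the sample buffer are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* RFC 1951 3.2.5: base length and extra bits for symbols 257..285. Symbols
   286 and 287 only take part in building the fixed tree and must never be
   accepted as length codes; a table that silently indexes past 285 is
   exactly the kind of defect the advisory describes. */
static const uint16_t len_base[29] = {
    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
    67, 83, 99, 115, 131, 163, 195, 227, 258 };
static const uint8_t len_extra[29] = {
    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3,
    4, 4, 4, 4, 5, 5, 5, 5, 0 };

/* Match length (3..258) for a literal/length symbol plus its extra bits,
   or -1 for anything outside 257..285 (so 286 and 287 are rejected). */
int decode_length(unsigned symbol, unsigned extra)
{
    if (symbol < 257 || symbol > 285) return -1;
    unsigned idx = symbol - 257;
    if (extra >= (1u << len_extra[idx])) return -1;   /* extra bits out of range */
    return (int)(len_base[idx] + extra);
}

/* Apply one length/distance back-reference into 'out'. Returns the new
   output position, or -1 if the symbol is invalid, the distance reaches
   before the start of the output, or the copy would overrun out_cap.
   Byte-wise copy is required because source and destination may overlap. */
long apply_backref(uint8_t *out, size_t out_cap, size_t out_pos,
                   unsigned symbol, unsigned extra, unsigned distance)
{
    int len = decode_length(symbol, extra);
    if (len < 0) return -1;
    if (distance == 0 || distance > out_pos) return -1;  /* before window start */
    if ((size_t)len > out_cap - out_pos) return -1;      /* would overrun buffer */
    for (int i = 0; i < len; i++)
        out[out_pos + i] = out[out_pos + i - distance];
    return (long)(out_pos + len);
}

/* Constructed demo: "abc" followed by <length 3, distance 3> and then
   <length 4, distance 1>; returns the final position (10) after checking
   that the expansion is "abcabccccc", or -1 if any step was rejected. */
long demo_backrefs(void)
{
    uint8_t buf[16] = { 'a', 'b', 'c' };
    long pos = apply_backref(buf, sizeof buf, 3, 257, 0, 3);
    if (pos < 0) return -1;
    pos = apply_backref(buf, sizeof buf, (size_t)pos, 258, 0, 1);
    if (pos != 10 || memcmp(buf, "abcabccccc", 10) != 0) return -1;
    return pos;
}
```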
SOLUTION
RealNetworks provides security updates that fix this vulnerability at
the following page:
http://service.real.com/help/faq/security/securityupdate_march2003.html
*References:*
[1] http://www.w3.org/Graphics/PNG/RFC-1951
[2] http://www.libpng.org/pub/png/pngdocs.html
[3] http://www.eeye.com/html/Research/Advisories/AD20021211.html
*About Core Security Technologies*
Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets.
Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.
To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit:
http://www.coresecurity.com/products/coreimpact