[ale] Possible zero-day exploit (RealPlayer)
Michael H. Warfield
mhw at wittsend.com
Tue Sep 27 12:25:07 EDT 2005
On Tue, 2005-09-27 at 11:50 -0400, Stephen Cristol wrote:
> This is everything I know on the subject; I'm just passing along news.
It's not exactly a "zero day" since it involves some user interaction
(like downloading the friggen file) but, yes, stupid human tricks are in
plentiful supply...
IAC... Confirmed.
http://www.frsirt.com/exploits/20050926.helix4real.c.php
Commentary contained in the advisory along with the code:
> To exploit this remotely, a user just needs to place the created file on a web site and provide
> a link so users can click the file, launching RealPlayer and exploiting the vulnerability.
>
> Real have been duly informed about this issue and are fixing. Sadly though, it seems someone
> is trying to pinch my research, as such I have been forced to release this advisory sooner than
> hoped. Until Real get a new release out, do not play untrusted media with RealPlayer or HelixPlayer.
> Sorry Real.com!
>
> Moral of the story, don't talk about personal research on IRC. Thank you plagiarizers.
You basically have to click on an infected URL.
Mike
> S
>
> From the SANS website (http://isc.sans.org/diary.php?storyid=707):
>
> > Possible New Zero-Day Exploit for Realplayer
> >
> > Published: 2005-09-27, Last Updated: 2005-09-27 04:54:47 UTC
> > FrSIRT is reporting a zero day exploit against client side Realplayer
> > and Helix Player. This exploit takes advantage of a format string
> > error which can be exploited by using specially crafted ".rp" (realpix)
> > or ".rt" (realtext) files. The affected versions are
> >
> > Helix Player 1.0.5 Gold and prior (Linux)
> > RealPlayer 10.0.5 Gold and prior (Linux)
> >
> > There is no known fix at this time.
> > http://service.real.com/help/faq/security/ has not posted information
> > on this yet. Stay tuned for further updates as we have them.
>
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
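
The SANS note quoted above names the bug class as a format string error triggered by text in a crafted file. The following is an added illustration of that class and its fix, not part of the original post and not RealPlayer or Helix code; the function names and the sample text are hypothetical, and the input uses only the harmless `%%` directive.

```c
#include <stdio.h>
#include <string.h>

/* -Wformat-security flags the vulnerable call below; it is silenced here
 * only so this illustration builds cleanly. Keep it enabled in real code. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern: text read from an untrusted file is passed as the
 * format string itself, so every '%' directive in it is interpreted. */
int render_unsafe(char *out, size_t n, const char *file_text)
{
    return snprintf(out, n, file_text);
}

/* Hardened pattern: the format is a constant and file text is only data. */
int render_safe(char *out, size_t n, const char *file_text)
{
    return snprintf(out, n, "%s", file_text);
}

/* Count conversion directives in untrusted text, e.g. to log or reject a
 * file before display. "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* skip the escaped pair */
        if (s[1] != '\0') count++;            /* '%' followed by anything */
    }
    return count;
}

int main(void)
{
    const char *sample = "caption: 100%% loaded";  /* constructed input */
    char a[64], b[64];

    render_unsafe(a, sizeof a, sample);  /* "%%" is interpreted as "%"   */
    render_safe(b, sizeof b, sample);    /* text is copied byte for byte */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("directives in \"%%x%%x%%n\": %d\n", count_directives("%x%x%n"));
    return 0;
}
```

The two outputs differ because the first call lets the file's text act as a format string; the fix is the constant `"%s"` format, and the compiler warning named in the comment catches the first form at build time.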