RealPlayer Buffer Overflow

RealPlayer Denial of Service
Reported April 4, 2000 by
Adam Muntner
VERSIONS AFFECTED
  • RealPlayer v6 and v7

DESCRIPTION

There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7. It appears to occur when more than 299 characters are entered as a "location" to play.

Using the HTML "EMBED" tag to embed RealPlayer in a webpage and setting the "AUTOSTART=true" flag, RealPlayer can be forced to start automatically, thereby triggering the overflow condition.

While I have not taken the time to find the proper entry point in PNEN3260.DLL (which is what crashes, for example, in RealPlayer 6 Basic), it appears that arbitrary code could be executed simply by visiting a webpage with the malicious embedded RealPlayer tags, provided of course you've left your browser unprotected by allowing ActiveX, Java, and other dangerous mobile code to execute.
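The advisory gives two concrete indicators: an EMBED tag whose "location" (SRC) exceeds 299 characters, and an AUTOSTART=true attribute that removes the need for user interaction. The scanner below is an added example written for this page, not code from the original advisory or from RealNetworks; it assumes a defender inspecting HTML at a proxy or mail gateway wants to flag pages carrying both indicators. The threshold constant and the two sample documents are constructed from the figures in the text.

```python
"""Flag EMBED tags that match the RealPlayer overflow indicators in the advisory above.

Assumptions (not from the original page): the HTML is available as text, and
any EMBED whose SRC is longer than 299 characters is worth reporting; when
AUTOSTART=true is also present the finding is raised to "high" because the
player starts without a click.
"""
from html.parser import HTMLParser

# The advisory states the overflow occurs at more than 299 characters.
MAX_SAFE_LOCATION = 299


class EmbedScanner(HTMLParser):
    """Collects EMBED tags whose SRC attribute exceeds the safe length."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values are kept as-is.
        if tag != "embed":
            return
        attr_map = {name: (value or "") for name, value in attrs}
        src = attr_map.get("src", "")
        autostart = attr_map.get("autostart", "").lower() == "true"
        if len(src) > MAX_SAFE_LOCATION:
            self.findings.append({
                "line": self.getpos()[0],      # line where the tag starts
                "src_len": len(src),
                "autostart": autostart,
                "severity": "high" if autostart else "medium",
            })


def scan_html(html):
    """Return a list of findings (dicts) for the given HTML text."""
    parser = EmbedScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples for demonstration; not real pages.
BENIGN_HTML = """<html><body>
<embed src="http://example.invalid/clip.ram" autostart="true" width="200">
</body></html>"""

SUSPICIOUS_HTML = """<html><body>
<p>welcome</p>
<EMBED SRC="http://example.invalid/{}" AUTOSTART=true WIDTH=1 HEIGHT=1>
</body></html>""".format("A" * 400)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        for f in scan_html(doc):
            print(label, f)
```

Running the module prints one finding for the constructed suspicious page (an EMBED on line 3 with a 427-character SRC and autostart set) and nothing for the benign one. The check is deliberately narrow: it does not try to decide whether RealPlayer is the handler, only whether the two indicators the advisory names are present, which is what a gateway rule from this era would have keyed on.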

DEFENSE

Load the patched RealPlayer once it is released. In the meantime, seriously consider disabling ActiveX in your browsers.

VENDOR RESPONSE

A response from Real was unknown at the time of this writing.

CREDITS
Reported by
Adam Muntner