-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0312
      A number of vulnerabilities have been identified in RealPlayer
                               23 March 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           RealPlayer
Publisher:         Zero Day Initiative
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0927 CVE-2012-0924 

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-12-048/
   http://www.zerodayinitiative.com/advisories/ZDI-12-049/

Comment: This bulletin contains two (2) Zero Day Initiative security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

RealNetworks RealPlayer VIDOBJ_START_CODE Remote Code Execution Vulnerability
ZDI-12-048: March 22nd, 2012

CVE ID

    CVE-2012-0924 

CVSS Score

    9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) 

Affected Vendors

    RealNetworks

Affected Products

    RealPlayer

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of RealNetworks RealPlayer. User interaction is 
required in that a target must visit a malicious page or open a malicious 
file.

The flaw exists within dmp4.dll, specifically the decoding of an MPEG stream. 
When encountering a VIDOBJ_START_CODE object the process improperly validates 
the size of the destination buffer used for rendering. The contents of a 
decoded frame are copied to this region which can result in heap corruption if 
the decoded frame size exceeds the size of this region. A remote attacker can 
exploit this vulnerability to execute arbitrary code under the context of the 
process.

Vendor Response

RealNetworks has issued an update to correct this vulnerability. More details 
can be found at:

    http://service.real.com/realplayer/security/02062012_player/en/

Disclosure Timeline

    2011-10-21 - Vulnerability reported to vendor
    2012-03-22 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Luigi Auriemma

- -------------------------------------------------------------------------------

RealNetworks RealPlayer RealAudio coded_frame_size Remote Code Execution
ZDI-12-049: March 22nd, 2012

CVE ID

    CVE-2012-0927 

CVSS Score

    9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) 

Affected Vendors

    RealNetworks

Affected Products

    RealPlayer

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of RealNetworks RealPlayer. User interaction is 
required in that a target must visit a malicious page or open a malicious file.

The flaw exists within cook.dll, specifically the handling of a RealAudio 2.0 
file. When parsing the RA2 header a coded_frame_sz element is used to calculate 
the size for an allocation. This value is not properly verified before unpacking 
stream data into this new location. A remote attacker can exploit this 
vulnerability to execute arbitrary code under the context of the process.

Vendor Response

RealNetworks has issued an update to correct this vulnerability. More details 
can be found at:

    http://service.real.com/realplayer/security/02062012_player/en/

Disclosure Timeline

    2011-10-21 - Vulnerability reported to vendor
    2012-03-22 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

    Luigi Auriemma

- --------------------------END INCLUDED TEXT--------------------
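
Added example (not part of either ZDI advisory and not RealNetworks code): the two checks the advisories above describe as missing, written in C. One validates a header-derived allocation size, the other refuses to copy decoded data that exceeds the destination region. The `frames` multiplier, the `MAX_ALLOC_BYTES` cap and all function names are assumptions; the advisories do not give the header layout or the allocation formula.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on one allocation; not a value from the advisories. */
#define MAX_ALLOC_BYTES (1u << 20)

/* Derive an allocation size from untrusted header fields.
 * Rejects zero values, multiplication overflow and sizes over the cap. */
int checked_alloc_size(uint32_t coded_frame_sz, uint32_t frames, size_t *out)
{
    if (coded_frame_sz == 0 || frames == 0)
        return -1;
    if (coded_frame_sz > MAX_ALLOC_BYTES / frames)
        return -1;
    *out = (size_t)coded_frame_sz * frames;
    return 0;
}

/* Copy decoded data only when it fits the destination region. */
int copy_frame(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t src_len)
{
    if (dst == NULL || src == NULL || src_len > dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Allocate from the header, then unpack stream data into the new buffer.
 * Returns the buffer (caller frees) or NULL if any check fails. */
uint8_t *unpack_stream(uint32_t coded_frame_sz, uint32_t frames,
                       const uint8_t *data, size_t data_len)
{
    size_t cap;
    uint8_t *buf;

    if (checked_alloc_size(coded_frame_sz, frames, &cap) != 0)
        return NULL;
    buf = calloc(1, cap);
    if (buf != NULL && copy_frame(buf, cap, data, data_len) != 0) {
        free(buf);   /* data larger than the allocation: refuse, do not write */
        buf = NULL;
    }
    return buf;
}
```

The length compared against the buffer must be the number of bytes actually about to be written, not a second field read from the same untrusted header.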

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----