Possible New Zero-Day Exploit for Realplayer

SANS ISC: Possible New Zero-Day Exploit for Realplayer - SANS Internet Storm Center

SANS Site Network
- Current Site
- SANS Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- DFIR
- Software Security
- Government OnSite Training

SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Possible New Zero-Day Exploit for Realplayer
FrSIRT is reporting a zero day exploit against client side Realplayer and Helix Player. This exploit takes advantage of a format string error which can be exploit by using specially crafted ".rp" (relpix) or ".rt" (realtext) files. The affected versions are Helix Player 1.0.5 Gold and prior (Linux) RealPlayer 10.0.5 Gold and prior (Linux) There is no known fix at this time. http://service.real.com/help/faq/security/ has not posted information on this yet. Blake Hartstein from demarc.com posted the following to Bleeding-Snort yesterday which should provide coverage for this issue: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:" pcre:"/<image\s+[^>]handle=[^>]%[^>]*%/iG"; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; ) Stay tuned for further updates as we have them.	Lorna 165 Posts ISC Handler Sep 27th 2005
Thread locked Subscribe	Sep 27th 2005 1 decade ago

Possible New Zero-Day Exploit for Realplayer

FrSIRT is reporting a zero day exploit against client side Realplayer and Helix Player. This exploit takes advantage of a format string error which can be exploit by using specially crafted ".rp" (relpix) or ".rt" (realtext) files. The affected versions are

Helix Player 1.0.5 Gold and prior (Linux)
RealPlayer 10.0.5 Gold and prior (Linux)

There is no known fix at this time. http://service.real.com/help/faq/security/ has not posted information on this yet.

Blake Hartstein from demarc.com posted the following to Bleeding-Snort yesterday which should provide
coverage for this issue: 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit"; 
flow:established,from_server; content:"
pcre:"/<image\s+[^>]*handle=[^>]*%[^>]*%/iG"; 
reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; )

Stay tuned for further updates as we have them.

Lorna

165 Posts
ISC Handler

Sep 27th 2005

Thread locked Subscribe

Sep 27th 2005
1 decade ago