6th Apr 2003 [SBWID-6113]
COMMAND
	RealPlayer PNG deflate heap corruption vulnerability
SYSTEMS AFFECTED
	  . RealOne Player v2 (Win32) [versions: 6.0.11.x,
	    where x = .818, .830, .841, .853]
	  . RealOne Player v1 (Win32) [version: 6.0.10.505]
	  . RealOne Player for OS X   [version: 9.0.0.297, 9.0.0.288]
	  . RealPlayer 8/RealPlayer Plus 8 (Win32 & Mac OS 9)
	    [version: 6.0.9.584 (Win32 & Mac OS 9)]
	  . RealOne Enterprise Desktop (Win32) [version: 6.0.11.774]
PROBLEM
	From the Core Security Technologies [http://www.coresecurity.com] advisory
	[CORE-2003-0306]:
	
	 http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10
	
	--snip--
	This vulnerability was found by Juliano Rizzo, Agustin Azubel  Friedman,
	Bruno Acselrad and  Carlos  Sarraute  from  Core  Security  Technologies
	during Bugweek 2003 (March 3-7, 2003). Previous problems were  found  by
	Drew Copley of eEye Digital Security.
	We would like to thank Jeff Ayars and  Haydon  Boone  from  RealNetworks
	for quickly addressing our report and coordinating  the  generation  and
	public release of patches and information regarding this vulnerability.
	*Technical Description - Exploit/Concept Code:*
	PNG files are compressed using the deflate algorithm. This algorithm  is
	described  in   the   RFC   1951   "DEFLATE   Compressed   Data   Format
	Specification" (see [1]). The compression is performed by searching  for
	repetitions of the same data block. When a repetition is found, a pair
	of length/offset codes is inserted in the output string instead of the
	data block. These codes indicate the distance (in bytes) of the
	beginning of the repeated block with respect to the current position,
	and its length (in bytes).
	The algorithm can work in two  modes,  with  fixed  or  dynamic  Huffman
	trees. When fixed trees are used a fixed  alphabet  of  288  symbols  is
	used to represent literals and length codes. The RFC 1951 states:
	"...Literal/length values 286-287  will  never  actually  occur  in  the
	compressed data, but participate in the code construction..."
	The problem we found in vulnerable implementations of the  algorithm  is
	that when one of those two codes 286-287  is  found  in  the  compressed
	data, a length of 2^32 bytes is assumed.
	A loop starts copying from the offset specified after the length code
	in the compressed bit stream. 2^32 bytes is larger than the size of the
	buffer, beyond the program address space and larger than the available
	memory, so the loop finally raises an exception when it reaches the end
	of the committed program memory. This allows an attacker to fill the
	program memory after the buffer with a given pattern. After the
	exception is raised, a free or malloc function can be abused to use the
	values in the corrupted heap memory to write any 32-bit value to any
	address in memory. In particular we can overwrite any function pointer
	(for example the unhandled exception filter) and control the program
	execution flow, allowing us to execute arbitrary code and obtain (for
	example) a remote command shell or a Core Impact agent with the
	privileges of the user running RealPlayer.
	This bug has been successfully exploited in RealOne Player 2.0 and a
	Core Impact module has been made.
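	The following C example is added here to illustrate the defensive side of
	the two points above: how a deflate decoder should map literal/length
	symbols to match lengths per RFC 1951 (rejecting the reserved symbols 286
	and 287 instead of assuming a huge length), and how the back-reference
	copy loop should be bounded by the output buffer rather than trusting the
	decoded length. It is not code from Core Security, RealNetworks or any
	deflate library; all function and struct names (deflate_match_length,
	deflate_copy_backref, deflate_apply_symbol, deflate_selfcheck, out_buf)
	are hypothetical, and the sample output window "abc" is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Base lengths and extra-bit counts for literal/length symbols 257..285
 * (RFC 1951 section 3.2.5). Symbols 286 and 287 exist only so that the
 * fixed Huffman alphabet has 288 entries; they must never be decoded. */
static const uint16_t length_base[29] = {
    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
    35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258 };
static const uint8_t length_extra[29] = {
    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0 };

/* Decode the match length for a literal/length symbol. `extra` is the value
 * of the extra bits already read from the stream. Returns 0 for anything
 * outside 257..285 (which covers the reserved 286/287) or for an `extra`
 * value wider than the symbol allows; a valid length is always >= 3. */
int deflate_match_length(unsigned symbol, unsigned extra)
{
    if (symbol < 257 || symbol > 285)
        return 0;                        /* reserved or not a length code */
    unsigned idx = symbol - 257;
    if (extra >> length_extra[idx])
        return 0;                        /* more extra bits than the code has */
    return length_base[idx] + (int)extra;
}

/* Output buffer state for a bounds-checked LZ77 back-reference copy
 * (hypothetical struct, not from any real decoder). */
struct out_buf {
    uint8_t *data;
    size_t cap;   /* bytes allocated */
    size_t len;   /* bytes produced so far */
};

/* Copy `length` bytes starting `distance` bytes back from the current output
 * position. Returns 1 on success, 0 if the distance is invalid, reaches before
 * the start of the window, or the copy would overrun the buffer. Overlap is
 * handled byte by byte, as deflate requires (distance < length repeats). */
int deflate_copy_backref(struct out_buf *out, size_t distance, size_t length)
{
    if (distance == 0 || distance > 32768 || distance > out->len)
        return 0;                        /* invalid distance / before window */
    if (length > out->cap - out->len)
        return 0;                        /* would overrun the output buffer */
    for (size_t i = 0; i < length; i++) {
        out->data[out->len] = out->data[out->len - distance];
        out->len++;
    }
    return 1;
}

/* One step of a decoder's inner loop: validate the symbol first, then copy.
 * A decoder that skipped the first check is exactly the failure the
 * advisory describes: the copy loop runs with an absurd length. */
int deflate_apply_symbol(struct out_buf *out, unsigned symbol, unsigned extra,
                         size_t distance)
{
    int length = deflate_match_length(symbol, extra);
    if (length == 0)
        return 0;
    return deflate_copy_backref(out, distance, (size_t)length);
}

/* Self-check on a constructed window: "abc" + match(len 3, dist 3) -> "abcabc",
 * then a reserved symbol is refused, then a copy needing 3 bytes with only 2
 * free is refused. Returns the final output length (6) when all three hold,
 * a negative code otherwise. */
int deflate_selfcheck(void)
{
    uint8_t buf[8] = "abc";
    struct out_buf out = { buf, sizeof buf, 3 };
    if (!deflate_apply_symbol(&out, 257, 0, 3)) return -1;
    if (out.len != 6 || memcmp(buf, "abcabc", 6) != 0) return -2;
    if (deflate_apply_symbol(&out, 286, 0, 3)) return -3;   /* reserved symbol */
    if (deflate_apply_symbol(&out, 257, 0, 3)) return -4;   /* buffer overrun */
    return (int)out.len;
}

int main(void)
{
    printf("len(257)=%d len(285)=%d len(286)=%d len(287)=%d\n",
           deflate_match_length(257, 0), deflate_match_length(285, 0),
           deflate_match_length(286, 0), deflate_match_length(287, 0));
    printf("selfcheck=%d\n", deflate_selfcheck());
    return 0;
}
```

	The two checks are independent: rejecting 286/287 closes the specific
	defect the advisory describes, while bounding the copy by the remaining
	buffer space means that even a decoder which mis-decoded some other
	length could not write past the allocation. A decoder should do both.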
SOLUTION
	RealNetworks provides security updates which fix this  vulnerability  in
	the following page:
	
	  http://service.real.com/help/faq/security/securityupdate_march2003.html
	
	
	*References:*
	  [1] http://www.w3.org/Graphics/PNG/RFC-1951
	  [2] http://www.libpng.org/pub/png/pngdocs.html
	  [3] http://www.eeye.com/html/Research/Advisories/AD20021211.html
	*About Core Security Technologies*
	  Core Security Technologies develops strategic security solutions for
	  Fortune 1000 corporations, government agencies and military
	  organizations. The company offers information security software and
	  services designed to assess risk and protect and manage information
	  assets.
	  Headquartered in Boston, MA, Core Security Technologies can be reached
	  at 617-399-6980 or on the Web at http://www.coresecurity.com.
	  To learn more about CORE IMPACT, the first comprehensive penetration
	  testing framework, visit:
	  http://www.coresecurity.com/products/coreimpact