Vulnerabilities > CVE-2006-0323 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in swfformat.dll in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, Rhapsody 3, and Helix Player allows remote attackers to execute arbitrary code via a crafted SWF (Flash) file with (1) a size value that is less than the actual size, or (2) other unspecified manipulations.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities. CVE-2006-0323. Dos exploits for multiple platform id EDB-ID:27460 last seen 2016-02-03 modified 2006-03-23 published 2006-03-23 reporter Federico L. Bossi Bonin source https://www.exploit-db.com/download/27460/ title RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities description RealPlayer. CVE-2006-0323. Dos exploits for multiple platform id EDB-ID:1622 last seen 2016-01-31 modified 2006-03-28 published 2006-03-28 reporter Federico L. Bossi Bonin source https://www.exploit-db.com/download/1622/ title RealPlayer <= 10.5 6.0.12.1040-1348 - SWF Buffer Overflow PoC
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_018.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:018 (RealPlayer). This update fixes the following security problems in Realplayer: - Specially crafted SWF files could cause a buffer overflow and crash RealPlayer (CVE-2006-0323). - Specially crafted web sites could cause heap overflow and lead to executing arbitrary code (CVE-2005-2922). This was already fixed with the previously released 1.0.6 version, but not announced on request of Real. The advisory for these problems is on this page at Real: http://service.real.com/realplayer/security/03162006_player/en/ SUSE Linux 9.2 up to 10.0 and Novell Linux Desktop 9 are affected by this problem and receive fixed packages. If you are still using Realplayer on SUSE Linux 9.1 or SUSE Linux Desktop 1, we again wish to remind you that the Real player on these products cannot be updated and recommend to deinstall it. last seen 2019-10-28 modified 2006-03-27 plugin id 21150 published 2006-03-27 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21150 title SUSE-SA:2006:018: RealPlayer NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_25858C37BDAB11DAB7D400123FFE8333.NASL description Secunia Advisories Reports : A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user last seen 2020-06-01 modified 2020-06-02 plugin id 21402 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21402 title FreeBSD : linux-realplayer -- buffer overrun (25858c37-bdab-11da-b7d4-00123ffe8333) NASL family Windows NASL id RHAPSODY_3_1_0_270.NASL description According to its version number, the installed version of Rhapsody on the remote host suffers from a buffer overflow involving SWF files. To exploit this issue, a remote attacker needs to convince a user to attempt to play a maliciously crafted SWF file using the affected application. last seen 2020-06-01 modified 2020-06-02 plugin id 21141 published 2006-03-24 reporter This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21141 title Rhapsody SWF File Handling Buffer Overflow NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200603-24.NASL description The remote host is affected by the vulnerability described in GLSA-200603-24 (RealPlayer: Buffer overflow vulnerability) RealPlayer is vulnerable to a buffer overflow when processing malicious SWF files. Impact : By enticing a user to open a specially crafted SWF file an attacker could execute arbitrary code with the permissions of the user running the application. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 21148 published 2006-03-27 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21148 title GLSA-200603-24 : RealPlayer: Buffer overflow vulnerability NASL family Windows NASL id REALPLAYER_6_0_12_1483.NASL description According to its build number, the installed version of RealPlayer / RealOne Player / RealPlayer Enterprise on the remote Windows host suffers from one or more buffer overflows involving maliciously- crafted SWF and MBC files as well as web pages. In addition, it also may be affected by a local privilege escalation issue. last seen 2020-06-01 modified 2020-06-02 plugin id 21140 published 2006-03-24 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21140 title RealPlayer for Windows < Build 6.0.12.1483 Multiple Vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0257.NASL description An updated RealPlayer package that fixes a buffer overflow bug is now available for Red Hat Enterprise Linux Extras 3 and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. RealPlayer is a media player that provides media playback locally and via streaming. A buffer overflow bug was discovered in the way RealPlayer processes Flash Media (.swf) files. It is possible for a malformed Flash Media file to execute arbitrary code as the user running RealPlayer. The Common Vulnerabilities and Exposures project assigned the name CVE-2006-0323 to this issue. All users of RealPlayer are advised to upgrade to this updated package, which contains RealPlayer version 10.0.7 and is not vulnerable to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 63831 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63831 title RHEL 3 / 4 : RealPlayer (RHSA-2006:0257)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/45093/realplayer-swf-PoC.pl.txt |
| id | PACKETSTORM:45093 |
| last seen | 2016-12-05 |
| published | 2006-04-01 |
| reporter | Federico L. Bossi Bonin |
| source | https://packetstormsecurity.com/files/45093/realplayer-swf-PoC.pl.txt.html |
| title | realplayer-swf-PoC.pl.txt |
Redhat
| advisories |
|
Saint
| bid | 17202 |
| description | RealPlayer invalid chunk header heap overflow |
| id | misc_realplayer |
| osvdb | 24062 |
| title | realplayer_chunk_header |
| type | client |
Seebug
bulletinFamily exploit description No description provided by source. id SSV:15954 last seen 2017-11-19 modified 2006-03-28 published 2006-03-28 reporter Root source https://www.seebug.org/vuldb/ssvid-15954 title RealPlayer <= 10.5 (6.0.12.1040-1348) SWF Buffer Overflow PoC bulletinFamily exploit description No description provided by source. id SSV:81069 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-81069 title RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities bulletinFamily exploit description No description provided by source. id SSV:7738 last seen 2017-11-19 modified 2007-12-26 published 2007-12-26 reporter Root source https://www.seebug.org/vuldb/ssvid-7738 title RealPlayer 10.5 (6.0.12.1040-1348) SWF Buffer Overflow PoC bulletinFamily exploit description No description provided by source. id SSV:63442 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-63442 title RealPlayer <= 10.5 (6.0.12.1040-1348) - SWF Buffer Overflow PoC
References
- http://secunia.com/advisories/19358
- http://secunia.com/advisories/19362
- http://secunia.com/advisories/19365
- http://secunia.com/advisories/19390
- http://securityreason.com/securityalert/690
- http://securitytracker.com/id?1015806
- http://www.gentoo.org/security/en/glsa/glsa-200603-24.xml
- http://www.kb.cert.org/vuls/id/231028
- http://www.novell.com/linux/security/advisories/2006_18_realplayer.html
- http://www.redhat.com/support/errata/RHSA-2006-0257.html
- http://www.securityfocus.com/archive/1/430621/100/0/threaded
- http://www.securityfocus.com/bid/17202
- http://www.service.real.com/realplayer/security/03162006_player/en/
- http://www.vupen.com/english/advisories/2006/1057
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25408