Vulnerabilities > CVE-2007-3410 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Realnetworks products
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp in RealNetworks RealPlayer 10, 10.1, and possibly 10.5, RealOne Player, RealPlayer Enterprise, and Helix Player 10.5-GOLD and 10.0.5 through 10.0.8, allows remote attackers to execute arbitrary code via an SMIL (SMIL2) file with a long wallclock value.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Exploit-Db
description | RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow PoC. CVE-2007-3410. DoS exploit for Windows platform |
id | EDB-ID:4118 |
last seen | 2016-01-31 |
modified | 2007-06-27 |
published | 2007-06-27 |
reporter | axis |
source | https://www.exploit-db.com/download/4118/ |
title | RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow PoC |
Nessus
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2007-0841.NASL |
description | An updated RealPlayer package that fixes a security flaw is now available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. RealPlayer is a media player that provides media playback locally and via streaming. A buffer overflow flaw was found in the way RealPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running RealPlayer. (CVE-2007-3410) All users of RealPlayer are advised to upgrade to this updated package containing RealPlayer version 10.0.9 which is not vulnerable to this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 40707 |
published | 2009-08-24 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/40707 |
title | RHEL 3 / 4 / 5 : RealPlayer (RHSA-2007:0841) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2007:0841. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(40707);
  script_version ("1.32");
  script_cvs_date("Date: 2019/10/25 13:36:12");

  script_cve_id("CVE-2007-2263", "CVE-2007-2264", "CVE-2007-3410", "CVE-2007-5081");
  script_xref(name:"RHSA", value:"2007:0841");

  script_name(english:"RHEL 3 / 4 / 5 : RealPlayer (RHSA-2007:0841)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An updated RealPlayer package that fixes a security flaw is now
available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5
Supplementary.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

RealPlayer is a media player that provides media playback locally and
via streaming.

A buffer overflow flaw was found in the way RealPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. It was
possible for a malformed SMIL file to execute arbitrary code with the
permissions of the user running RealPlayer. (CVE-2007-3410)

All users of RealPlayer are advised to upgrade to this updated package
containing RealPlayer version 10.0.9 which is not vulnerable to this
issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2007-2263"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2007-2264"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2007-3410"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2007-5081"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2007:0841"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected RealPlayer and / or realplayer packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:RealPlayer");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:realplayer");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x / 5.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2007:0841";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL3", cpu:"i386", reference:"realplayer-10.0.9-0.rhel3.4")) flag++;
  if (rpm_check(release:"RHEL4", cpu:"i386", reference:"RealPlayer-10.0.9-2")) flag++;
  if (rpm_check(release:"RHEL5", cpu:"i386", reference:"RealPlayer-10.0.9-3.el5")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "RealPlayer / realplayer");
  }
}
```
NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2007-0605.NASL |
description | An updated HelixPlayer package that fixes a buffer overflow flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25614 |
published | 2007-06-29 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25614 |
title | CentOS 4 : HelixPlayer (CESA-2007:0605) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2007:0605 and
# CentOS Errata and Security Advisory 2007:0605 respectively.
#

include("compat.inc");

if (description)
{
  script_id(25614);
  script_version("1.20");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2007-3410");
  script_xref(name:"RHSA", value:"2007:0605");

  script_name(english:"CentOS 4 : HelixPlayer (CESA-2007:0605)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An updated HelixPlayer package that fixes a buffer overflow flaw is
now available.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

HelixPlayer is a media player.

A buffer overflow flaw was found in the way HelixPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. It was
possible for a malformed SMIL file to execute arbitrary code with the
permissions of the user running HelixPlayer. (CVE-2007-3410)

All users of HelixPlayer are advised to upgrade to this updated
package, which contains a backported patch and is not vulnerable to
this issue."
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-June/013994.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a57bb364"
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-June/013995.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?81f4287d"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected helixplayer package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:HelixPlayer");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/06/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/29");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HelixPlayer");
}
```
NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2007-0605.NASL |
description | From Red Hat Security Advisory 2007:0605 : An updated HelixPlayer package that fixes a buffer overflow flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 67538 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/67538 |
title | Oracle Linux 4 : HelixPlayer (ELSA-2007-0605) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2007:0605 and
# Oracle Linux Security Advisory ELSA-2007-0605 respectively.
#

include("compat.inc");

if (description)
{
  script_id(67538);
  script_version("1.10");
  script_cvs_date("Date: 2019/10/25 13:36:07");

  script_cve_id("CVE-2007-3410");
  script_xref(name:"RHSA", value:"2007:0605");

  script_name(english:"Oracle Linux 4 : HelixPlayer (ELSA-2007-0605)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2007:0605 :

An updated HelixPlayer package that fixes a buffer overflow flaw is
now available.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

HelixPlayer is a media player.

A buffer overflow flaw was found in the way HelixPlayer processed
Synchronized Multimedia Integration Language (SMIL) files. It was
possible for a malformed SMIL file to execute arbitrary code with the
permissions of the user running HelixPlayer. (CVE-2007-3410)

All users of HelixPlayer are advised to upgrade to this updated
package, which contains a backported patch and is not vulnerable to
this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2007-June/000254.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected helixplayer package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:HelixPlayer");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/06/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL4", cpu:"i386", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HelixPlayer");
}
```
NASL family | Windows |
NASL id | REALPLAYER_6_0_12_1578.NASL |
description | According to its build number, the installed version of RealPlayer on the remote Windows host contains a stack-based buffer overflow that can be triggered by a specially crafted SMIL file, perhaps accessed over the web using the CLSID |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25573 |
published | 2007-06-27 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/25573 |
title | RealPlayer for Windows < Build 6.0.12.1578 Multiple Vulnerabilities |

NASL family | Windows |
NASL id | REALPLAYER_6_0_12_1662.NASL |
description | According to its build number, the installed version of RealPlayer / RealOne Player / RealPlayer Enterprise on the remote Windows host suffers from several buffer overflows involving specially crafted media files (eg, |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27591 |
published | 2007-10-30 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27591 |
title | RealPlayer for Windows < Build 6.0.12.1662 Multiple Vulnerabilities |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_F762CCBBBAED11DCA302000102CC8983.NASL |
description | Secunia reports : Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 29866 |
published | 2008-01-07 |
reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/29866 |
title | FreeBSD : linux-realplayer -- multiple vulnerabilities (f762ccbb-baed-11dc-a302-000102cc8983) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200709-05.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200709-05 (RealPlayer: Buffer overflow). A stack-based buffer overflow vulnerability has been reported in the SmilTimeValue::parseWallClockValue() function in smlprstime.cpp when handling HH:mm:ss.f type time formats. Impact : By enticing a user to open a specially crafted SMIL (Synchronized Multimedia Integration Language) file, an attacker could be able to execute arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 26095 |
published | 2007-09-24 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/26095 |
title | GLSA-200709-05 : RealPlayer: Buffer overflow |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2007-0605.NASL |
description | An updated HelixPlayer package that fixes a buffer overflow flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25624 |
published | 2007-06-29 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25624 |
title | RHEL 4 : HelixPlayer (RHSA-2007:0605) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20070627_HELIXPLAYER_ON_SL4_X.NASL |
description | A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60220 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60220 |
title | Scientific Linux Security Update : HelixPlayer on SL4.x i386/x86_64 |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2007-0756.NASL |
description | A buffer overflow flaw was discovered in the way RealPlayer and HelixPlayer handle the wallclock variable in Synchronized Multimedia Integration Language (SMIL) files. More information regarding this flaw can be found here: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27679 |
published | 2007-11-06 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27679 |
title | Fedora 7 : HelixPlayer-1.0.7-6.fc7 (2007-0756) |
Oval
accepted | 2010-09-06T04:04:17.299-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp in RealNetworks RealPlayer 10, 10.1, and possibly 10.5, RealOne Player, RealPlayer Enterprise, and Helix Player 10.5-GOLD and 10.0.5 through 10.0.8, allows remote attackers to execute arbitrary code via an SMIL (SMIL2) file with a long wallclock value. |
family | unix |
id | oval:org.mitre.oval:def:10554 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp in RealNetworks RealPlayer 10, 10.1, and possibly 10.5, RealOne Player, RealPlayer Enterprise, and Helix Player 10.5-GOLD and 10.0.5 through 10.0.8, allows remote attackers to execute arbitrary code via an SMIL (SMIL2) file with a long wallclock value. |
version | 6 |
Redhat
advisories | |
rpms | |
Saint
bid | 24658 |
description | RealPlayer SMIL file wallclock buffer overflow |
id | misc_realplayer |
osvdb | 37374 |
title | realplayer_smil_wallclock |
type | client |
Seebug
bulletinFamily | exploit |
description |

BUGTRAQ ID: 24658
CVE(CAN) ID: CVE-2007-3410

RealPlayer is a very popular media player that supports many formats; HelixPlayer is its open-source version.

The wallclock handling in the RealPlayer/HelixPlayer players contains a buffer overflow when processing date formats; a remote attacker may be able to exploit this vulnerability to take control of the user's machine.

The wallclock feature does not correctly handle the HH:mm:ss.f time format (line numbers are from smlprstime.cpp and are referenced below):

```c
924 HX_RESULT
925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
926 {
...
957     char buf[10]; /* Flawfinder: ignore */
...
962     while (*pCh)
963     {
...
972         else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
973         {
974             // this will find the last +, - or Z... which is what we want.
975             pTimeZone = pCh;
976         }
...
982         ++pCh;
983     }
...
1101     if (pTimePos)
1102     {
1103         //HH:MM...
....
1133         if (*(pos-1) == ':')
1134         {
....
1148             if (*(pos-1) == '.')
1149             {
1150                 // find end.
1151                 UINT32 len = 0;
1152                 if (pTimeZone)
1153                 {
1154                     len = pTimeZone - pos;
1155                 }
1156                 else
1157                 {
1158                     len = end - pos;
1159                 }
1160                 strncpy(buf, pos, len); /* Flawfinder: ignore */
```

At line 957 the stack buffer is declared as 10 bytes, and the annotation on that line causes the FlawFinder tool to ignore this buffer. The loop starting at line 962 walks through a function parameter looking for the characters that mark the different parts of the time format. Whenever a space, '+', '-' or 'Z' character is encountered, its position is recorded for later use. If a time is found that contains both a colon and a period, the vulnerable code is reached.

Line 1154 or line 1158 computes the length of the data to be copied into the stack buffer, depending on whether a time zone is present. Neither computation takes the constant size of buf into account, so a stack overflow can occur at line 1160. In addition, the unsafe use of strncpy() on that line is also marked with an annotation that makes FlawFinder ignore it.

If a user is tricked into loading a Synchronized Multimedia Integration Language (SMIL) file with a vulnerable player, this overflow can be triggered, leading to execution of arbitrary instructions.

Affected: Real Networks RealPlayer 10.5-GOLD; Real Networks Helix Player 10.5-GOLD

Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:

* Set the kill-bit for CLSID CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA.

Vendor patch: Real Networks. The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage: http://www.real.com |
id | SSV:1930 |
last seen | 2017-11-19 |
modified | 2007-06-28 |
published | 2007-06-28 |
reporter | Root |
title | RealPlayer/HelixPlayer ParseWallClockValue Function Stack Buffer Overflow Vulnerability |
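The length computation described in the Seebug analysis above, as an added example (not code from the Helix/RealPlayer source or from the advisory): the naive `pTimeZone - pos` / `end - pos` length is computed exactly as at lines 1151-1159 and then checked against the fixed 10-byte buffer before anything is copied, so an over-long fraction is rejected instead of being written past `buf`. The scanner, function names and sample values are constructed for this example, and the original function's date/time handling is simplified to locating the first '.' and the last zone marker.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same fixed size as the 'char buf[10]' at line 957 of the excerpt. */
#define FRACTION_BUF_SIZE 10

enum frac_status { FRAC_NONE = 0, FRAC_OK = 1, FRAC_TOO_LONG = -1 };

/* Scan the value the way the excerpt's loop (lines 962-983) does: remember
 * the LAST whitespace, '+', '-' or 'Z' as the time-zone marker.  Also note
 * the first '.' so the caller knows where the fractional digits start.
 * Returns the start of the fraction digits, or NULL if there is none.
 * (Simplified scanner, constructed for this example.) */
static const char *scan_wallclock(const char *s, const char **tz_out, const char **end_out)
{
    const char *p = s, *frac = NULL, *tz = NULL;
    while (*p) {
        if (*p == '.' && frac == NULL)
            frac = p + 1;
        else if (isspace((unsigned char)*p) || *p == '+' || *p == '-' || *p == 'Z')
            tz = p;                      /* last marker wins, as in the original */
        ++p;
    }
    /* A '-' inside the date part ("2007-06-27T...") is not a zone marker for
     * the fraction; only a marker after the digits terminates them. */
    if (frac != NULL && tz != NULL && tz < frac)
        tz = NULL;
    *tz_out = tz;
    *end_out = p;                        /* points at the terminating NUL */
    return frac;
}

/* The advisory's length computation (lines 1151-1159), unchanged: distance
 * from the fraction digits to the zone marker or end of string, with no
 * reference to the size of the destination buffer. */
static size_t unchecked_fraction_len(const char *frac, const char *tz, const char *end)
{
    return (size_t)((tz != NULL ? tz : end) - frac);
}

/* Hardened replacement for 'strncpy(buf, pos, len)' at line 1160: the copy is
 * refused unless the digits AND a terminator fit.  strncpy with
 * len == sizeof(buf) would also leave buf unterminated, so '>=' is required. */
static int copy_fraction_bounded(char out[FRACTION_BUF_SIZE], const char *frac, size_t len)
{
    if (len >= FRACTION_BUF_SIZE)
        return 0;
    memcpy(out, frac, len);
    out[len] = '\0';
    return 1;
}

/* Parse the fractional-seconds digits of an SMIL wallclock value into 'out'.
 * 'naive_len' receives the length the original code would have passed to
 * strncpy, so a caller can see how far past the 10-byte buffer a long value
 * would have written.  Returns a frac_status value. */
int parse_wallclock_fraction(const char *s, char out[FRACTION_BUF_SIZE], size_t *naive_len)
{
    const char *tz, *end;
    const char *frac = scan_wallclock(s, &tz, &end);
    out[0] = '\0';
    *naive_len = 0;
    if (frac == NULL)
        return FRAC_NONE;
    *naive_len = unchecked_fraction_len(frac, tz, end);
    return copy_fraction_bounded(out, frac, *naive_len) ? FRAC_OK : FRAC_TOO_LONG;
}

int main(void)
{
    /* Constructed sample values: a benign one, one whose fraction is exactly
     * the buffer size (no room for the NUL), and one that is far longer. */
    const char *samples[] = {
        "2007-06-27T12:30:45.5Z",
        "12:30:45.1234567890",
        "12:30:45.123456789012345678901234567890Z",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[FRACTION_BUF_SIZE];
        size_t n;
        int st = parse_wallclock_fraction(samples[i], buf, &n);
        printf("%-45s naive len=%2zu -> %s\n", samples[i], n,
               st == FRAC_OK ? buf : st == FRAC_TOO_LONG ? "rejected" : "no fraction");
    }
    return 0;
}
```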
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547
- http://osvdb.org/37374
- http://osvdb.org/38342
- http://secunia.com/advisories/25819
- http://secunia.com/advisories/25859
- http://secunia.com/advisories/26463
- http://secunia.com/advisories/26828
- http://secunia.com/advisories/27361
- http://security.gentoo.org/glsa/glsa-200709-05.xml
- http://securitytracker.com/id?1018297
- http://securitytracker.com/id?1018299
- http://service.real.com/realplayer/security/10252007_player/en/
- http://www.attrition.org/pipermail/vim/2007-October/001841.html
- http://www.kb.cert.org/vuls/id/770904
- http://www.redhat.com/support/errata/RHSA-2007-0605.html
- http://www.redhat.com/support/errata/RHSA-2007-0841.html
- http://www.securityfocus.com/bid/24658
- http://www.vupen.com/english/advisories/2007/2339
- http://www.vupen.com/english/advisories/2007/3628
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35088
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10554