CVE-2007-3410 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in RealNetworks products

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, realnetworks, CWE-119, critical, nessus, exploit available

Summary

Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp in RealNetworks RealPlayer 10, 10.1, and possibly 10.5, RealOne Player, RealPlayer Enterprise, and Helix Player 10.5-GOLD and 10.0.5 through 10.0.8, allows remote attackers to execute arbitrary code via an SMIL (SMIL2) file with a long wallclock value.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow PoC. CVE-2007-3410. DoS exploit for windows platform
id: EDB-ID:4118
last seen: 2016-01-31
modified: 2007-06-27
published: 2007-06-27
reporter: axis
source: https://www.exploit-db.com/download/4118/
title: RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow PoC

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0841.NASL
    description: An updated RealPlayer package that fixes a security flaw is now available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. RealPlayer is a media player that provides media playback locally and via streaming. A buffer overflow flaw was found in the way RealPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running RealPlayer. (CVE-2007-3410) All users of RealPlayer are advised to upgrade to this updated package containing RealPlayer version 10.0.9 which is not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40707
    published: 2009-08-24
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/40707
    title: RHEL 3 / 4 / 5 : RealPlayer (RHSA-2007:0841)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0841. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40707);
      script_version ("1.32");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2007-2263", "CVE-2007-2264", "CVE-2007-3410", "CVE-2007-5081");
      script_xref(name:"RHSA", value:"2007:0841");
    
      script_name(english:"RHEL 3 / 4 / 5 : RealPlayer (RHSA-2007:0841)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated RealPlayer package that fixes a security flaw is now
    available for Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5
    Supplementary.
    
    This update has been rated as having critical security impact by the
    Red Hat Security Response Team.
    
    RealPlayer is a media player that provides media playback locally and
    via streaming.
    
    A buffer overflow flaw was found in the way RealPlayer processed
    Synchronized Multimedia Integration Language (SMIL) files. It was
    possible for a malformed SMIL file to execute arbitrary code with the
    permissions of the user running RealPlayer. (CVE-2007-3410)
    
    All users of RealPlayer are advised to upgrade to this updated package
    containing RealPlayer version 10.0.9 which is not vulnerable to this
    issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-2263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-2264"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-3410"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-5081"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2007:0841"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected RealPlayer and / or realplayer packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:RealPlayer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:realplayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x / 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2007:0841";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", cpu:"i386", reference:"realplayer-10.0.9-0.rhel3.4")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"i386", reference:"RealPlayer-10.0.9-2")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"RealPlayer-10.0.9-3.el5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "RealPlayer / realplayer");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2007-0605.NASL
    description: An updated HelixPlayer package that fixes a buffer overflow flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25614
    published: 2007-06-29
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25614
    title: CentOS 4 : HelixPlayer (CESA-2007:0605)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0605 and 
    # CentOS Errata and Security Advisory 2007:0605 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25614);
      script_version("1.20");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2007-3410");
      script_xref(name:"RHSA", value:"2007:0605");
    
      script_name(english:"CentOS 4 : HelixPlayer (CESA-2007:0605)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated HelixPlayer package that fixes a buffer overflow flaw is
    now available.
    
    This update has been rated as having critical security impact by the
    Red Hat Security Response Team.
    
    HelixPlayer is a media player.
    
    A buffer overflow flaw was found in the way HelixPlayer processed
    Synchronized Multimedia Integration Language (SMIL) files. It was
    possible for a malformed SMIL file to execute arbitrary code with the
    permissions of the user running HelixPlayer. (CVE-2007-3410)
    
    All users of HelixPlayer are advised to upgrade to this updated
    package, which contains a backported patch and is not vulnerable to
    this issue."
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-June/013994.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a57bb364"
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-June/013995.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?81f4287d"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected helixplayer package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:HelixPlayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HelixPlayer");
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2007-0605.NASL
    description: From Red Hat Security Advisory 2007:0605 : An updated HelixPlayer package that fixes a buffer overflow flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67538
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67538
    title: Oracle Linux 4 : HelixPlayer (ELSA-2007-0605)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2007:0605 and 
    # Oracle Linux Security Advisory ELSA-2007-0605 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67538);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:07");
    
      script_cve_id("CVE-2007-3410");
      script_xref(name:"RHSA", value:"2007:0605");
    
      script_name(english:"Oracle Linux 4 : HelixPlayer (ELSA-2007-0605)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2007:0605 :
    
    An updated HelixPlayer package that fixes a buffer overflow flaw is
    now available.
    
    This update has been rated as having critical security impact by the
    Red Hat Security Response Team.
    
    HelixPlayer is a media player.
    
    A buffer overflow flaw was found in the way HelixPlayer processed
    Synchronized Multimedia Integration Language (SMIL) files. It was
    possible for a malformed SMIL file to execute arbitrary code with the
    permissions of the user running HelixPlayer. (CVE-2007-3410)
    
    All users of HelixPlayer are advised to upgrade to this updated
    package, which contains a backported patch and is not vulnerable to
    this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2007-June/000254.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected helixplayer package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:HelixPlayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/06/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"HelixPlayer-1.0.6-0.EL4.2.0.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HelixPlayer");
    }
    
  • NASL family: Windows
    NASL id: REALPLAYER_6_0_12_1578.NASL
    description: According to its build number, the installed version of RealPlayer on the remote Windows host contains a stack-based buffer overflow that can be triggered by a specially crafted SMIL file, perhaps accessed over the web using the CLSID
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25573
    published: 2007-06-27
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25573
    title: RealPlayer for Windows < Build 6.0.12.1578 Multiple Vulnerabilities
  • NASL family: Windows
    NASL id: REALPLAYER_6_0_12_1662.NASL
    description: According to its build number, the installed version of RealPlayer / RealOne Player / RealPlayer Enterprise on the remote Windows host suffers from several buffer overflows involving specially crafted media files (eg,
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27591
    published: 2007-10-30
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27591
    title: RealPlayer for Windows < Build 6.0.12.1662 Multiple Vulnerabilities
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_F762CCBBBAED11DCA302000102CC8983.NASL
    description: Secunia reports : Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29866
    published: 2008-01-07
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/29866
    title: FreeBSD : linux-realplayer -- multiple vulnerabilities (f762ccbb-baed-11dc-a302-000102cc8983)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200709-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200709-05 (RealPlayer: Buffer overflow) A stack-based buffer overflow vulnerability has been reported in the SmilTimeValue::parseWallClockValue() function in smlprstime.cpp when handling HH:mm:ss.f type time formats. Impact : By enticing a user to open a specially crafted SMIL (Synchronized Multimedia Integration Language) file, an attacker could be able to execute arbitrary code with the privileges of the user running the application. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26095
    published: 2007-09-24
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26095
    title: GLSA-200709-05 : RealPlayer: Buffer overflow
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0605.NASL
    description: An updated HelixPlayer package that fixes a buffer overflow flaw is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. HelixPlayer is a media player. A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) All users of HelixPlayer are advised to upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25624
    published: 2007-06-29
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25624
    title: RHEL 4 : HelixPlayer (RHSA-2007:0605)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20070627_HELIXPLAYER_ON_SL4_X.NASL
    description: A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60220
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60220
    title: Scientific Linux Security Update : HelixPlayer on SL4.x i386/x86_64
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-0756.NASL
    description: A buffer overflow flaw was discovered in the way RealPlayer and HelixPlayer handle the wallclock variable in Synchronized Multimedia Integration Language (SMIL) files. More information regarding this flaw can be found here: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27679
    published: 2007-11-06
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27679
    title: Fedora 7 : HelixPlayer-1.0.7-6.fc7 (2007-0756)

Oval

accepted: 2010-09-06T04:04:17.299-04:00
class: vulnerability
contributors
name: Aharon Chernin
organization: SCAP.com, LLC
definition_extensions
comment: The operating system installed on the system is Red Hat Enterprise Linux 4
oval: oval:org.mitre.oval:def:11831
description: Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp in RealNetworks RealPlayer 10, 10.1, and possibly 10.5, RealOne Player, RealPlayer Enterprise, and Helix Player 10.5-GOLD and 10.0.5 through 10.0.8, allows remote attackers to execute arbitrary code via an SMIL (SMIL2) file with a long wallclock value.
family: unix
id: oval:org.mitre.oval:def:10554
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Stack-based buffer overflow in the SmilTimeValue::parseWallClockValue function in smlprstime.cpp in RealNetworks RealPlayer 10, 10.1, and possibly 10.5, RealOne Player, RealPlayer Enterprise, and Helix Player 10.5-GOLD and 10.0.5 through 10.0.8, allows remote attackers to execute arbitrary code via an SMIL (SMIL2) file with a long wallclock value.
version: 6

Redhat

advisories
  • bugzilla
    id: 245836
    title: CVE-2007-3410 RealPlayer/HelixPlayer buffer overflow
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 4 is installed
        oval: oval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • comment: HelixPlayer is earlier than 1:1.0.6-0.EL4.2
            oval: oval:com.redhat.rhsa:tst:20070605001
          • comment: HelixPlayer is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20070605002
        • AND
          • comment: HelixPlayer is earlier than 1:1.0.6-0.EL4.2.0.2
            oval: oval:com.redhat.rhsa:tst:20070605003
          • comment: HelixPlayer is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20070605002
    rhsa
    id: RHSA-2007:0605
    released: 2008-01-07
    severity: Critical
    title: RHSA-2007:0605: HelixPlayer security update (Critical)
  • rhsa
    id: RHSA-2007:0841
rpms
  • HelixPlayer-1:1.0.6-0.EL4.2
  • HelixPlayer-1:1.0.6-0.EL4.2.0.2
  • HelixPlayer-debuginfo-1:1.0.6-0.EL4.2
  • HelixPlayer-debuginfo-1:1.0.6-0.EL4.2.0.2
  • RealPlayer-0:10.0.9-3.el5
  • RealPlayer-debuginfo-0:10.0.9-3.el5
  • realplayer-0:10.0.9-0.rhel3.4

Saint

bid: 24658
description: RealPlayer SMIL file wallclock buffer overflow
id: misc_realplayer
osvdb: 37374
title: realplayer_smil_wallclock
type: client

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 24658
CVE(CAN) ID: CVE-2007-3410

RealPlayer is a very popular media player that supports many formats; HelixPlayer is its open-source version.

The wallclock handling in the RealPlayer/HelixPlayer players contains a buffer overflow when processing date formats; a remote attacker could exploit it to take control of a user's machine.

The wallclock function does not correctly handle the HH:mm:ss.f time format:

    924 HX_RESULT
    925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
    926 {
    ...
    957     char buf[10]; /* Flawfinder: ignore */
    ...
    962     while (*pCh)
    963     {
    ...
    972         else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
    973         {
    974             // this will find the last +, - or Z... which is what we want.
    975             pTimeZone = pCh;
    976         }
    ...
    982         ++pCh;
    983     }
    ...
    1101    if (pTimePos)
    1102    {
    1103        //HH:MM...
    ....
    1133        if (*(pos-1) == ':')
    1134        {
    ....
    1148            if (*(pos-1) == '.')
    1149            {
    1150                // find end.
    1151                UINT32 len = 0;
    1152                if (pTimeZone)
    1153                {
    1154                    len = pTimeZone - pos;
    1155                }
    1156                else
    1157                {
    1158                    len = end - pos;
    1159                }
    1160                strncpy(buf, pos, len); /* Flawfinder: ignore */

At line 957 a stack buffer is declared as 10 bytes; the annotation on that line makes the FlawFinder tool ignore this buffer.

The loop starting at line 962 runs over a function parameter, looking for the characters that delimit the different parts of the time format. Whenever a space, '+', '-' or 'Z' is encountered, its position is recorded for later use. If a time is found that contains a colon and a period, the vulnerable code is reached.

Line 1154 or line 1158 computes the length of the data to be copied into the stack buffer, depending on whether a time zone is present. Neither computation takes the constant size of buf into account, so a stack overflow can occur at line 1160. In addition, the unsafe use of strncpy() on that line is also marked with an annotation telling FlawFinder to ignore it.

If a user is tricked into loading a Synchronized Multimedia Integration Language (SMIL) file with a vulnerable player, this overflow can be triggered and lead to execution of arbitrary instructions.

Affected:
Real Networks RealPlayer 10.5-GOLD
Real Networks Helix Player 10.5-GOLD

Temporary workaround: if you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:
* Set the kill-bit for CLSID CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA.

Vendor patch: Real Networks
-------------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage: http://www.real.com
id: SSV:1930
last seen: 2017-11-19
modified: 2007-06-28
published: 2007-06-28
reporter: Root
title: RealPlayer/HelixPlayer ParseWallClockValue function stack buffer overflow vulnerability
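The fraction-copy path analysed in the Seebug excerpt above, as an added example that is not RealPlayer or Helix code: a minimal model of the marker scan at lines 962-983 and the length computation at lines 1152-1160, with the unchecked length placed beside a bounded copy that refuses any fraction that would not fit the 10-byte buffer. It assumes an input of the form HH:mm:ss.f with an optional time zone starting at the last space, '+', '-' or 'Z'; the names locate_fraction, unchecked_fraction_len, fraction_overflows and copy_fraction_bounded are introduced here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not RealPlayer/Helix code: a model of the fraction-copy
 * path of parseWallClockValue from the excerpt. The size matches the
 * char buf[10] declared at line 957 of the excerpt. */
#define FRAC_BUF_SIZE 10

/* Scan the value the way the loop at lines 962-983 does: remember the last
 * space, '+', '-' or 'Z' as the start of the time zone, and the position
 * just past the last '.' as the start of the fractional seconds.
 * Returns 1 when a fractional part exists, 0 otherwise. */
static int locate_fraction(const char *value, const char **frac,
                           const char **tz, const char **end)
{
    const char *pCh = value;
    const char *pTimeZone = NULL;
    const char *pDot = NULL;

    while (*pCh) {
        if (isspace((unsigned char)*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
            pTimeZone = pCh;          /* the last marker wins, as in the original */
        else if (*pCh == '.')
            pDot = pCh;
        ++pCh;
    }
    if (pDot == NULL)
        return 0;
    *frac = pDot + 1;
    *tz = pTimeZone;
    *end = pCh;                       /* the terminating NUL */
    return 1;
}

/* The length the original hands to strncpy() (lines 1152-1160): it is
 * derived only from the input, never from sizeof(buf), so it grows with
 * the wallclock string. A marker that precedes the fraction (the '-' in a
 * date) is ignored here; the original's pTimeZone - pos has no such guard. */
size_t unchecked_fraction_len(const char *value)
{
    const char *frac, *tz, *end;
    if (!locate_fraction(value, &frac, &tz, &end))
        return 0;
    const char *stop = (tz != NULL && tz > frac) ? tz : end;
    return (size_t)(stop - frac);
}

/* 1 when a value would overrun the fixed buffer: the check a bounded
 * parser must make before the copy at line 1160. */
int fraction_overflows(const char *value)
{
    return unchecked_fraction_len(value) >= FRAC_BUF_SIZE;
}

/* Hardened replacement for the copy: bound the length by the caller's
 * buffer, refuse over-long fractions instead of truncating silently, and
 * always NUL-terminate (strncpy() does not when len == bufsz).
 * Returns 0 on success, -1 when the fraction does not fit. */
int copy_fraction_bounded(const char *value, char *buf, size_t bufsz)
{
    const char *frac, *tz, *end;
    if (bufsz == 0)
        return -1;
    if (!locate_fraction(value, &frac, &tz, &end)) {
        buf[0] = '\0';                /* no fractional part: empty string */
        return 0;
    }
    const char *stop = (tz != NULL && tz > frac) ? tz : end;
    size_t len = (size_t)(stop - frac);
    if (len >= bufsz)                 /* leave room for the terminator */
        return -1;
    memcpy(buf, frac, len);
    buf[len] = '\0';
    return 0;
}
```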