Vulnerabilities > CVE-2010-2579 - Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
realnetworks
apple
linux
nessus

Summary

The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, Mac RealPlayer 11.0 through 11.1, and Linux RealPlayer 11.0.2.1744 does not properly initialize the number of channels, which allows attackers to obtain unspecified "memory access" via unknown vectors. Per: http://cwe.mitre.org/data/definitions/665.html 'CWE-665: Improper Initialization'

Nessus

NASL familyWindows
NASL idREALPLAYER_12_0_1_609.NASL
descriptionAccording to its build number, the installed version of RealPlayer on the remote Windows host is affected by multiple vulnerabilities: - An error in the
last seen2020-06-01
modified2020-06-02
plugin id50612
published2010-11-16
reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/50612
titleRealPlayer for Windows < Build 12.0.1.609 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(50612);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id(
    "CVE-2010-0121", "CVE-2010-0125", "CVE-2010-2579", "CVE-2010-2997", 
    "CVE-2010-2999", "CVE-2010-4375", "CVE-2010-4376", "CVE-2010-4377", 
    "CVE-2010-4378", "CVE-2010-4379", "CVE-2010-4380", "CVE-2010-4381", 
    "CVE-2010-4382", "CVE-2010-4383", "CVE-2010-4384", "CVE-2010-4385", 
    "CVE-2010-4386", "CVE-2010-4387", "CVE-2010-4388", "CVE-2010-4389", 
    "CVE-2010-4390", "CVE-2010-4391", "CVE-2010-4392", "CVE-2010-4394", 
    "CVE-2010-4395", "CVE-2010-4396", "CVE-2010-4397"
  );
  script_bugtraq_id(
    44847, 45406, 45407, 45409, 45410, 45411, 45412, 45414,
    45421, 45422, 45424, 45425, 45426, 45428, 45429,
    45444, 45445, 45448, 45449, 45451, 45452, 45453, 45455,
    45458, 45459, 45463, 45464, 45465
  );
  script_xref(name:"Secunia", value:"38550");
  script_xref(name:"Secunia", value:"42203");

  script_name(english:"RealPlayer for Windows < Build 12.0.1.609 Multiple Vulnerabilities");
  script_summary(english:"Checks RealPlayer build number.");

  script_set_attribute(attribute:"synopsis", value:
"An application on the remote Windows host is affected by multiple
vulnerabilities.");

  script_set_attribute(attribute:"description", value:
"According to its build number, the installed version of RealPlayer on
the remote Windows host is affected by multiple vulnerabilities:

  - An error in the 'Cook' codec initialization function 
    and can be used to access uninitialized memory. 
    (CVE-2010-0121)

  - Freed pointer access in the handling of the 'Stream 
    Title' tag in a SHOUTcast stream using the ICY protocol.
    (CVE-2010-2997)

  - An integer overflow error exists when handling a 
    malformed 'MLLT atom' in an AAC file. (CVE-2010-2999)

  - Heap-based buffer overflow when handling of multi-rate 
    audio streams. (CVE-2010-4375)

  - Heap-based buffer overflow when parsing GIF87a files
    with large 'Screen Width' values in the 'Screen 
    Descriptor' header over RTSP. (CVE-2010-4376)

  - Heap-based buffer overflow when parsing of 'Cook' codec
    information in a Real Audio file with many subbands.
    (CVE-2010-4377)

  - Memory corruption in parsing of a 'RV20' video stream.
    (CVE-2010-4378)

  - Heap-based buffer overflow when parsing 'AAC', 'IVR', 
    'RealMedia', 'RA5', 'RealPix', 'SIPR' and 'SOUND' files.
    (CVE-2010-0125, CVE-2010-4379, CVE-2010-4380, 
     CVE-2010-4381, CVE-2010-4382, CVE-2010-4383, 
     CVE-2010-4384, CVE-2010-4386, CVE-2010-4387, 
     CVE-2010-4390, CVE-2010-4391, CVE-2010-4392)

  - Integer overflow in the handling of frame dimensions in
    a 'SIPR' stream. (CVE-2010-4385)

  - An input validation error in the 'pnen3260.dll' module 
    can allow arbitrary code execution via a crafted 'TIT2 
    atom' in an AAC file. (CVE-2010-4397)

  - Heap-based buffer overflow in the 'Cook' codec handling 
    functions. (CVE-2010-2579, CVE-2010-4389)

  - Heap-based buffer overflow in the decoding portion of 
    the 'Advanced Audio Coding' compression implementation. 
    (CVE-2010-4395)

  - Cross-site scripting in ActiveX control and several
    HTML files. (CVE-2010-4396, CVE-2010-4388)"
  );

  script_set_attribute(attribute:"solution", value:"Upgrade to RealPlayer 14.0.1.609 (Build 12.0.1.609) or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-266/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-267/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-268/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-269/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-270/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-271/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-272/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-273/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-274/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-275/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-276/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-277/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-278/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-279/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-280/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-281/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-282/");
  
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/16");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:realnetworks:realplayer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  
  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("realplayer_detect.nasl");
  script_require_keys("SMB/RealPlayer/Product", "SMB/RealPlayer/Build");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

prod = get_kb_item_or_exit("SMB/RealPlayer/Product");
build = get_kb_item_or_exit("SMB/RealPlayer/Build");
path = get_kb_item("SMB/RealPlayer/Path");

vuln = FALSE;
if ("RealPlayer" == prod)
{
  if (
    build =~ '^6\\.0\\.14\\..*' ||
    (build =~ '^12\\.0\\.1\\..*' && ver_compare(ver:build, fix:'12.0.1.609') == -1)
  ) vuln = TRUE;
}
else if ("RealPlayer SP" == prod)
{
  build_arr = split(build, sep:'.', keep:FALSE);
  for (i=0; i<max_index(build_arr); i++)
    build_arr[i] = int(build_arr[i]);

  if (build_arr[0] == 12 && build_arr[1] == 0 && build_arr[2] == 0 && build_arr[3] <= 879) vuln = TRUE;
}
else exit(0, 'Neither RealPlayer nor RealPlayer SP was detected on the remote host.');

if (vuln)
{
  if (report_verbosity > 0)
  {
    report = 
      '\n  Product         : ' + prod +
      '\n  Path            : ' + path +
      '\n  Installed build : ' + build +
      '\n  Fix             : RealPlayer Build 12.0.1.609\n';
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
  exit(0);
}
else exit(0, 'The host is not affected because '+prod+' build '+build+' is installed.');