Realplayer Watchfolders Long Filepath Overflow by Joseph Sheridan
Realplayer version 18.104.22.168 is vulnerable to a stack buffer overflow vulnerability in the 'Watch Folders' facility.
- CVE number: CVE-2012-4987
- Impact: High
- Vendor homepage: http://www.real.com
- Vendor notified: 10/09/2012
- Vendor response: The vendor initially responded to say that a representative would be in touch regarding the bug but no contact was made and no reply was made to several further emails.
- Credit: Joseph Sheridan of ReactionIS
Realplayer version 22.214.171.124, other versions may also be affected.
A default Realplayer install has a 'Watch Folders' function which scans a (configurable) list of folders including Downloads and My Documents etc. If there is an overly long directory path (i.e. > 256 characters) then a null byte on the stack is overwritten and a buffer overflow subsequently occurs. As the following event log details show, it is possible to take full control of EIP:
Faulting application name: RealPlay.exe, version: 126.96.36.199, time stamp: 0x4fe37037 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 Exception code: 0xc0000005 Fault offset: 0x61616161 Faulting process id: 0x157c Faulting application start time: 0x01cd7c9f57dcb90d
The payload could be delivered by enticing a victim to extract a malicious zip file containing a random file with an overly long directory structure containing the exploit code.
An attacker may be able to take full control of the host and execute arbitrary code.
No known solution at this time.
Reaction Information Security is a leading independent pen test consultancy specialising in delivering the highest quality security testing services including network pen testing and web application security testing. As a CESG CHECK Service Provider we are authorised to carry out penetration testing on classified government networks.