微慑信息网

CVE-2008-1309-漏洞详情

CVE-2008-1309
CVSS 9.3
发布时间 :2008-03-12 13:44:00
修订时间 :2017-02-19 00:21:48
NMCOEPS    

[原文]The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.


[CNNVD]RealNetworks RealPlayer ‘rmoc3260.dll’ ActiveX控件内存破坏漏洞(CNNVD-200803-201)

        RealPlayer是一款流行的多媒体播放器,支持多种媒体格式。


        RealPlayer的rmoc3260.dll ActiveX控件实现上存在漏洞,远程攻击者可能利用此漏洞控制用户系统。


        rmoc3260.dll ActiveX控件没有正确地处理Console属性的输入参数,如果用户受骗访问了恶意站点的话,就可能触发内存破坏,导致执行任意指令。


        


CVSS (基础分值)

CVSS分值: 9.3 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]


CWE (弱点类目)

CWE-399 [资源管理错误]


CPE (受影响的平台与产品)

cpe:/a:realnetworks:realplayer:11
cpe:/a:realnetworks:realplayer:::enterprise
cpe:/a:realnetworks:realplayer:10.0 RealNetworks RealPlayer 10.0
cpe:/a:realnetworks:realplayer:10.5 RealNetworks RealPlayer 10.5


OVAL (用于检测的技术细节)

未找到相关OVAL定义


官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1309

(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1309

(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-201

(官方数据源) CNNVD


其它链接及资源

http://lists.grok.org.uk/pipermail/full-disclosure/2008-March/060659.html


(UNKNOWN)  FULLDISC  20080310 Real Networks RealPlayer ActiveX Control Heap Corruption
http://service.real.com/realplayer/security/07252008_player/en/


(VENDOR_ADVISORY)  CONFIRM  http://service.real.com/realplayer/security/07252008_player/en/
http://www.kb.cert.org/vuls/id/831457


(UNKNOWN)  CERT-VN  VU#831457
http://www.milw0rm.com/exploits/5332


(UNKNOWN)  MILW0RM  5332
http://www.securityfocus.com/archive/1/archive/1/494779/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080725 ZDI-08-047: RealNetworks RealPlayer rmoc3260 ActiveX Control Memory Corruption Vulnerability
http://www.securityfocus.com/bid/28157


(UNKNOWN)  BID  28157
http://www.securitytracker.com/id?1019576


(UNKNOWN)  SECTRACK  1019576
http://www.securitytracker.com/id?1020563


(UNKNOWN)  SECTRACK  1020563
http://www.vupen.com/english/advisories/2008/0842


(VENDOR_ADVISORY)  VUPEN  ADV-2008-0842
http://www.vupen.com/english/advisories/2008/2194/references


(VENDOR_ADVISORY)  VUPEN  ADV-2008-2194
http://www.zerodayinitiative.com/advisories/ZDI-08-047/


(UNKNOWN)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-08-047/
http://xforce.iss.net/xforce/xfdb/41087


(UNKNOWN)  XF  realplayer-realaudioobjects-code-execution(41087)


漏洞信息

RealNetworks RealPlayer ‘rmoc3260.dll’ ActiveX控件内存破坏漏洞
高危 资源管理错误
2008-03-12 00:00:00 2009-03-18 00:00:00
远程  
        RealPlayer是一款流行的多媒体播放器,支持多种媒体格式。


        RealPlayer的rmoc3260.dll ActiveX控件实现上存在漏洞,远程攻击者可能利用此漏洞控制用户系统。


        rmoc3260.dll ActiveX控件没有正确地处理Console属性的输入参数,如果用户受骗访问了恶意站点的话,就可能触发内存破坏,导致执行任意指令。


        


公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:


        http://www.real.com


漏洞信息 (5332)

Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit
(EDBID:5332)
windows remote
2008-04-01 Verified
0 Elazar

N/A

[点击下载]


漏洞信息 (16584)

RealPlayer rmoc3260.dll ActiveX Control Heap Corruption (EDBID:16584)
windows remote
2010-06-15 Verified
0 metasploit

N/A

[点击下载]


漏洞信息 (F68526)

Zero Day Initiative Advisory 08-047 (PacketStormID:F68526)

2008-07-26 00:00:00
Peter Vreugdenhil,Tipping Point  zerodayinitiative.com

advisory,remote,web,code execution,activex

CVE-2008-1309

[点击下载]

A vulnerability allows remote attackers to execute code on vulnerable installations of RealPlayer. User interaction is required in that a user must visit a malicious web site. The specific flaw exists in the rmoc3260 ActiveX control. Specifying malicious values for the 'Controls' or 'Console' properties with a specific timing results in a memory corruption which can lead to code execution under the context of the current user.


漏洞信息 (F65090)

realplayer_console.rb.txt (PacketStormID:F65090)

2008-04-02 00:00:00
Elazar Broad  

exploit,arbitrary,activex

CVE-2008-1309

[点击下载]

This Metasploit module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.


漏洞信息 (F65089)

realplayer-activexexec.txt (PacketStormID:F65089)

2008-04-02 00:00:00
Elazar Broad  

exploit,arbitrary,activex

CVE-2008-1309

[点击下载]

Exploit for the heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.


漏洞信息


42946
RealPlayer ActiveX (rmoc3260.dll) Console Property Memory Corruption Arbitrary Code Execution

Remote / Network Access,
Context Dependent

Input Manipulation
Loss of Integrity Workaround,
Patch / RCS
Exploit Public,
Exploit Private,
Exploit Commercial
Vendor Verified


漏洞描述

A use-after-free condition exists in RealPlayer. By setting properties in rmoc3260.dll ActiveX control in a certain way, it is possible to overwrite heap management structures, resulting in redirection of execution flow when these corrupted heap blocks are freed. This issue can be exploited by a context-dependent attacker to execute arbitrary code in the context of the user running the host application, typically Internet Explorer.


时间线


2008-03-10

2008-03-10
2008-04-01 2008-07-25


解决方案

RealNetworks has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): set the killbit for the affected control.


相关参考


漏洞作者


漏洞信息

RealNetworks RealPlayer ‘rmoc3260.dll’ ActiveX Control Memory Corruption Vulnerability

Boundary Condition Error

28157
Yes No
2008-03-10 12:00:00 2008-07-28 05:47:00

Elazar Broad and Peter Vreugdenhil.


受影响的程序版本

Real Networks rmoc3260.dll 6.0.10 .45

Real Networks RealPlayer Enterprise

Real Networks RealPlayer 11.0.2

Real Networks RealPlayer 10.5 v6.0.12.1483

Real Networks RealPlayer 10.5 v6.0.12.1483

Real Networks RealPlayer 10.5 v6.0.12.1348

Real Networks RealPlayer 10.5 v6.0.12.1235

Real Networks RealPlayer 10.5 v6.0.12.1069

Real Networks RealPlayer 10.5 v6.0.12.1059

Real Networks RealPlayer 10.5 v6.0.12.1056

Real Networks RealPlayer 10.5 v6.0.12.1053

Real Networks RealPlayer 10.5 v6.0.12.1040

Real Networks RealPlayer 10.5 Beta v6.0.12.1016

Real Networks RealPlayer 10.5

Real Networks RealPlayer 10.0

+

S.u.S.E. cvsup-16.1h-43.i586.rpm


+

S.u.S.E. Linux Personal 9.3


+

S.u.S.E. Linux Personal 9.2


Real Networks RealPlayer 11

Real Networks rmoc3260.dll 6.0.10 .50

Real Networks RealPlayer 11.0.3

Real Networks RealPlayer 10.5 v6.0.12.1675


不受影响的程序版本

Real Networks rmoc3260.dll 6.0.10 .50

Real Networks RealPlayer 11.0.3

Real Networks RealPlayer 10.5 v6.0.12.1675


漏洞讨论

RealNetworks RealPlayer 'rmoc3260.dll' ActiveX control is prone to a memory-corruption vulnerability.



Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely crash the application.


漏洞利用

An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious HTML page.



UPDATE (April 3, 2008): This issue is being actively exploited in the wild.



Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.



The following proof of concept and exploit code are available:


解决方案

The vendor addressed this issue in RealPlayer 11.0.3. Please contact the vendor for details.




相关参考

本文标题:CVE-2008-1309-漏洞详情
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/0713_2949.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » CVE-2008-1309-漏洞详情
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们