Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 6.0.12.1056 on Windows, and 10, 10.0.1.436, and other versions before 10.0.5 on Linux, allows remote attackers to execute arbitrary code via a RealMedia file with a long RealText string, such as an SMIL file.

An updated HelixPlayer package that fixes a buffer overflow issue is now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

HelixPlayer is a media player.

A buffer overflow bug was found in the way HelixPlayer processes SMIL files. An attacker could create a specially crafted SMIL file, which when combined with a malicious web server, could execute arbitrary code when opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1766 to this issue.

All users of HelixPlayer are advised to upgrade to this updated package, which contains HelixPlayer version 10.0.5 and is not vulnerable to this issue.

Multiple security vulnerabilities have been identified in the helix-player media player that could allow an attacker to execute code on the victim's machine via specially crafted network resources.

  - CAN-2005-1766     Buffer overflow in the RealText parser could allow     remote code execution via a specially crafted RealMedia     file with a long RealText string.

  - CAN-2005-2710

    Format string vulnerability in Real HelixPlayer and     RealPlayer 10 allows remote attackers to execute     arbitrary code via the image handle attribute in a     RealPix (.rp) or RealText (.rt) file.

An iDEFENSE Security Advisory reports :

Remote exploitation of a heap-based buffer overflow vulnerability in the RealText file format parser within various versions of RealNetworks Inc.'s RealPlayer could allow attackers to execute arbitrary code.

The remote host is affected by the vulnerability described in GLSA-200507-04 (RealPlayer: Heap overflow vulnerability)

    RealPlayer is vulnerable to a heap overflow when opening RealMedia     files which make use of RealText.
  Impact :

    By enticing a user to play a specially crafted RealMedia file an     attacker could execute arbitrary code with the permissions of the user     running the application.
  Workaround :

    There is no known workaround at this time.

The remote Windows host has RealPlayer software installed.  There is a flaw in this version of the software that would allow an attacker to execute arbitrary code.  An attacker exploiting this flaw would need to be able to convince a user to download and play a malicious media file.  Upon execution, a local content-parsing bug would be triggered, enabling a local heap overflow and code execution.  

According to its build number, the installed version of RealPlayer / RealOne Player for Windows has several vulnerabilities :

  - A malicious MP3 file can be used to overwrite an     arbitrary file or execute an ActiveX control.

  - Using a specially crafted RealMedia file, an attacker     may be able to cause a heap overflow and run arbitrary     code within the context of the affected application.

  - Using a specially crafted AVI file, an attacker may     be able to cause a buffer overflow and run arbitrary     code within the context of the affected application.

  - A malicious website may be able to cause a local HTML     file to be created that triggers an RM file to play     which would then reference the local HTML file.

An updated RealPlayer package that fixes a buffer overflow issue is now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 05 Jul 2005] The previous package for Red Hat Enterprise Linux 4 did not contain the proper fix for this issue. This erratum has been updated with a replacement package that corrects this issue

RealPlayer is a media player that provides media playback locally and via streaming. It plays RealAudio, RealVideo, MP3, 3GPP Video, Flash, SMIL 2.0, JPEG, GIF, PNG, RealPix, RealText, and more.

A buffer overflow bug was found in the way RealPlayer processes SMIL files. An attacker could create a specially crafted SMIL file that could combine with a malicious Web server to execute arbitrary code when the file was opened by a user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1766 to this issue.

All users of RealPlayer are advised to upgrade to this updated package, which contains RealPlayer version 10.0.5 and is not vulnerable to this issue.

The remote Redhat Enterprise Linux 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2005:517 advisory.

  - security flaw (CVE-2005-1766)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
21944	CentOS 4 : HelixPlayer (CESA-2005:517)	Nessus	CentOS Local Security Checks	medium
19795	Debian DSA-826-1 : helix-player - multiple vulnerabilities	Nessus	Debian Local Security Checks	medium
19036	FreeBSD : linux-realplayer -- RealText parsing heap overflow (95ee96f2-e488-11d9-bf22-080020c11455)	Nessus	FreeBSD Local Security Checks	medium
18633	GLSA-200507-04 : RealPlayer: Heap overflow vulnerability	Nessus	Gentoo Local Security Checks	medium
3030	RealPlayer < 6.0.12.1212 vidplin.dll Crafted AVI Overflow	Nessus Network Monitor	Web Clients	medium
18558	RealPlayer / RealOne Player for Windows Multiple Vulnerabilities (2005-06-23)	Nessus	Windows	high
18556	RHEL 3 / 4 : RealPlayer (RHSA-2005:523)	Nessus	Red Hat Local Security Checks	medium
18555	RHEL 4 : HelixPlayer (RHSA-2005:517)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2005-1766

high

Tenable Plugins

medium

medium

medium

medium

medium

high

medium

high