RealNetworks RealPlayer .smil Buffer Overflow Vulnerability 
 
iDEFENSE Security Advisory 03.01.05 
www.idefense.com/application/poi/display?id=209&type=vulnerabilities 
March 1, 2005 
 
I. BACKGROUND 
 
RealPlayer is an application for playing various media formats, 
developed by RealNetworks Inc. For more information, visit 
http://www.real.com/. 
 
II. DESCRIPTION 
 
Remote exploitation of a stack-based buffer overflow vulnerability in 
the The Synchronized Multimedia Integration Language (smil) file format 
parser within various versions of RealNetworks Inc.'s RealPlayer could 
allow attackers to execute arbitrary code. 
 
The vulnerability specifically exists due to an unbounded string copying 
operation. The vulnerable code is shown below: 
 
datatype/smil/renderer/smil1/smlparse.cpp 
CSmil1Parser::testAttributeFailed(SMIL1Node* pNode) 
line 2878 
***   
     if(HXR_OK == rc) 
        {    
            UINT32 ulScreenHeight = 0; 
            UINT32 ulScreenWidth = 0; 
 
            const char* pScreenSize = (const char*)pBuf->GetBuffer(); 
            // format is screen-height "X" screen-width 
            char tmp[256]; /* Flawfinder: ignore */ 
            strcpy(tmp, pScreenSize); /* Flawfinder: ignore */ 
*** 
 
 
The pBuf object's datapointer (which is what GetBuffer uses internally) 
is pointing at the screen-size attribute in the user-supplied smil file. 
This allows a fixed stack buffer to be overwritten with user-supplied 
data. An attacker could use this stack overwrite to manipulate a saved 
return address or Structured Exception Handler, allowing for arbitrary 
code execution. 
 
In order to trigger this vulnerability, one would need an otherwise 
valid .smil file with the following line added in an appropriate 
section: <text src="1024_768.en.txt" region="size" system-screen- 
size="LONGSTRINGX768"> 
 
Note that "LONGSTRING" should be more than 256 bytes in order to cause 
stack corruption. 
 
III. ANALYSIS 
 
Exploitation allows for arbitrary code execution as the user who opened 
the .smil file. 
 
Exploitation requires an attacker to craft a malicious .smil and 
convince a user to open it. An attacker could also force a web browser 
to refresh and automatically load the .smil file from a normal web page 
under the attacker's control. In default installations of RealPlayer   
under Windows, Internet Explorer will not prompt the user for an action 
when encountering a .smil file. It will open it without delay, thus 
allowing a more effective method of exploitation. 
 
IV. DETECTION 
 
iDEFENSE Labs has confirmed that Real Networks Inc.'s RealPlayer 10.5 
(6.0.12.1056) on Windows and RealPlayer 10 (10.0.1.436) on Linux are 
vulnerable. 
 
The vendor has reported that the following products are vulnerable on 
the following platforms: 
 
Windows: 
        RealPlayer 10.5 (6.0.12.1056 and below) 
        RealPlayer 10 
        RealOne Player V2 
        RealOne Player V1 
        RealPlayer 8 
        RealPlayer Enterprise 
        RealPlayer Enterprise 
 
Mac 
        RealPlayer 10 (10.0.0.325 and below) 
        RealOne Player 
 
Linux 
        RealPlayer 10 
        Helix Player 
 
V. WORKAROUND 
 
There are no known workarounds for this vulnerability. Although .smil 
files can be disassociated from RealPlayer, it is still possible to 
cause these files to load with RealPlayer using other methods. One such 
method is loading the file via one of the many ActiveX Controls that 
RealPlayer contains. Any effective workaround would prevent RealPlayer 
from functioning. 
 
VI. VENDOR RESPONSE 
 
A vendor advisory for this issue is available at: 
 
   http://service.real.com/help/faq/security/050224_player 
 
VII. CVE INFORMATION 
 
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
names CAN-2005-0455 to these issues. This is a candidate for inclusion 
in the CVE list (http://cve.mitre.org), which standardizes names for 
security problems. 
 
VIII. DISCLOSURE TIMELINE 
 
01/14/2005  Initial vendor notification 
01/19/2005  Initial vendor response 
03/01/2005  Coordinated public disclosure 
 
IX. CREDIT 
 
The discoverer of this vulnerability wishes to remain anonymous. 
 
Get paid for vulnerability research 
http://www.idefense.com/poi/teams/vcp.jsp