=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN087
_____________________________________________________________________

DATE                      : 13/03/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running RealPlayer.

======================================================================
http://www.kb.cert.org/vuls/id/831457
______________________________________________________________________

Vulnerability Note VU#831457

RealNetworks RealPlayer ActiveX controls property heap memory corruption


Overview

Multiple RealPlayer ActiveX controls fail to properly handle properties,
which can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.


I. Description
RealNetworks RealPlayer provides multiple ActiveX controls to allow
integration with Internet Explorer. The ActiveX controls provided by the
file rmoc3260.dll fail to properly handle multiple properties, including
Console. Setting these properties can result in heap memory corruption.


II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a
web page or an HTML email message or attachment), an attacker may be
able to execute arbitrary code with the privileges of the user.


III. Solution
We are currently unaware of a practical solution to this problem. Please
consider the following workarounds:

Disable the RealPlayer ActiveX controls in Internet Explorer

The vulnerable ActiveX controls can be disabled in Internet Explorer by
setting the kill bit for the following CLSIDs:

       {0FDF6D6B-D672-463B-846E-C6FF49109662}
       {224E833B-2CC6-42D9-AE39-90B6A38A4FA2}
       {2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
       {3B46067C-FD87-49B6-8DDD-12F0D687035F}
       {3B5E0503-DE28-4BE8-919C-76E0E894A3C2}
       {44CCBCEB-BA7E-4C99-A078-9F683832D493}
       {A1A41E11-91DB-4461-95CD-0C02327FD934}
       {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}

More information about how to set the kill bit is available in Microsoft
Support Document 240797. Alternatively, the following text can be saved
as a .REG file and imported to set the kill bit for these controls:

       Windows Registry Editor Version 5.00

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0FDF6D6B-D672-463B-846E-C6FF49109662}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{224E833B-2CC6-42D9-AE39-90B6A38A4FA2}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3B46067C-FD87-49B6-8DDD-12F0D687035F}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3B5E0503-DE28-4BE8-919C-76E0E894A3C2}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44CCBCEB-BA7E-4C99-A078-9F683832D493}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A41E11-91DB-4461-95CD-0C02327FD934}]
       "Compatibility Flags"=dword:00000400

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}]
       "Compatibility Flags"=dword:00000400


Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an
attacker) appears to prevent exploitation of this and other ActiveX
vulnerabilities. Instructions for disabling ActiveX in the Internet Zone
can be found in the "Securing Your Web Browser" document.


Systems Affected

Vendor                  Status         Date Updated
RealNetworks, Inc.      Vulnerable     11-Mar-2008


References

http://secunia.com/advisories/29315/
http://archives.neohapsis.com/archives/fulldisclosure/2008-03/0157.html
http://isc.sans.org/diary.html?storyid=4120
http://lists.grok.org.uk/pipermail/full-disclosure/2008-March/060659.html

Credit

This vulnerability was publicly disclosed by Elazar Broad.

This document was written by Will Dormann.

Other Information
Date Public             03/10/2008
Date First Published    03/11/2008 01:55:45 PM
Date Last Updated       03/11/2008

CERT Advisory	
CVE Name
US-CERT Technical Alerts	
Metric   17.15
Document Revision  2

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================

