
Protection against RealPlayer AVI Parsing Buffer Overflow Vulnerability

Attack ID: CPAI-2005-130
Publish Date:
Last Update:
Category: Remote Code Execution
Vulnerable Systems: Real Networks Real Player versions 8, 10, 10.5
Real Networks Real Player Enterprise
Real Networks RealOne Player v1 and v2
Real Networks Rhapsody 3

Source: eEye

Description: A vulnerability was detected in the way RealPlayer processes malformed media files. By sending a specially crafted media file (.avi), a remote attacker could execute arbitrary code in the context of the user who executed the player. The vulnerability can be triggered when a user views a Web page containing a malformed .avi file, or opens an .avi file via email, an instant messaging program, or other file transfer programs.

Severity:
Details: When processing AVI files, RealPlayer calls into a specific DLL, vidplin.dll, which contains the vulnerability. RealPlayer allocates a fixed-size buffer that a malformed media file (.avi) can overflow by supplying more data than the buffer holds.
Attack Detection: Users of VPN-1 NG with Application Intelligence R55, R55W, users of VPN-1 NGX R60 and users of InterSpect who have applied the solution outlined below will see the following log entries:
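
The class of bug described above, as an added illustration in C (not RealPlayer's or Check Point's code): a chunk size read from the file is checked against both the remaining input and the fixed destination buffer before anything is copied. The function name, the buffer size and the sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIXED_BUF_SIZE 64 /* assumed capacity, for illustration only */

enum { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LARGE = -2 };

/* RIFF (the AVI container) stores chunk sizes as little-endian 32-bit. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the payload of the chunk at data[off] (4-byte tag, 4-byte size,
 * payload) into a fixed-size buffer. The unsafe pattern is
 * memcpy(dst, payload, declared) with no checks: declared comes from the
 * file, so it can exceed the capacity of dst. */
int copy_chunk_checked(const uint8_t *data, size_t len, size_t off,
                       uint8_t *dst, size_t dst_cap, size_t *copied) {
    if (off > len || len - off < 8)
        return CHUNK_TRUNCATED;        /* no room for tag + size field */
    uint32_t declared = rd_le32(data + off + 4);
    if (declared > len - off - 8)
        return CHUNK_TRUNCATED;        /* size runs past the end of input */
    if (declared > dst_cap)
        return CHUNK_TOO_LARGE;        /* would overflow the fixed buffer */
    memcpy(dst, data + off + 8, declared);
    *copied = declared;
    return CHUNK_OK;
}

/* Constructed samples (hypothetical tag "demo"), not taken from a real file. */
static const uint8_t sample_ok[]  = {'d','e','m','o', 4,0,0,0, 1,2,3,4};
static const uint8_t sample_big[8 + 0x100] = {'d','e','m','o', 0x00,0x01,0,0};
static const uint8_t sample_cut[] = {'d','e','m','o', 0x40,0,0,0, 1,2};

int main(void) {
    uint8_t buf[FIXED_BUF_SIZE];
    size_t n = 0;
    printf("ok=%d big=%d cut=%d\n",
           copy_chunk_checked(sample_ok, sizeof sample_ok, 0, buf, sizeof buf, &n),
           copy_chunk_checked(sample_big, sizeof sample_big, 0, buf, sizeof buf, &n),
           copy_chunk_checked(sample_cut, sizeof sample_cut, 0, buf, sizeof buf, &n));
    return 0;
}
```
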

Attack Name: Content protection violation
Attack Information: Malformed AVI

Users of VPN-1 NG with Application Intelligence R55 will receive rule 99804 on the SmartView Tracker screen.
Solution:

Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The Update protects against this vulnerability by blocking malformed AVI media files.

To enable the AVI protection:

1. On the SmartDefense navigation tree, click Content Protection > Malformed AVI.

2. Install policy on all modules.

Note: This protection is performance-intensive. Activating it may consume considerable system resources.

 

Industry Reference: CAN-2005-2052
Additional Information: This Update also includes:
- GoToMyPC protection (CPAI-2005-131)
- Option to block Check Point Visitor Mode, traversing the VPN-1 or InterSpect module.