RealPlayer Exploit On The Loose

[Symantec]

RealPlayer Exploit On The Loose
<p>Yesterday we became aware of an in-the-wild exploitation of a <a href="http://www.securityfocus.com/bid/26130">previously unknown RealPlayer vulnerability</a>. This unpatched vulnerability affects the latest versions of RealPlayer and RealPlayer 11 BETA distributed on their site. The issue affects an ActiveX object in the RealPlayer component ierpplug.dll.</p>

<p>This DLL has been <a href="http://www.securityfocus.com/bid/21802">exploited in the past</a>, although only remote denial of service was achieved at the time. It appears that the miscreants have refined their technique to achieve code execution. The parameter passed to the vulnerable method of the ActiveX control appears to allow only character strings, which is most likely why the shell code is made up of only English letters (A~Z) and numbers (0~9). These characters can be read directly by Intel IA-32 CPUs modifying machine code instructions on-the-fly. </p>

<p>The malicious .html page checks several versions of RealPlayer to determine if the installed application is vulnerable. If it is, the attacker can potentially take control of the computer. <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2007-101600-3044-99">Trojan.Reapall</a>, the sample we received, successfully exploits this RealPlayer vulnerability and downloads and executes a copy <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99">Trojan.Zonebac</a>.</p>

<p>Additionally, when the vulnerability is successfully exploited, the clip named "videotest" from the "My Library" folder, available in standard installations of RealPlayer, will be played.</p>

<p><a href="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/10/RealFull.html" onclick="window.open('http://www.symantec.com/enterprise/security_response/weblog/upload/2007/10/RealFull.html','popup','width=990,height=620,scrol lbars=no,resizable=no,toolbar=no,directories=no,lo cation=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/10/RealSmall.jpg" width="370" height="232" /></a><br />
<strong>(Click for larger image.)</strong></p>

<p>We have successfully tested this sample against the latest versions of RealPlayer 11 Beta and RealPlayer 10.5. Older versions may also be vulnerable.</p>

<p>If you have RealPlayer installed, simply visiting a malicious Web page can put your computer at risk; the player does not need to be running.</p>

<p>Some mitigating strategies that you can put in place until patches are available are:<br />
<ul><li>Set the kill bit on the Class identifier (CLSID) FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 (<a href="http://support.microsoft.com/kb/240797">See instructions here</a>).</li><br />
<li>Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.</li><br />
<li>Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted sites security zone.</li><br />
<li>Ensure that antivirus software is up to date.</li><br />
<li>As most vulnerabilities of this nature rely on JavaScript to carry out exploitation, customers are advised to disable JavaScript whenever possible.</li><br />
<li>Always execute Web browser software as a user with minimal system privileges.</li></ul></p>

<p><strong>Update - October 22, 2007:</strong> RealNetworks <a href="http://service.real.com/realplayer/security/191007_player/en/">has released a patch</a> that addresses this vulnerability.</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
Fri, 19 Oct 2007 07:46:48 -0800