RealOne Player Allows Cross Zone and Domain Access
DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

Risk: High

Product: RealOne Player (English only), RealOne Player v2 for Windows (all
languages), and RealOne Enterprise Desktop (all versions, standalone and
as configured by RealOne Desktop Manager).

Product URL: http://www.real.com/realoneplayer.html

Vendor Contacted: July 1, 2003

Vendor Released Patch: August 19, 2003

DigitalPranksters Public Advisory Released: August 27, 2003

Found by: KrazySnake (krazysnake@digitalpranksters.com)

Problem:
Using a SMIL presentation, an attacker can instruct RealOne Player to
load a series of URLs. If the attacker specifies a scripting protocol as
the URL, the script executes in the context of the previous URL. This
gives the attacker access to everything the previous URL had access to.
For example, an attacker could load a file on the local machine (C: drive)
through the SMIL and then load script into the "My Computer" zone to read
content from the local hard disk. It also allows the attacker to script web
sites and steal cookies.

We feel this is a high risk because there is no prompt before opening a
SMIL file. This allows the attacker to open the maliciously created file
without the victim's consent. We have identified several potential attack
vectors. These include linking to the SMIL over HTTP through a link
(<A HREF="malicious.smil">), JavaScript (document.location="malicious.smil"),
and email attachments.
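A defender-side check for SMIL files, added here as an example and not part of the original advisory or of RealNetworks' patch: it parses a presentation and flags every src/href whose URL uses a scripting protocol or points at the local disk, the two loads the advisory describes. The sample SMIL and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Schemes that, when the player follows them as a SMIL src/href, run script
# in the context of whatever URL the presentation loaded just before them.
SCRIPT_SCHEMES = {"javascript", "vbscript", "jscript"}
# Attributes through which a SMIL presentation tells the player what to load.
URL_ATTRS = ("src", "href")

# Constructed sample: a benign stream followed by the two URL kinds to flag.
SAMPLE_SMIL = """<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
  <body>
    <seq>
      <audio src="rtsp://media.example.com/intro.rm"/>
      <ref src=" JavaScript:void(0)"/>
      <ref src="file:///C:/"/>
    </seq>
  </body>
</smil>"""


def _local_name(tag):
    # Drop an XML namespace prefix: "{...SMIL20/Language}ref" -> "ref"
    return tag.rsplit("}", 1)[-1]


def audit_smil(smil_text):
    """Return (element, attribute, url, reason) for every URL a defender
    would want to see before letting the player open this presentation."""
    findings = []
    root = ET.fromstring(smil_text)
    for elem in root.iter():
        for attr in URL_ATTRS:
            url = elem.get(attr)
            if url is None:
                continue
            # Normalise leading whitespace and case so "JavaScript:" is caught.
            scheme = urlsplit(url.strip()).scheme.lower()
            if scheme in SCRIPT_SCHEMES:
                findings.append((_local_name(elem.tag), attr, url, "script-protocol URL"))
            elif scheme == "file" or (len(scheme) == 1 and scheme.isalpha()):
                # file:///C:/... or a bare Windows drive path such as C:\...
                findings.append((_local_name(elem.tag), attr, url, "local-file URL"))
    return findings


if __name__ == "__main__":
    for finding in audit_smil(SAMPLE_SMIL):
        print("%s@%s %r: %s" % finding)
```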

Proof of concept:
We have created a SMIL file that will read the cookie from
https://order.real.com/pt/order.html. The cookie will be read 9 seconds
after the audio has begun.

Source Code on Bugtraq


Resolution:
RealNetworks released a security update to address this issue. The
security update and details of this update from RealNetworks are available
from
http://service.real.com/help/faq/security/securityupdate_august2003.html.
