Vulnerabilities > CVE-2005-2052 - Remote Security vulnerability in RealPlayer
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Heap-based buffer overflow in vidplin.dll in RealPlayer 10 and 10.5 (6.0.12.1040 through 1069), RealOne Player v1 and v2, RealPlayer 8 and RealPlayer Enterprise allows remote attackers to execute arbitrary code via an .avi file with a modified strf structure value.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
Nessus
NASL family Windows
NASL id REALPLAYER_REALTEXT_PARSING_OVERFLOW.NASL
description According to its build number, the installed version of RealPlayer / RealOne Player for Windows has several vulnerabilities : - A malicious MP3 file can be used to overwrite an arbitrary file or execute an ActiveX control. - Using a specially crafted RealMedia file, an attacker may be able to cause a heap overflow and run arbitrary code within the context of the affected application. - Using a specially crafted AVI file, an attacker may be able to cause a buffer overflow and run arbitrary code within the context of the affected application. - A malicious website may be able to cause a local HTML file to be created that triggers an RM file to play which would then reference the local HTML file.
last seen 2020-06-01
modified 2020-06-02
plugin id 18558
published 2005-06-24
reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/18558
title RealPlayer / RealOne Player for Windows Multiple Vulnerabilities (2005-06-23)
code
#
# (C) Tenable Network Security, Inc.
#

# Version-based check. The script reads a product name and a build string
# from the KB (presumably stored by realplayer_detect.nasl, the declared
# dependency) and reports when the build matches the condition below.
# Nothing in this script opens a media file or talks to the player, so a
# finding means "this build is listed as affected", not "the flaw was
# triggered".

include("compat.inc");

# Registration pass: declares the plugin's metadata and exits before the
# check itself is reached.
if (description)
{
  script_id(18558);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  # Two CVE ids are attached to a single finding, so a report from this
  # plugin does not say which of the listed issues applies to the host.
  script_cve_id("CVE-2005-1766", "CVE-2005-2052");
  script_bugtraq_id(13530, 14048, 14073);

  script_name(english:"RealPlayer / RealOne Player for Windows Multiple Vulnerabilities (2005-06-23)");
  script_summary(english:"Checks RealPlayer build number");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Windows application is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its build number, the installed version of RealPlayer / RealOne Player for Windows has several vulnerabilities : - A malicious MP3 file can be used to overwrite an arbitrary file or execute an ActiveX control. 
- Using a specially crafted RealMedia file, an attacker may be able to cause a heap overflow and run arbitrary code within the context of the affected application. - Using a specially crafted AVI file, an attacker may be able to cause a buffer overflow and run arbitrary code within the context of the affected application. - A malicious website may be able to cause a local HTML file to be created that triggers an RM file to play which would then reference the local HTML file.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dc045348");
  script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/403535/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"http://service.real.com/help/faq/security/050623_player/EN/");
  script_set_attribute(attribute:"solution", value:
    "Upgrade according to the vendor advisory referenced above.");

  # This is the plugin's own CVSS2 rating (AC:M, complete C/I/A). The
  # per-CVE metrics at the top of this page for CVE-2005-2052 read HIGH
  # complexity and PARTIAL impacts; keep the two apart when triaging.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/24");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/23");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:realnetworks:realplayer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # The check depends on the detection script and on both KB keys being
  # present; without them there is no build string to evaluate.
  script_dependencies("realplayer_detect.nasl");
  script_require_keys("SMB/RealPlayer/Product", "SMB/RealPlayer/Build");

  exit(0);
}

include("global_settings.inc");

# nb: RealOne Player and RealPlayer Enterprise are also affected,
#     but we don't currently know which specific build numbers
#     address the issues.
#
# Coverage gap that follows from the test below: any product string other
# than "RealPlayer" exits without a report, so RealOne Player and
# RealPlayer Enterprise installs are never flagged by this plugin. A clean
# result is not evidence that those products are patched.
prod = get_kb_item("SMB/RealPlayer/Product");
if (!prod || prod != "RealPlayer") exit(0);

# Check build.
build = get_kb_item("SMB/RealPlayer/Build");
if (build)
{
  # There's a problem if the build is:
  #  - [6.0.12.1040, 6.0.12.1212), RealPlayer
  #
  # As written, the condition matches three cases:
  #   - first component below 6;
  #   - 6.0.x with x below 12;
  #   - 6.0.12.y with 1040 <= y < 1212.
  # 6.0.12 builds below 1040 are not matched.
  # NOTE(review): the range comment above names only the last case -
  # confirm the first two, and the unmatched 6.0.12 builds, are intended.
  #
  # NOTE(review): the split result is indexed up to ver[3] without a check
  # on the number of components - presumably the detection script always
  # stores a four-part build; confirm.
  ver = split(build, sep:'.', keep:FALSE);
  if (
    int(ver[0]) < 6 ||
    (
      int(ver[0]) == 6 &&
      int(ver[1]) == 0 &&
      (
        int(ver[2]) < 12 ||
        (int(ver[2]) == 12 && int(ver[3]) >= 1040 && int(ver[3]) < 1212)
      )
    )
  )
  {
    # report_verbosity is not assigned in this script; presumably it comes
    # from global_settings.inc. When set, the finding carries the product
    # and build that were read from the KB; otherwise it is reported with
    # the port alone.
    if (report_verbosity)
    {
      report = string(
        "\n",
        prod, " build ", build, " is installed on the remote host.\n"
      );
      security_hole(port:get_kb_item("SMB/transport"), extra:report);
    }
    else security_hole(get_kb_item("SMB/transport"));
  }
}
NASL family Windows
NASL id RHAPSODY_REALTEXT_PARSING_OVERFLOW.NASL
description The remote installation of Rhapsody has a heap overflow in the
last seen 2020-06-01
modified 2020-06-02
plugin id 18560
published 2005-06-24
reporter This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/18560
title Rhapsody vidplin.dll AVI Processing Heap Overflow Vulnerability
code
#
# (C) Tenable Network Security, Inc.
#

# Version-based check for Rhapsody. The script reads a version string from
# the KB (presumably stored by rhapsody_detect.nasl, the declared
# dependency) and reports when it falls in the range tested below. It does
# not open an AVI file or load vidplin.dll, so a finding means "this
# version is listed as affected", not "the flaw was triggered".

include("compat.inc");

# Registration pass: declares the plugin's metadata and exits before the
# check itself is reached.
if (description)
{
  script_id(18560);
  script_version("1.18");

  script_cve_id("CVE-2005-2052");
  script_bugtraq_id(13530);

  name["english"] = "Rhapsody vidplin.dll AVI Processing Heap Overflow Vulnerability";
  script_name(english:name["english"]);

  script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a multimedia player that is prone to a buffer overflow attack." );
  script_set_attribute(attribute:"description", value:
    "The remote installation of Rhapsody has a heap overflow in the 'vidplin.dll' file used to process AVI files. With a specially- crafted AVI file, an attacker can exploit this flaw to cause arbitrary code to be run within the context of the affected application when a user opens the file." );
  script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jun/201" );
  script_set_attribute(attribute:"see_also", value:"http://service.real.com/help/faq/security/050623_player/EN/" );
  script_set_attribute(attribute:"solution", value:
    "Upgrade according to the vendor advisory referenced above."
  );

  # This is the plugin's own CVSS2 rating (AC:M, complete C/I/A). The
  # metrics at the top of this page for the same CVE read HIGH complexity
  # and PARTIAL impacts; keep the two apart when triaging.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/24");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/23");
  script_cvs_date("Date: 2018/11/15 20:50:28");
  script_set_attribute(attribute:"patch_publication_date", value: "2005/06/23");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  summary["english"] = "Checks for vidplin.dll AVI processing heap overflow vulnerability in Rhapsody";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check depends on the detection script and on the version key being
  # present; without it there is nothing to evaluate.
  script_dependencies("rhapsody_detect.nasl");
  script_require_keys("SMB/Rhapsody/Version");

  exit(0);
}

ver = get_kb_item("SMB/Rhapsody/Version");
if (ver)
{
  # There's a problem if it's version 3 with a build in [0.815, 0.1141).
  #
  # Only 3.0.0.x is tested: the first three components must be exactly
  # 3, 0 and 0, and the fourth must satisfy 815 <= x < 1141. Any other
  # version string produces no report, which says nothing about whether
  # that version is affected.
  #
  # NOTE(review): the split result is indexed up to iver[3] without a
  # check on the number of components - presumably the detection script
  # always stores a four-part version; confirm.
  iver = split(ver, sep:'.', keep:FALSE);
  if (
    int(iver[0]) == 3 &&
    int(iver[1]) == 0 &&
    int(iver[2]) == 0 &&
    (int(iver[3]) >= 815 && int(iver[3]) < 1141)
  )
    # The finding is reported with the port alone; the installed version
    # is not included in the report text.
    security_hole(get_kb_item("SMB/transport"));
}