CVE-2007-5601 - Buffer Errors vulnerability in Realnetworks Realplayer 10.0/10.5/11Beta
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Stack-based buffer overflow in the Database Component in MPAMedia.dll in RealNetworks RealPlayer 10.5 and 11 beta, and earlier versions including 10, RealOne Player, and RealOne Player 2, allows remote attackers to execute arbitrary code via certain playlist names, as demonstrated via the import method to the IERPCtl ActiveX control in ierpplug.dll.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirecting execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Exploit-Db
description | RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow. CVE-2007-5601. Remote exploit for windows platform |
id | EDB-ID:16497 |
last seen | 2016-02-02 |
modified | 2010-05-09 |
published | 2010-05-09 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16497/ |
title | RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow |
description | RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability. CVE-2007-5601. Remote exploit for windows plat... |
id | EDB-ID:30692 |
last seen | 2016-02-03 |
modified | 2007-10-18 |
published | 2007-10-18 |
reporter | anonymous |
source | https://www.exploit-db.com/download/30692/ |
title | RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability |
Metasploit
description | This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()" method, an attacker may be able to execute arbitrary code. |
id | MSF:EXPLOIT/WINDOWS/BROWSER/REALPLAYER_IMPORT |
last seen | 2020-03-10 |
modified | 2017-07-24 |
published | 2007-12-02 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5601 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/realplayer_import.rb |
title | RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow |
Nessus
NASL family | Windows |
NASL id | REALPLAYER_PLAYLIST_HANDLING_OVERFLOW.NASL |
description | The version of RealPlayer installed on the remote Windows host contains signedness error in its |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27522 |
published | 2007-10-23 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27522 |
title | RealPlayer ActiveX (ierpplug.dll) Playlist Handling Buffer Overflow |
Packetstorm
data source | https://packetstormsecurity.com/files/download/83043/realplayer_import.rb.txt |
id | PACKETSTORM:83043 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | MC |
source | https://packetstormsecurity.com/files/83043/RealPlayer-ierpplug.dll-ActiveX-Control-Playlist-Name-Buffer-Overflow.html |
title | RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow |
Saint
bid | 26130 |
description | RealPlayer ActiveX control playlist name buffer overflow |
id | misc_realplayerax |
osvdb | 41430 |
title | realplayer_activex_playlist |
type | client |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 26130 CVE(CAN) ID: CVE-2007-5601 RealPlayer is a popular media player that supports many media formats. The RealPlayer database component provided by RealPlayer's MPAMedia.dll library contains a stack overflow vulnerability when handling playlist names; a remote attacker could exploit this vulnerability to take control of a user's system. Because the IERPCtl ActiveX control provided by ierpplug.dll can be used to import local files into a specified RealPlayer playlist, if a user is tricked into visiting a malicious web page and importing a malicious file, this overflow can be triggered, leading to denial of service or execution of arbitrary instructions. Real Networks RealPlayer 11 Beta Real Networks RealPlayer 10.5 Real Networks RealPlayer 10 Temporary workaround: Disable the IERPCtl ActiveX control in IE by setting the kill bit for the following CLSID: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} or save the following text as a .REG file and import it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}] "Compatibility Flags"=dword:00000400 Vendor patch: Real Networks ------------- The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage: http://service.real.com/realplayer/security/191007_player/en/securitydb.rnx |
id | SSV:2323 |
last seen | 2017-11-19 |
modified | 2007-10-23 |
published | 2007-10-23 |
reporter | Root |
title | RealPlayer ierpplug.dll ActiveX Control Playlist Name Stack Overflow Vulnerability |
Statements
contributor | Mark J Cox |
lastmodified | 2007-10-23 |
organization | Red Hat |
statement | Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 and 4 Extras or with Red Hat Enterprise Linux 5 Supplementary. |
References
- http://secunia.com/advisories/27248
- http://service.real.com/realplayer/security/191007_player/en/
- http://www.infosecblog.org/2007/10/nasa-bans-ie.html
- http://www.kb.cert.org/vuls/id/871673
- http://www.securityfocus.com/bid/26130
- http://www.securitytracker.com/id?1018843
- http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
- http://www.us-cert.gov/cas/techalerts/TA07-297A.html
- http://www.vupen.com/english/advisories/2007/3548
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37280