CVE-2008-1309 - Resource Management Errors vulnerability in Realnetworks Realplayer 10.0/10.5/11
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit. CVE-2008-1309. Remote exploit for windows platform |
file | exploits/windows/remote/5332.html |
id | EDB-ID:5332 |
last seen | 2016-01-31 |
modified | 2008-04-01 |
platform | windows |
port | |
published | 2008-04-01 |
reporter | Elazar |
source | https://www.exploit-db.com/download/5332/ |
title | Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit |
type | remote |

description | RealPlayer rmoc3260.dll ActiveX Control Heap Corruption. CVE-2008-1309. Remote exploit for windows platform |
id | EDB-ID:16584 |
last seen | 2016-02-02 |
modified | 2010-06-15 |
published | 2010-06-15 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16584/ |
title | RealPlayer rmoc3260.dll ActiveX Control Heap Corruption |
Metasploit
description | This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code. |
id | MSF:EXPLOIT/WINDOWS/BROWSER/REALPLAYER_CONSOLE |
last seen | 2020-03-15 |
modified | 2017-10-05 |
published | 2008-04-01 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/realplayer_console.rb |
title | RealPlayer rmoc3260.dll ActiveX Control Heap Corruption |
Nessus
NASL family | Windows |
NASL id | REALPLAYER_6_0_14_806.NASL |
description | According to its build number, the installed version of RealPlayer / on the remote Windows host suffers from possibly several issues : - Heap memory corruption issues in several ActiveX controls can lead to arbitrary code execution. (CVE-2008-1309) - An unspecified local resource reference vulnerability. (CVE-2008-3064) - An SWF file heap-based buffer overflow. (CVE-2007-5400) - A buffer overflow involving the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33744 |
published | 2008-07-28 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/33744 |
title | RealPlayer for Windows < Build 6.0.14.806 / 6.0.12.1675 Multiple Vulnerabilities |
code | |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(33744);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2007-5400", "CVE-2008-1309", "CVE-2008-3064", "CVE-2008-3066");
  script_bugtraq_id(28157, 30370, 30376, 30378, 30379);
  script_xref(name:"Secunia", value:"27620");
  script_xref(name:"Secunia", value:"29315");

  script_name(english:"RealPlayer for Windows < Build 6.0.14.806 / 6.0.12.1675 Multiple Vulnerabilities");
  script_summary(english:"Checks RealPlayer build number");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows application is affected by at least one security vulnerability." );
  script_set_attribute(attribute:"description", value:
"According to its build number, the installed version of RealPlayer / on the remote Windows host suffers from possibly several issues :

  - Heap memory corruption issues in several ActiveX controls can lead to arbitrary code execution. (CVE-2008-1309)

  - An unspecified local resource reference vulnerability. (CVE-2008-3064)

  - An SWF file heap-based buffer overflow. (CVE-2007-5400)

  - A buffer overflow involving the 'import()' method in an ActiveX control implemented by the 'rjbdll.dll' module could result in arbitrary code execution. (CVE-2008-3066)

Note that RealPlayer 11 (builds 6.0.14.738 - 6.0.14.802) are only affected by the first issue (CVE-2008-1309)." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Mar/156" );
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2007-93/advisory/" );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-08-046/" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/494778/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-08-047/" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/494779/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Jul/538" );
  script_set_attribute(attribute:"see_also", value:"http://service.real.com/realplayer/security/07252008_player/en/" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to RealPlayer 11.0.3 (build 6.0.14.806) / RealPlayer 10.5 (build 6.0.12.1675) or later.

Note that the vendor's advisory states that build numbers for RealPlayer 10.5 are not sequential." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(119, 264, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/28");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:realnetworks:realplayer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("realplayer_detect.nasl");
  script_require_keys("SMB/RealPlayer/Product", "SMB/RealPlayer/Build");

  exit(0);
}

include("global_settings.inc");

prod = get_kb_item("SMB/RealPlayer/Product");
if (!prod) exit(0);

build = get_kb_item("SMB/RealPlayer/Build");
if (!build) exit(0);

ver = split(build, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

vuln = FALSE;
if ("RealPlayer" == prod)
{
  # nb: build numbers ARE NOT NECESSARILY SEQUENTIAL!
  if (
    ver[0] < 6 ||
    (
      ver[0] == 6 && ver[1] == 0 &&
      (
        ver[2] < 12 ||
        (
          ver[2] == 12 &&
          (
            ver[3] <= 1663 ||
            ver[3] == 1698 ||
            ver[3] == 1741
          )
        ) ||
        (ver[2] == 14 && ver[3] < 806)
      )
    )
  ) vuln = TRUE;
}

if (vuln)
{
  if (report_verbosity)
  {
    report = string(
      "\n",
      prod, " build ", build, " is installed on the remote host.\n"
    );
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
}
```

NASL family | Windows |
NASL id | REALPLAYER_RMOC3260_ACTIVEX.NASL |
description | The remote host contains the Real Player ActiveX control, included with the RealPlayer media player, used to play content in a browser. The version of this control installed on the remote host reportedly contains a buffer overflow that can be leveraged by calls to various methods, such as |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31418 |
published | 2008-03-12 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31418 |
title | RealPlayer ActiveX (rmoc3260.dll) Console Property Memory Corruption Arbitrary Code Execution |
Packetstorm
data source | https://packetstormsecurity.com/files/download/65090/realplayer_console.rb.txt |
id | PACKETSTORM:65090 |
last seen | 2016-12-05 |
published | 2008-04-02 |
reporter | Elazar Broad |
source | https://packetstormsecurity.com/files/65090/realplayer_console.rb.txt.html |
title | realplayer_console.rb.txt |

data source | https://packetstormsecurity.com/files/download/65089/realplayer-activexexec.txt |
id | PACKETSTORM:65089 |
last seen | 2016-12-05 |
published | 2008-04-02 |
reporter | Elazar Broad |
source | https://packetstormsecurity.com/files/65089/realplayer-activexexec.txt.html |
title | realplayer-activexexec.txt |
Statements
contributor | Mark J Cox |
lastmodified | 2008-03-18 |
organization | Red Hat |
statement | Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary. |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2008-March/060659.html
- http://secunia.com/advisories/29315
- http://service.real.com/realplayer/security/07252008_player/en/
- http://www.kb.cert.org/vuls/id/831457
- http://www.securityfocus.com/archive/1/494779/100/0/threaded
- http://www.securityfocus.com/bid/28157
- http://www.securitytracker.com/id?1019576
- http://www.securitytracker.com/id?1020563
- http://www.vupen.com/english/advisories/2008/0842
- http://www.vupen.com/english/advisories/2008/2194/references
- http://www.zerodayinitiative.com/advisories/ZDI-08-047/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41087
- https://www.exploit-db.com/exploits/5332