CVE-2008-1309 - Resource Management Errors vulnerability in RealNetworks RealPlayer 10.0/10.5/11

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, realnetworks, CWE-399, critical, nessus, exploit available, metasploit

Summary

The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.

Common Weakness Enumeration (CWE)

Exploit-Db

  • description: Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit. CVE-2008-1309. Remote exploit for windows platform
    file: exploits/windows/remote/5332.html
    id: EDB-ID:5332
    last seen: 2016-01-31
    modified: 2008-04-01
    platform: windows
    port:
    published: 2008-04-01
    reporter: Elazar
    source: https://www.exploit-db.com/download/5332/
    title: Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit
    type: remote
  • description: RealPlayer rmoc3260.dll ActiveX Control Heap Corruption. CVE-2008-1309. Remote exploit for windows platform
    id: EDB-ID:16584
    last seen: 2016-02-02
    modified: 2010-06-15
    published: 2010-06-15
    reporter: metasploit
    source: https://www.exploit-db.com/download/16584/
    title: RealPlayer rmoc3260.dll ActiveX Control Heap Corruption

Metasploit

description: This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.
id: MSF:EXPLOIT/WINDOWS/BROWSER/REALPLAYER_CONSOLE
last seen: 2020-03-15
modified: 2017-10-05
published: 2008-04-01
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/realplayer_console.rb
title: RealPlayer rmoc3260.dll ActiveX Control Heap Corruption

Nessus

  • NASL family: Windows
    NASL id: REALPLAYER_6_0_14_806.NASL
    description: According to its build number, the installed version of RealPlayer / on the remote Windows host suffers from possibly several issues : - Heap memory corruption issues in several ActiveX controls can lead to arbitrary code execution. (CVE-2008-1309) - An unspecified local resource reference vulnerability. (CVE-2008-3064) - An SWF file heap-based buffer overflow. (CVE-2007-5400) - A buffer overflow involving the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33744
    published: 2008-07-28
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33744
    title: RealPlayer for Windows < Build 6.0.14.806 / 6.0.12.1675 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33744);
      script_version("1.21");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id("CVE-2007-5400", "CVE-2008-1309", "CVE-2008-3064", "CVE-2008-3066");
      script_bugtraq_id(28157, 30370, 30376, 30378, 30379);
      script_xref(name:"Secunia", value:"27620");
      script_xref(name:"Secunia", value:"29315");
    
      script_name(english:"RealPlayer for Windows < Build 6.0.14.806 / 6.0.12.1675 Multiple Vulnerabilities");
      script_summary(english:"Checks RealPlayer build number");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows application is affected by at least one security
    vulnerability." );
      script_set_attribute(attribute:"description", value:
    "According to its build number, the installed version of RealPlayer /
    on the remote Windows host suffers from possibly several issues :
    
      - Heap memory corruption issues in several ActiveX 
        controls can lead to arbitrary code execution.
        (CVE-2008-1309)
    
      - An unspecified local resource reference vulnerability.
        (CVE-2008-3064)
    
      - An SWF file heap-based buffer overflow. (CVE-2007-5400)
    
      - A buffer overflow involving the 'import()' method in an
        ActiveX control implemented by the 'rjbdll.dll' module 
        could result in arbitrary code execution.
        (CVE-2008-3066)
    
    Note that RealPlayer 11 (builds 6.0.14.738 - 6.0.14.802) are only affected
    by the first issue (CVE-2008-1309)." );
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Mar/156" );
      script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2007-93/advisory/" );
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-08-046/" );
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/494778/30/0/threaded" );
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-08-047/" );
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/494779/30/0/threaded" );
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Jul/538" );
      script_set_attribute(attribute:"see_also", value:"http://service.real.com/realplayer/security/07252008_player/en/" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to RealPlayer 11.0.3 (build 6.0.14.806) / RealPlayer 10.5
    (build 6.0.12.1675) or later. 
    
    Note that the vendor's advisory states that build numbers for
    RealPlayer 10.5 are not sequential." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119, 264, 399);
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/28");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:realnetworks:realplayer");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("realplayer_detect.nasl");
      script_require_keys("SMB/RealPlayer/Product", "SMB/RealPlayer/Build");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    
    prod = get_kb_item("SMB/RealPlayer/Product");
    if (!prod) exit(0);
    
    
    build = get_kb_item("SMB/RealPlayer/Build");
    if (!build) exit(0);
    
    ver = split(build, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);
    
    
    vuln = FALSE;
    if ("RealPlayer" == prod)
    {
      # nb: build numbers ARE NOT NECESSARILY SEQUENTIAL!
      if (
        ver[0] < 6 ||
        (
          ver[0] == 6 && ver[1] == 0 && 
          (
            ver[2] < 12 ||
            (
              ver[2] == 12 && 
              (
                ver[3] <= 1663 ||
                ver[3] == 1698 ||
                ver[3] == 1741
              )
            ) ||
            (ver[2] == 14 && ver[3] < 806)
          )
        )
      ) vuln = TRUE;
    }
    
    
    if (vuln)
    {
      if (report_verbosity)
      {
        report = string(
          "\n",
          prod, " build ", build, " is installed on the remote host.\n"
        );
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      else security_hole(get_kb_item("SMB/transport"));
    }
    
  • NASL family: Windows
    NASL id: REALPLAYER_RMOC3260_ACTIVEX.NASL
    description: The remote host contains the Real Player ActiveX control, included with the RealPlayer media player, used to play content in a browser. The version of this control installed on the remote host reportedly contains a buffer overflow that can be leveraged by calls to various methods, such as
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31418
    published: 2008-03-12
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31418
    title: RealPlayer ActiveX (rmoc3260.dll) Console Property Memory Corruption Arbitrary Code Execution

Packetstorm

Statements

contributor: Mark J Cox
lastmodified: 2008-03-18
organization: Red Hat
statement: Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.