Vulnerabilities > CVE-2011-0694 - Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
realnetworks
critical
nessus

Summary

RealNetworks RealPlayer 11.0 through 11.1, SP 1.0 through 1.1.5, and 14.0.0 through 14.0.1, and Enterprise 2.0 through 2.1.4, uses predictable names for temporary files, which allows remote attackers to conduct cross-domain scripting attacks and execute arbitrary code via the OpenURLinPlayerBrowser function.

Nessus

NASL familyWindows
NASL idREALPLAYER_12_0_1_633.NASL
descriptionAccording to its build number, the installed version of RealPlayer on the remote Windows host is affected by multiple code execution vulnerabilities : - A heap corruption vulnerability when processing AVI headers. (CVE-2010-4393) - A flaw exists in the temporary file naming scheme used for storage which can be combined with the OpenURLinPlayerBrowser function to execute arbitrary code. (CVE-2011-0694)
last seen2020-06-01
modified2020-06-02
plugin id51814
published2011-01-28
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/51814
titleRealPlayer for Windows < Build 12.0.1.633 Multiple Remote Code Execution Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(51814);
  script_version("1.12");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2010-4393", "CVE-2011-0694");

  script_bugtraq_id(46047, 46285);
  script_xref(name:"Secunia", value:"43098");
  script_xref(name:"Secunia", value:"43268");

  script_name(english:"RealPlayer for Windows < Build 12.0.1.633 Multiple Remote Code Execution Vulnerabilities");
  script_summary(english:"Checks RealPlayer build number.");

  script_set_attribute(attribute:"synopsis", value:
"A multimedia application on the remote Windows host can be abused to
execute arbitrary code.");

  script_set_attribute(attribute:"description", value:
"According to its build number, the installed version of RealPlayer on
the remote Windows host is affected by multiple code execution 
vulnerabilities :

  - A heap corruption vulnerability when processing AVI 
    headers. (CVE-2010-4393)

  - A flaw exists in the temporary file naming scheme used
    for storage which can be combined with the 
    OpenURLinPlayerBrowser function to execute arbitrary
    code. (CVE-2011-0694)");

  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-033/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-076/");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2011/Jan/518");
  script_set_attribute(attribute:"see_also", value:"http://service.real.com/realplayer/security/01272011_player/en/");
  script_set_attribute(attribute:"see_also", value:"http://service.real.com/realplayer/security/02082011_player/en/");
  script_set_attribute(attribute:"solution", value:"Upgrade to RealPlayer 14.0.2.633 (Build 12.0.1.633) or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
  
  script_set_attribute(attribute:"vuln_publication_date", value:"2011/01/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/28");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:realnetworks:realplayer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("realplayer_detect.nasl");
  script_require_keys("SMB/RealPlayer/Product", "SMB/RealPlayer/Build");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

prod = get_kb_item_or_exit("SMB/RealPlayer/Product");
build = get_kb_item_or_exit("SMB/RealPlayer/Build");
path = get_kb_item("SMB/RealPlayer/Path");
version = get_kb_item("SMB/RealPlayer/Version");

vuln = FALSE;
if ("RealPlayer" == prod)
{
  if (ver_compare(ver:build, fix:'12.0.1.633') == -1) vuln = TRUE;
}
else if ("RealPlayer SP" == prod)
{
  # Check for all versions of RealPlayer SP up to and including 12.0.0.879 (version 1.1.5)
  if (build =~ '^12\\.0\\.0\\..*' && ver_compare(ver:build, fix:'12.0.0.879') <= 0) vuln = TRUE;
}
else exit(0, 'Neither RealPlayer nor RealPlayer SP was detected on the remote host.');

if (vuln)
{
  if (report_verbosity > 0)
  {
    report = 
      '\n  Product           : ' + prod +
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version + 
      '\n  Installed build   : ' + build +
      '\n  Fix               : RealPlayer Build 12.0.1.633\n';
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
  exit(0);
}
else exit(0, 'The host is not affected because '+prod+' build '+build+' is installed.');