RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
Added: 10/22/2010
CVE: CVE-2010-3747
BID: 44144
OSVDB: 68673
Background
RealPlayer and RealOne Player include a number of ActiveX controls that allow functions to be called by scripts embedded in web pages.
Problem
CDDA (cdda://) is a protocol used to locate media files on Compact Disc Digital Audio. The Source property of the ActiveX control with ProgID rmocx.RealPlayer G2 Control.1 in rmoc3260.dll is intended to specify the location of a media file using a URI based on the pnm:, file:, or http: protocols, not cdda:. By setting the Source property to a CDDA URI, an attacker can cause code to be executed from an uninitialized pointer. A long enough CDDA URI can control the value of the uninitialized pointer, thereby allowing remote code execution in the security context of the currently logged-on user.
Resolution
See the RealNetworks advisory for fix information.
References
http://www.zerodayinitiative.com/advisories/ZDI-10-210/
Limitations
Exploit works on RealNetworks RealPlayer 11.1.1 and requires the user to open the exploit page using Internet Explorer 6 or 7.
Platforms
Windows
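
Detection example for the condition described under Problem, added here and not part of the original advisory or of any vendor tooling: it flags web content that references the control's ProgID and assigns a literal cdda: URI to its Source property. The 256-character triage threshold, the function name and the sample pages are constructed assumptions.

```python
import re

# ProgID as given in the advisory. Pages that embed the control by classid
# instead would need the CLSID from the vendor advisory (not listed on this page).
PROGID = "rmocx.RealPlayer G2 Control.1"
LONG_URI = 256  # assumed triage threshold, not a value from the advisory

# Literal string assigned to a Source property from script.
# Concatenated or encoded values will not match; those need script emulation.
_ASSIGN = re.compile(r"""\.Source\s*=\s*(["'])(?P<uri>.*?)\1""", re.I | re.S)

def scan_page(html):
    """Return a list of (scheme, uri_length, severity) findings for one page."""
    if PROGID.lower() not in html.lower():
        return []  # control is not referenced, nothing to report
    findings = []
    for match in _ASSIGN.finditer(html):
        uri = match.group("uri").strip()
        if not uri.lower().startswith("cdda:"):
            continue  # pnm:, file:, http: and the like are the expected use
        # Any cdda: Source is outside the intended use; a long one matches
        # the advisory's description of controlling the pointer value.
        severity = "high" if len(uri) >= LONG_URI else "medium"
        findings.append(("cdda", len(uri), severity))
    return findings

# Constructed sample pages (not taken from any real site or exploit).
BENIGN = '''<script>
var rp = new ActiveXObject("rmocx.RealPlayer G2 Control.1");
rp.Source = "http://media.example.test/clip.rm";
</script>'''
SUSPECT = BENIGN.replace("http://media.example.test/clip.rm", "cdda://track1")

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_page(page))
```

A match is a triage signal for proxy logs or cached page content, and the check only sees literal assignments, so it complements rather than replaces applying the vendor fix.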