RealNetworks RealPlayer ActiveX Playlist Buffer Overflow

Windows systems with

• RealOne Player
• RealOne Player v2
• RealPlayer 10
• RealPlayer 10.5
• RealPlayer 11 beta

RealNetworks RealPlayer client for Microsoft Windows contains a stack buffer overflow in the playlist paramater passed to the client by an ActiveX control. This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code using a specially crafted web page or HTML email message.

RealNetworks RealPlayer is a multimedia application that allows users to view local and remote audio and video content. RealPlayer for Microsoft Windows includes the IERPCtl ActiveX control, which can be used with Internet Explorer to import a local file into a playlist. RealPlayer does not adequately validate the playlist parameter passed from the ActiveX control, resulting in a stack buffer overflow vulnerability. The IERPCtl ActiveX control is present in RealOne Player and later versions.

RealNetworks has released a patch for this vulnerability as described in RealPlayer Security Vulnerability. There are public reports that this vulnerability is being actively exploited.

This vulnerability can be exploited using the IERPCtl ActiveX control, which effectively means that only Windows Internet Explorer users are affected. The ActiveX control was introduced in RealOne Player, so Windows versions of RealPlayer 8 and earlier are not affected. Macintosh and Linux versions of RealPlayer are not affected.

Impact

By convincing a user to view a specially crafted HTML document or HTML mail message, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system. Note that the RealPlayer software does not need to be running for this vulnerability to be exploited.

For more information, please see US-CERT Vulnerability Note VU#871673.

Solution

Upgrade and apply a patch

See RealPlayer Security Vulnerability for information about upgrading and patching RealPlayer. RealPlayer 10.5 and RealPlayer 11 beta users should install the patch specified in the RealNetworks document. RealOne Player, RealOne Player v2, and RealPlayer 10 users should upgrade to RealPlayer 10.5 or RealPlayer 11 beta and install the patch.

Disable the IERPCtl ActiveX control

Disable the IERPCtl ActiveX control by setting the kill bit for the following CLSID:

{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved with a .reg file and imported into the Windows registry:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]

"Compatibility Flags"=dword:00000400

Disable ActiveX

Disabling ActiveX in the Internet Zone (or any zone used by an attacker) reduces the chances of exploitation of this and other vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in Securing Your Web Browser.

Appendix A. Vendor Information

RealNetworks

For information about updating RealPlayer, see RealPlayer Security Vulnerability and Security Update for Real Player.

Appendix B. References

• Customer Support - Real Security Updates - <http://service.real.com/realplayer/security/191007_player/en/>
• Security Update for RealPlayer - <http://docs.real.com/docs/security/SecurityUpdate101907Player.pdf>
• US-CERT Vulnerability Note VU#871673 -
  <http://www.kb.cert.org/vuls/id/871673>
• Securing Your Web Browser -
  <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

Feedback can be directed to US-CERT Technical Staff.

Produced by US-CERT, a government organization. Terms of use

Revision History

• October 24, 2007: Initial release