Real Networks RealPlayer < 14.0.6.666 (Build 12.0.1.666) Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 6455

Synopsis

The remote host is running an application that is vulnerable to multiple attack vectors.

Description

The remote host is running RealPlayer, a multi-media application.

RealPlayer builds earlier than 12.0.1.666 are potentially affected by multiple code execution vulnerabilities:

- A heap-based buffer overflow vulnerability exists within the qcpfformat.dll file, which only creates a static 256 byte allocation on the heap. This can be abused by a remote attacker to execute arbitrary code in the context of the web browser. (CVE-2011-2950)

- A flaw exists due to RealPlayer allowing users to run local HTML files with scripting enabled without any warning. Attackers can exploit this issue to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control. (CVE-2011-2947)

- A memory-corruption vulnerability exists due to a use-after-free condition that affects "Embedded AutoUpdate." Successful exploitation allows remote attackers to execute arbitrary code within the context of the affected application. (CVE-2011-2954)

- A remote buffer-overflow vulnerability exists due to the software failing to perform adequate boundary checks on user-supplied data. Successful exploitation allows attackers to execute arbitrary code in the context of the vulnerable application. (CVE-2011-2951)

- A remote code-execution vulnerability exists when handling 'DEFINEFONT' fields in Flash files. Successful exploitation allows remote attackers to execute arbitrary code within the context of the affected application. (CVE-2011-2948)

- A remote code-execution vulnerability exists in the way the application uses the 'WideCharToMultiByte' call, resulting in a heap-based buffer overflow. Successful exploitation allows remote attackers to execute arbitrary code within the context of the affected application. (CVE-2011-2949)

- A memory-corruption vulnerability exists due to a use-after-free condition that particularly affects the dialogue box. Successful exploitation allows remote attackers to execute arbitrary code within the context of the affected application. (CVE-2011-2952)

- A memory-corruption vulnerability exists due to a use-after-free condition that particularly affects the Embedded Modal Dialog. Successful exploitation allows remote attackers to execute arbitrary code within the context of the affected application. (CVE-2011-2955)

- A cross-zone scripting vulnerability exists because the RealPlayer ActiveX control allows users to run local HTML files with scripting enabled without providing any warning. Attackers can exploit this issue to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control. (CVE-2011-1221)

Solution

Upgrade to RealPlayer 14.0.6 (Build 12.0.1.666) or later.

See Also

http://www.zerodayinitiative.com/advisories/ZDI-11-265

http://www.zerodayinitiative.com/advisories/ZDI-11-269

http://www.zerodayinitiative.com/advisories/ZDI-11-266

http://www.zerodayinitiative.com/advisories/ZDI-11-268

http://www.zerodayinitiative.com/advisories/ZDI-11-267

http://service.real.com/realplayer/security/08162011_player/en

Plugin Details

Severity: High

ID: 6455

Family: Web Clients

Published: 2012/04/16

Modified: 2016/02/05

Dependencies: 1735, 8314

Nessus ID: 55908

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 8.6

Temporal Score: 7.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:realnetworks:realplayer

Patch Publication Date: 2011/08/17

Vulnerability Publication Date: 2011/08/16

Exploitable With

Metasploit (windows/browser/realplayer_qcp.rb)

Reference Information

CVE: CVE-2011-2950, CVE-2011-2947, CVE-2011-2954, CVE-2011-2951, CVE-2011-2948, CVE-2011-2949, CVE-2011-2952, CVE-2011-2955, CVE-2011-1221

BID: 49172, 49173, 49174, 49175, 49178, 49195, 49198, 49199, 49996