RealNetworks RealPlayer Code Execution Vulnerability
RealPlayer is a closed-source, cross-platform media player by RealNetworks that plays a number of multimedia formats, including MP3, MPEG-4, QuickTime, Windows Media, and multiple versions of the proprietary RealAudio and RealVideo formats. The application can play media files from the local file system or from network servers.
RealPlayer can be bundled with ActiveX controls and plug-ins that implement various functions. One of these ActiveX controls, IERPPlugin, is implemented in the library ierpplug.dll. This control is associated with CLSID "FDC7A535-4070-4B92-A0EA-D9994BCC0DC5" and ProgID "IERPCtl.IERPCtl.1". The control can be instantiated from a web page with the following script call:
obj = new ActiveXObject("IERPCtl.IERPCtl.1")
The IERPPlugin ActiveX control exposes a set of methods and properties that allow media to be played from HTML pages through the RealPlayer client. One of these methods, RecordClip(), invokes the RecordingManager.exe utility installed with RealPlayer. The syntax of this method is shown below:
RecordClip (String url, String mimeType, String clipInfo)
RecordingManager.exe, which is invoked by RecordClip(), is the Web Download and Recording Manager component of RealPlayer. This component can be used to monitor, pause, or stop the download of media. The executable accepts the URL of a media file as a command-line argument. By default, the command-line switches of RecordingManager are not meant to be reachable through the RecordClip() method of IERPPlugin.
A code execution vulnerability exists in the RealPlayer IERPPlugin ActiveX control. The vulnerability is due to improper validation of the url parameter passed to the RecordClip() method of the control. An attacker who lures a user to a crafted web page may leverage this vulnerability to download arbitrary files to any location on the target host.
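As an added example, not SonicWALL's signature 6146 and not RealPlayer code, the following Python heuristic scans HTML for pages that instantiate the IERPCtl control (by ProgID or CLSID) and call RecordClip() with a first argument that is not a plain media URL, which is the condition a content filter or proxy would want to flag. The strict URL grammar, the sample pages and the hostnames are constructed assumptions.

```python
import re

# Identifiers taken from the advisory text above.
PROGID = "IERPCtl.IERPCtl.1"
CLSID = "FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"

# Assumed grammar for a legitimate media URL: scheme, host, optional port and
# path, with no whitespace or quoting characters that could reach the
# RecordingManager command line as extra tokens.
_SAFE_URL = re.compile(
    r"^(?:https?|rtsp|pnm)://[\w.\-]+(?::\d+)?(?:/[\w.\-/%?&=+]*)?$"
)
# First string literal argument of any RecordClip(...) call.
_RECORDCLIP = re.compile(r"""\.RecordClip\s*\(\s*(['"])(.*?)\1""", re.S | re.I)


def analyze_page(html: str) -> dict:
    """Return findings for one HTML document (heuristic, not an IPS signature)."""
    lowered = html.lower()
    instantiates = PROGID.lower() in lowered or CLSID.lower() in lowered
    urls = [m.group(2) for m in _RECORDCLIP.finditer(html)]
    suspicious = [u for u in urls if not _SAFE_URL.match(u)]
    return {
        "instantiates_ierpctl": instantiates,
        "recordclip_calls": len(urls),
        "suspicious_urls": suspicious,
        # Alert only when the control is present and a non-URL value is passed.
        "alert": instantiates and bool(suspicious),
    }


# Constructed sample pages for offline testing.
BENIGN_PAGE = """<html><body><script>
var obj = new ActiveXObject("IERPCtl.IERPCtl.1");
obj.RecordClip("http://media.example.invalid/clip.rm", "audio/x-pn-realaudio", "");
</script></body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<object classid="clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5" id="obj"></object>
<script>
obj.RecordClip("http://media.example.invalid/clip.rm some extra text", "", "");
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, analyze_page(page))
```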
The SonicWALL UTM Research team has investigated this vulnerability and created the following IPS signature to detect and prevent attacks exploiting this issue:
- 6146 RealNetworks RealPlayer Injection Code Execution Attempt
This vulnerability has been assigned the identifier CVE-2010-3749.