CVE-2005-0455
Published 2005-05-02
Priority: P3 · 48 · medium · CVSS 2.0 score 5.1
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 53.99% (98.9th percentile)
Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1 allows remote attackers to execute arbitrary code via a .SMIL file with a large system-screen-size value.
Detection & IOCs (extracted from sources)
- bytes: \xeb\x08\xeb\x08 at offset 1068; SEH handler \x4a\xe1\xc9\x61 (WinXP pop/pop/ret) at offset 1072
- The vulnerable function is CSmil1Parser::testAttributeFailed in smlparse.cpp; monitor for RealPlayer processing .SMIL files with oversized system-screen-size attribute values.
- Exploit delivery is browser-based: a web server responds with Content-Type text/html containing a link/redirect to a .smil URI; detect HTTP responses serving .smil content to RealPlayer user-agents.
- Payload bad-character set for this exploit excludes null bytes and common HTML/URL metacharacters; network signatures should look for long non-printable blobs inside system-screen-size SMIL attribute values.
- Local exploit writes a crafted .smil file with a ~1700-byte overflow buffer containing a NOP sled (0x90) and SEH overwrites; endpoint detection should flag RealPlayer spawning unexpected child processes or binding ports after opening a .smil file.
- The Metasploit module targets Windows 2000 and XP with specific return addresses; correlate a crash/exception in the RealPlayer process with EIP values 0x75022ac4 or 0x71aa2461.
- The Metasploit module requires the URIPATH to end with '.smil' for the exploit to function correctly.
- The Metasploit module was tested only against RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584; return addresses differ per OS/SP and are not universal.
- The local SEH-overwrite exploit claims OS-universal coverage via multiple SEH handler addresses for XP, Win2k3, and Win2k, but the author notes 'if you have a diff 2k3 then deal with it and write your own in'.
CVSS provenance
- nvd (v2.0): 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
- vendor_redhat: 5.1 MEDIUM
Red Hat
security flaw
vendor_redhat · 2005-02-24 · CVSS 5.1 · [MEDIUM]
GHSA
GHSA-xc64-3j7c-vcc7: Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse
ghsa_unreviewed · 2022-05-01 · [MEDIUM]
No detection rules found.
Exploit-DB
RealNetworks RealPlayer - '.SMIL' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
---
##
# $Id: realplayer_smil.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
'Name' => 'RealNetworks RealPlayer SMIL Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.
By creating a URL link to a malicious SMIL file, a remote attacker could
overflow a buffer and execute arbitrary code.
When using this module, be sure to set the URIPATH with an extension of '.smil'.
This module
Exploit-DB
RealNetworks RealPlayer 10 - '.smil' Local Buffer Overflow
exploitdb · 2005-03-07
---
/* RealPlayer .smil file buffer overflow
Coded by nolimit@CiSO & Buzzdee
greets to COREiSO & #news & flare & class101 & ESI & RVL & everyone else I forget
This uses a seh overwrite method, which takes advantage of the SEH being placed
in multiple locations over the different OS's. Because of this, it should be
completely universal. :).
Also, we added SEH for enterprise and Standard, if you have a diff 2k3 then deal with it and write your own in.
C:\tools>nc -vv SERVER 1554
SERVER [192.168.1.93] 1554 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Real\RealPlayer>
*/
#include
#include
#include
char pre[]=
"\n"
" \n"
" \n"
" \n"
" \n"
" \n"
" \n"
" "
"";
char ove
Metasploit
RealNetworks RealPlayer SMIL Buffer Overflow
metasploit
This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584.
Bugzilla
CVE-2005-0455 security flaw
bugzilla · 2018-08-16 · CVSS 5.1 · [MEDIUM]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1 allows remote attackers to execute arbitrary code via a .SMIL file with a large system-screen-size value.
Bugzilla
HelixPlayer Vuln (CAN-2005-0455)
bugzilla · 2005-03-02 · [MEDIUM]
RealPlayer is also vulnerable; waiting on final 1.0.3 upstream release.
+++ This bug was initially created as a clone of Bug #150048 +++
Description of problem:
A couple buffer overflows.
http://www.idefense.com/application/poi/display?id=209&type=vulnerabilities
http://service.real.com/help/faq/security/050224_player/EN/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0455
Version-Release number of selected component (if applicable):
HelixPlayer-1.0.1.gold-6.i386.rpm
Additional info:
HelixPlayer 1.0.2, with fixes for these exploits, is available at:
https://player.helixcommunity.org/2004/downloads/
Discussion:
Looks to me like there's a HelixPlayer erratum now:
https://rhn.redhat.com/errata/RHSA-2005-271.html
Should this bug be closed? (And
Bugzilla
HelixPlayer Vuln (CAN-2005-0455)
bugzilla · 2005-03-01 · [MEDIUM]
Description of problem:
A couple buffer overflows.
http://www.idefense.com/application/poi/display?id=209&type=vulnerabilities
http://service.real.com/help/faq/security/050224_player/EN/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0455
Version-Release number of selected component (if applicable):
HelixPlayer-1.0.1.gold-6.i386.rpm
Additional info:
HelixPlayer 1.0.2, with fixes for these exploits, is available at:
https://player.helixcommunity.org/2004/downloads/
Discussion:
As far as I know 1.0.2 does not fix the issues; they are solved in a pending
1.0.3. Once that appears I'll upload it.
---
This was fixed in an FC3 update. Closing...
References:
- http://service.real.com/help/faq/security/050224_player
- http://www.idefense.com/application/poi/display?id=209&type=vulnerabilities
- http://www.redhat.com/support/errata/RHSA-2005-265.html
- http://www.redhat.com/support/errata/RHSA-2005-271.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10926