CVE-2005-2710
published 2005-09-27


Priority: P3 (39) · Severity: medium · CVSS 2.0: 5.1
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 13.18% (95.9th percentile)
Format string vulnerability in Real HelixPlayer and RealPlayer 10 allows remote attackers to execute arbitrary code via the (1) image handle or (2) timeformat attribute in a RealPix (.rp) or RealText (.rt) file.

Affected (1 range)

Vendor: realnetworks
Product: realplayer
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

filename: *.rp
filename: *.rt
port: 4444
path: /usr/local/RealPlayer/realplay
process: realplay.bin
  • The exploit triggers the format string vulnerability via the 'image' handle or 'timeformat' attribute inside a crafted .rp (RealPix) or .rt (RealText) file delivered remotely (e.g., via a web link). Monitor RealPlayer/HelixPlayer processes opening .rp or .rt files from remote/untrusted sources.
  • The exploit spawns a bind shell on TCP port 4444 using embedded shellcode. Detect outbound or inbound connections to/from port 4444 originating from realplay or realplay.bin processes.
  • Shellcode is heap-mapped in the address range 0x0822****–0x082f**** during exploitation. Memory forensics or debugger-based detection can look for executable shellcode in this heap region within the RealPlayer process.
  • The exploit uses a format string payload embedded in the 'timeformat' XML attribute of the .rp file (fprintf with %N$n-style specifiers). Inspect .rp/.rt files for format string tokens (e.g., %n, %x, %hn) inside XML attributes.
  • The exploit uses /bin/nc (netcat) to connect back to the spawned shell. Detect child processes of realplay/realplay.bin spawning /bin/nc or /bin/sh.
  • The exploit's EBP-overwrite trampoline technique relies on the crafted .rp filename being stored in an environment variable at a predictable stack location. The author notes this is not stable: 'this is not a stable method as the user can freely manipulate their environment'.
  • The POC was tested specifically on Debian 3.1 with RealPlayer installed at /usr/local/RealPlayer. Different installation paths or distributions may require adjustments to the VULN path and stack pop count (STACKPOP=148).
  • The shellcode heap mapping range (0x0822****–0x082f****) is specific to the tested environment; ASLR or differing heap layouts on other systems will shift this range.
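As an added, defensive illustration of the file-inspection point above (this is not code from the referenced exploit or from the cvebase record), the following Python script parses a RealPix/RealText XML document and flags attribute values that carry printf-style conversion specifiers; the two sample .rp documents are constructed here for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# printf-style specifier: optional positional "N$", flags, width, precision,
# length modifier, then a conversion that is either a write primitive (n) or
# a read primitive commonly used to leak stack contents (x, X, p, s).
# This is a heuristic: a title such as "50%s off" would also be reported.
FMT_TOKEN = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?[nxXps]")


def find_format_tokens(value):
    """Return every printf-style specifier found in one attribute value."""
    return FMT_TOKEN.findall(value)


def scan_realpix(xml_text):
    """Parse a .rp/.rt document and list attributes carrying format tokens.

    Returns (tag, attribute, tokens) triples; an empty list means clean.
    Unparsable input is reported as a finding rather than ignored, because a
    crafted file need not be well-formed to reach the attribute handler.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<parse-error>", "", [str(exc)])]
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            tokens = find_format_tokens(value)
            if tokens:
                findings.append((elem.tag, attr, tokens))
    return findings


# Constructed sample documents (not taken from any real exploit file).
BENIGN_RP = """<imfl>
  <head title="slideshow" timeformat="dd:hh:mm:ss.xyz" width="256" height="256"/>
  <image handle="1" name="photo.jpg"/>
  <fadein start="0" duration="2" target="1"/>
</imfl>"""

SUSPICIOUS_RP = BENIGN_RP.replace('timeformat="dd:hh:mm:ss.xyz"',
                                  'timeformat="%7$x%n"')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RP), ("suspicious", SUSPICIOUS_RP)):
        print(label, scan_realpix(doc) or "clean")
```

The same scan can be pointed at a directory of downloaded .rp/.rt files, or wired into a mail or proxy content filter, to surface files worth a closer look before a player opens them.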

CVSS provenance

Source: nvd · CVSS v2.0 · 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
Source: vendor_redhat · 5.1 MEDIUM