CVE-2006-0323
Published 2006-03-23
Priority P347 · critical · CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public PoC available
EPSS: 16.74% (96.6th percentile)
Buffer overflow in swfformat.dll in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, Rhapsody 3, and Helix Player allows remote attackers to execute arbitrary code via a crafted SWF (Flash) file with (1) a size value that is less than the actual size, or (2) other unspecified manipulations.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | — | — |
| realnetworks | realplayer | — | — |
| realnetworks | realplayer | — | — |
| realnetworks | rhapsody | — | — |
Detection & IOCs (extracted from sources)
Bytes: `\x46\x57\x53\x05\xCF\x00\x00\x00\x60`
- The malicious SWF file is crafted with a size value in the header that is less than the actual file size, triggering the buffer overflow in swfformat.dll/swfformat.so during parsing.
- The PoC SWF exploit file begins with the magic bytes 46 57 53 (ASCII 'FWS') followed by version byte 0x05 and a deliberately undersized length field 0xCF 0x00 0x00 0x00. Detecting SWF files where the declared size field is smaller than the actual file size is a reliable trigger indicator.
- The exploit payload uses a NOP sled of 135 bytes (0x90 repeated) inserted between the SWF header and the end-header block. Presence of a large NOP sled inside a SWF file body is a strong shellcode indicator.
- The crash/exploitation occurs inside the CanUnload2 function of swfformat.so (Linux) / swfformat.dll (Windows). Monitor for crashes or unexpected code execution originating from these modules.
- Affected products span multiple RealNetworks product lines; patching scope should cover all listed products.
- The vulnerability exists in both the Windows DLL (swfformat.dll) and the Linux shared object (swfformat.so), so detection and patching must cover both platforms.
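As an added defender-side example (not code from any of the sources on this page), the undersized-length indicator above can be turned into a simple triage check: parse the fixed 8-byte SWF header and compare the declared FileLength with the real size of the blob. The 9-byte prefix is the one quoted on this page; the padding, the compressed sample and the function names are constructed for the example.

```python
import struct

# 9-byte header prefix quoted on this page: 'FWS', version 5, declared
# FileLength 0xCF (207), then the first byte of the frame-size RECT.
PAGE_HEADER = b"\x46\x57\x53\x05\xCF\x00\x00\x00\x60"

def parse_swf_header(data: bytes) -> dict:
    """Parse the fixed 8-byte SWF header: 3-byte signature, version, FileLength (uint32 LE)."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig, version, declared = struct.unpack("<3sBI", data[:8])
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF signature: %r" % sig)
    return {"signature": sig.decode("ascii"), "version": version,
            "declared_length": declared}

def check_swf_length(data: bytes) -> dict:
    """Compare the declared FileLength with the real size of the blob.

    FileLength covers the whole file including the 8-byte header. For 'CWS'
    (zlib-compressed) files it is the *uncompressed* size, so the comparison is
    only meaningful after inflating the body; those are reported as not checked.
    """
    result = parse_swf_header(data)
    result["actual_length"] = len(data)
    if result["signature"] == "CWS":
        result["verdict"] = "not_checked_compressed"
    elif result["declared_length"] < result["actual_length"]:
        result["verdict"] = "suspicious_undersized_length"   # the indicator from this page
    elif result["declared_length"] > result["actual_length"]:
        result["verdict"] = "truncated_file"                 # declared more than present
    else:
        result["verdict"] = "ok"
    return result

def make_benign_swf(body_len: int) -> bytes:
    """Constructed well-formed 'FWS' blob whose FileLength matches its real size."""
    return b"FWS\x05" + struct.pack("<I", 8 + body_len) + b"\x00" * body_len

# Constructed samples: the page's header followed by padding (declared 207, actual 309),
# and a compressed-signature blob that the size check deliberately skips.
SUSPICIOUS_SAMPLE = PAGE_HEADER + b"\x00" * 300
CWS_SAMPLE = b"CWS\x05" + struct.pack("<I", 1000) + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in (("page-header sample", SUSPICIOUS_SAMPLE),
                       ("benign sample", make_benign_swf(300)),
                       ("compressed sample", CWS_SAMPLE)):
        print(name, check_swf_length(blob))
```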
CVSS provenance
- NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- Red Hat (vendor): 9.3 CRITICAL
GHSA
GHSA-cmx3-qq55-47x6: Buffer overflow in swfformat
Source: ghsa_unreviewed · 2022-05-01 · severity HIGH · CWE-119
Description: identical to the CVE description above.
Red Hat
CVE-2006-0323: security flaw
Source: vendor_redhat · 2006-03-22 · CVSS 9.3 (CRITICAL)
Description: identical to the CVE description above.
No detection rules found.
Exploit-DB
RealPlayer 10.5 (6.0.12.1040-1348) - SWF Buffer Overflow (PoC)
Source: exploitdb · 2006-03-28 · CVSS 9.3 (CRITICAL)
---
```perl
#!/usr/bin/perl
###################################################
# RealPlayer: Buffer overflow vulnerability / PoC
#
# CVE-2006-0323
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323
#
# RealNetworks Advisory
# http://service.real.com/realplayer/security/03162006_player/en/
#
# Federico L. Bossi Bonin
# fbossi[at]netcomm.com.ar
###################################################
# Program received signal SIGSEGV, Segmentation fault.
# [Switching to Thread -1218976064 (LWP 21932)]
# 0xb502eeaf in CanUnload2 () from ./plugins/swfformat.so
my $EGGFILE="egg.swf";
my $header="\x46\x57\x53\x05\xCF\x00\x00\x00\x60";
my $endheader="\x19\xe4\x7d\x1c\xaf\xa3\x92\x0c\x72\xc1\x80\x00\xa2\x08\x01".
"\x00\x00\x00\x00\
```
Exploit-DB
RealNetworks (Multiple Products) - Multiple Buffer Overflow Vulnerabilities
Source: exploitdb · 2006-03-23 · CVSS 9.3 (CRITICAL)
---
Source: https://www.securityfocus.com/bid/17202/info
Various RealNetworks products are prone to multiple buffer-overflow vulnerabilities.
These issues can result in memory corruption and facilitate arbitrary code execution. A successful attack can allow remote attackers to execute arbitrary code in the context of the application to gain unauthorized access.
Bugzilla
CVE-2006-0323 security flaw
Source: bugzilla · 2018-08-16 · CVSS 9.3 (CRITICAL)
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description: identical to the CVE description above.
Bugzilla
CVE-2006-0323 RealPlayer SWF file buffer overflow
Source: bugzilla · 2006-03-03 · CVSS 9.3 (CRITICAL)
Playing a maliciously fashioned swf file (flash media) could cause a buffer overrun and crash.
Discussion:
This issue should also affect RHEL3
---
embargo moved by Real to March 16th
---
embargo moved by Real to March 20th
---
This issue is public:
http://service.real.com/realplayer/security/03162006_player/en/
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0257.html
References
- http://secunia.com/advisories/19358
- http://secunia.com/advisories/19362
- http://secunia.com/advisories/19365
- http://secunia.com/advisories/19390
- http://securityreason.com/securityalert/690
- http://securitytracker.com/id?1015806
- http://www.gentoo.org/security/en/glsa/glsa-200603-24.xml
- http://www.kb.cert.org/vuls/id/231028
- http://www.novell.com/linux/security/advisories/2006_18_realplayer.html
- http://www.redhat.com/support/errata/RHSA-2006-0257.html
- http://www.securityfocus.com/archive/1/430621/100/0/threaded
- http://www.securityfocus.com/bid/17202
- http://www.service.real.com/realplayer/security/03162006_player/en/
- http://www.vupen.com/english/advisories/2006/1057
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25408