CVE-2006-0323
published 2006-03-23


Priority: P347, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 16.74% (96.6th percentile)

Buffer overflow in swfformat.dll in multiple RealNetworks products and versions including RealPlayer 10.x, RealOne Player, Rhapsody 3, and Helix Player allows remote attackers to execute arbitrary code via a crafted SWF (Flash) file with (1) a size value that is less than the actual size, or (2) other unspecified manipulations.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
realnetworks | realplayer | |
realnetworks | realplayer | |
realnetworks | realplayer | |
realnetworks | rhapsody | |

Detection & IOCs (extracted from sources)

filename: swfformat.dll
filename: swfformat.so
filename: egg.swf
path: ./plugins/swfformat.so
bytes: \x46\x57\x53\x05\xCF\x00\x00\x00\x60
  • The malicious SWF file is crafted with a size value in the header that is less than the actual file size, triggering the buffer overflow in swfformat.dll/swfformat.so during parsing.
  • The PoC SWF exploit file begins with the magic bytes 46 57 53 (ASCII 'FWS') followed by version byte 0x05 and a deliberately undersized length field 0xCF 0x00 0x00 0x00. Detecting SWF files where the declared size field is smaller than the actual file size is a reliable trigger indicator.
  • The exploit payload uses a NOP sled of 135 bytes (0x90 repeated) inserted between the SWF header and the end-header block. Presence of a large NOP sled inside a SWF file body is a strong shellcode indicator.
  • The crash/exploitation occurs inside the CanUnload2 function of swfformat.so (Linux) / swfformat.dll (Windows). Monitor for crashes or unexpected code execution originating from these modules.
  • Affected products span multiple RealNetworks product lines; patching scope should cover all listed products.
  • The vulnerability exists in both the Windows DLL (swfformat.dll) and the Linux shared object (swfformat.so), so detection and patching must cover both platforms.
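
The two file-level indicators above (declared size smaller than the real size, and a long 0x90 run in the body) can be checked with a short scanner. This is an added example, not code from the advisory or its sources; `inspect_swf` and the `NOP_RUN_MIN` threshold are assumptions. It goes slightly beyond the text by also handling compressed (CWS) files, whose length field counts the decompressed file.

```python
import struct
import zlib

NOP_RUN_MIN = 32  # assumed threshold; tune for your corpus


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect_swf(data: bytes) -> dict:
    """Flag an SWF whose declared length is below its real length,
    or whose body holds a long run of 0x90 bytes."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    declared = struct.unpack_from("<I", data, 4)[0]  # little-endian length
    body = data[8:]
    if data[:3] == b"CWS":
        # Compressed SWF: the length field counts the decompressed file.
        body = zlib.decompress(body)
    actual = 8 + len(body)
    nop_run = longest_run(body, 0x90)
    return {
        "version": data[3],
        "declared_size": declared,
        "actual_size": actual,
        "undersized": declared < actual,
        "nop_run": nop_run,
        "suspicious": declared < actual or nop_run >= NOP_RUN_MIN,
    }


# Constructed samples (not real files). The first reuses the 9 header bytes
# listed above; the 0x00 filler only pads it past the declared 0xCF bytes.
PAGE_HEADER = b"\x46\x57\x53\x05\xCF\x00\x00\x00\x60"
FLAGGED = PAGE_HEADER + b"\x90" * 135 + b"\x00" * 100
CLEAN_BODY = b"\x60" + b"\x00" * 20
CLEAN_LEN = struct.pack("<I", 8 + len(CLEAN_BODY))
CLEAN = b"FWS\x05" + CLEAN_LEN + CLEAN_BODY
CLEAN_CWS = b"CWS\x06" + CLEAN_LEN + zlib.compress(CLEAN_BODY)

if __name__ == "__main__":
    for name, blob in (("flagged", FLAGGED), ("clean", CLEAN), ("cws", CLEAN_CWS)):
        print(name, inspect_swf(blob))
```
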

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat | 9.3 | CRITICAL