CVE-2007-5601
Published 2007-10-20
PriorityP271critical9.3CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 42.37% (98.5th percentile)
Stack-based buffer overflow in the Database Component in MPAMedia.dll in RealNetworks RealPlayer 10.5 and 11 beta, and earlier versions including 10, RealOne Player, and RealOne Player 2, allows remote attackers to execute arbitrary code via certain playlist names, as demonstrated via the import method to the IERPCtl ActiveX control in ierpplug.dll.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | — | — |
| realnetworks | realplayer | — | — |
| realnetworks | realplayer | — | — |
Detection & IOCs (extracted from sources)
bytes: %75%06%74%04
- Monitor for instantiation of the IERPCtl ActiveX control (ProgID: IERPCtl.IERPCtl.1) from within Internet Explorer, particularly on Windows NT 5.x (XP/2003) targets.
- Detect calls to the Import() method of the IERPCtl ActiveX control with an excessively long second argument (playlist name), specifically strings exceeding 4756–4768 characters.
- Alert on web pages that create an ActiveXObject for RealPlayer and invoke Import() with a string argument of 30000+ characters, consistent with SEH-based stack overflow exploitation.
- Exploit targets are limited to Internet Explorer on Windows NT 5.x (XP/2003); filter for user-agent strings containing 'msie 6' or 'msie 7' combined with 'nt 5.' when hunting for exploit delivery pages.
- Look for the RET addresses 0x601aa72b and 0x614bd13b (from rpmn3260.dll) appearing in memory or network payloads as indicators of this specific exploit being used.
- Red Hat Enterprise Linux 3, 4 Extras, and 5 Supplementary are confirmed not affected; detection efforts should focus on Windows platforms running RealOne Player V2 (6.0.11.853) or RealPlayer 10.5 (6.0.12.1483).
CVSS provenance
- nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
- vulncheck · 9.3 · CRITICAL
- vendor_redhat · 9.3 · CRITICAL
GHSA
GHSA-gg6r-73rm-mqpm: Stack-based buffer overflow in the Database Component in MPAMedia
ghsa_unreviewed·2022-05-01
CVE-2007-5601 [HIGH] CWE-119 GHSA-gg6r-73rm-mqpm: Stack-based buffer overflow in the Database Component in MPAMedia
VulnCheck
realnetworks realplayer Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2007·CVSS 9.3
CVE-2007-5601 [CRITICAL] realnetworks realplayer Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: realnetworks realplayer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/; https://betanews.com/2008/05/19/t
Red Hat
CVE-2007-5601: Stack-based buffer overflow in the Database Component in MPAMedia
vendor_redhat·CVSS 9.3
CVE-2007-5601 [CRITICAL] CVE-2007-5601: Stack-based buffer overflow in the Database Component in MPAMedia
Statement: Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 and 4 Extras or with Red Hat Enterprise Linux 5 Supplementary.
No detection rules found.
Exploit-DB
RealPlayer - 'ierpplug.dll' ActiveX Control Playlist Name Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2007-5601 RealPlayer - 'ierpplug.dll' ActiveX Control Playlist Name Buffer Overflow (Metasploit)
---
##
# $Id: realplayer_import.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and
RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()"
method, an attacker may be able to execute arbitrary code.
},
'License'
Exploit-DB
RealPlayer 10.0/10.5/11 - 'ierpplug.dll' ActiveX Control Import Playlist Name Stack Buffer Overflow
exploitdb·2007-10-18
CVE-2007-5601 RealPlayer 10.0/10.5/11 - 'ierpplug.dll' ActiveX Control Import Playlist Name Stack Buffer Overflow
---
source: https://www.securityfocus.com/bid/26130/info
RealPlayer is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks of user-supplied input before copying it to an insufficiently sized memory buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the application using the affected control (typically Internet Explorer). Successful attacks can compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.
eval("function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7"
Metasploit
RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow
metasploit
This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()" method, an attacker may be able to execute arbitrary code.
- http://secunia.com/advisories/27248
- http://service.real.com/realplayer/security/191007_player/en/
- http://www.infosecblog.org/2007/10/nasa-bans-ie.html
- http://www.kb.cert.org/vuls/id/871673
- http://www.securityfocus.com/bid/26130
- http://www.securitytracker.com/id?1018843
- http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
- http://www.us-cert.gov/cas/techalerts/TA07-297A.html
- http://www.vupen.com/english/advisories/2007/3548
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37280