CVE-2007-5601
published 2007-10-20

Priority P271 · critical · 9.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 42.37% (98.5th percentile)

Stack-based buffer overflow in the Database Component in MPAMedia.dll in RealNetworks RealPlayer 10.5 and 11 beta, and earlier versions including 10, RealOne Player, and RealOne Player 2, allows remote attackers to execute arbitrary code via certain playlist names, as demonstrated via the import method to the IERPCtl ActiveX control in ierpplug.dll.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
realnetworks | realplayer | |
realnetworks | realplayer | |
realnetworks | realplayer | |

Detection & IOCs (extracted from sources)

filename: MPAMedia.dll
filename: ierpplug.dll
other: IERPCtl.IERPCtl.1
command: Import("Firstrun\\audio.rm", <overly_long_string>, "", 0, 0)
other: 0x601aa72b
other: 0x614bd13b
filename: rpmn3260.dll
bytes: %75%06%74%04

  • Monitor for instantiation of the IERPCtl ActiveX control (ProgID: IERPCtl.IERPCtl.1) from within Internet Explorer, particularly on Windows NT 5.x (XP/2003) targets.
  • Detect calls to the Import() method of the IERPCtl ActiveX control with an excessively long second argument (playlist name), specifically strings exceeding 4756–4768 characters.
  • Alert on web pages that create an ActiveXObject for RealPlayer and invoke Import() with a string argument of 30000+ characters, consistent with SEH-based stack overflow exploitation.
  • Exploit targets are limited to Internet Explorer on Windows NT 5.x (XP/2003); filter for user-agent strings containing 'msie 6' or 'msie 7' combined with 'nt 5.' when hunting for exploit delivery pages.
  • Look for the RET addresses 0x601aa72b and 0x614bd13b (from rpmn3260.dll) appearing in memory or network payloads as indicators of this specific exploit being used.
  • Red Hat Enterprise Linux 3, 4 Extras, and 5 Supplementary are confirmed not affected; detection efforts should focus on Windows platforms running RealOne Player V2 (6.0.11.853) or RealPlayer 10.5 (6.0.12.1483).

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | 9.3 | CRITICAL
vendor_redhat | 9.3 | CRITICAL