CVE-2008-1309
published 2008-03-12


Priority: P258 | Severity: critical | CVSS 2.0 score: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 45.95% (98.7th percentile)
The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | | |
| realnetworks | realplayer | | |
| realnetworks | realplayer | | |

Detection & IOCs (extracted from sources)

filename: rmoc3260.dll
other: RealAudioObjects.RealAudio (ActiveX ProgID/control)
other: 0x0C0C0C0C (heap spray return address)
bytes: %u0C0C%u0C0C (heap spray NOP sled pattern)

  • Detect ActiveX instantiation of the RealAudioObjects.RealAudio control (rmoc3260.dll) in a browser context, particularly when the Console or Controls property is set to a long string value repeatedly.
  • Look for heap spray patterns using the 0x0C0C0C0C address in browser memory or JavaScript unescape sequences containing %u0C0C%u0C0C, which is the NOP sled used in known exploits for this CVE.
  • Monitor for repeated property assignments of long strings to the Console or Controls properties of the RealAudioObjects.RealAudio ActiveX control, which triggers the use-after-free heap overwrite.
  • Flag browser crashes or abnormal termination when rmoc3260.dll is loaded, as denial-of-service via heap corruption is a known outcome of exploitation attempts.
  • Vulnerable versions are RealPlayer 10.5 before build 6.0.12.1675 and RealPlayer 11 before build 6.0.14.806; detections should be scoped to these version ranges to reduce false positives.
  • Red Hat Enterprise Linux 3 Extras, 4 Extras, and 5 Supplementary are confirmed not affected; exclude these platforms from detection scope.
  • The Metasploit module targets Windows XP SP0-SP3 with IE 6.0 SP0-2 and IE 7.0 English specifically; the heap spray offset and return address (0x0C0C0C0C) are target-specific and may differ for other configurations.
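
The detection notes above can be combined into a static content check for proxy or mail-gateway captures. The following is an added example, not code from this page or from any vendor; the function name `scan`, the verdict levels and the sample documents are assumptions, and only the ProgID, property names and `%u0C0C%u0C0C` pattern come from the IOC list.

```python
import re

# Indicators below come from the page's IOC list; the scoring is an assumption.
PROGID = re.compile(r"RealAudioObjects\.RealAudio", re.I)
SPRAY = re.compile(r"(?:%u0c0c){2,}", re.I)  # %u0C0C%u0C0C in any letter case
# COM property names are case-insensitive, so match .Console= and .controls=;
# (?!=) skips comparisons such as "x.Console == y".
PROP_ASSIGN = re.compile(r"\.\s*(?:Console|Controls)\s*=(?!=)", re.I)

def scan(content):
    """Statically score one HTML/JS document for CVE-2008-1309 indicators.

    Limits: instantiation through an <object classid=...> tag is not covered
    (the page lists only the ProgID), and strings assembled at run time or
    obfuscated will not match; treat a "none" verdict as "no static match".
    """
    progid = bool(PROGID.search(content))
    spray = bool(SPRAY.search(content))
    assigns = len(PROP_ASSIGN.findall(content))
    if not progid:
        verdict = "none"      # property/spray hits alone are not tied to this control
    elif assigns and spray:
        verdict = "high"      # control + affected property + spray pattern
    elif assigns:
        verdict = "medium"    # control used with an affected property
    else:
        verdict = "low"       # control embedded, affected properties untouched
    return {"progid": progid, "spray_pattern": spray,
            "prop_assignments": assigns, "verdict": verdict}

# Constructed, inert samples: indicator strings only, no payload.
SAMPLE_SUSPICIOUS = """<script>
var ra = new ActiveXObject("RealAudioObjects.RealAudio");
var filler = unescape("%u0C0C%u0C0C");
ra.Console = filler;
ra.Console = filler;
</script>"""
SAMPLE_BENIGN = '<script>var ra = new ActiveXObject("RealAudioObjects.RealAudio");</script>'
SAMPLE_UNRELATED = '<script>window.console = null; var s = "%u0C0C%u0C0C";</script>'

if __name__ == "__main__":
    for name, doc in [("suspicious", SAMPLE_SUSPICIOUS),
                      ("benign", SAMPLE_BENIGN),
                      ("unrelated", SAMPLE_UNRELATED)]:
        print(name, scan(doc))
```

Pair any "medium" or "high" verdict with the installed RealPlayer build on the requesting host before alerting, since patched builds are out of scope per the notes above.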

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat | 9.3 | CRITICAL