CVE-2010-3747
Published 2010-10-19
Priority P259 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS 35.35% (98.2th percentile)
An ActiveX control in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, and RealPlayer Enterprise 2.1.2 does not properly initialize an unspecified object component during parsing of a CDDA URI, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer dereference and application crash) via a long URI.
Affected
17 ranges (8 for realplayer, 9 for realplayer_sp); version boundaries and fix versions are not populated in this record, so the duplicate rows are collapsed below.

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | — | — |
| realnetworks | realplayer_sp | — | — |
Detection & IOCs (extracted from sources)
- Detect abnormally long CDDA URIs passed to the RealPlayer ActiveX control; the exploit constructs a URI of the form 'cdda://' followed by 750 repetitions of a 4-byte return address (3000+ bytes total).
- The exploit delivers a heap-spray via JavaScript using unescape() with NOP sleds and shellcode, then calls DoPlay on the RealPlayer ActiveX object with the malicious CDDA URI; monitor for ActiveX DoPlay invocations with oversized cdda:// arguments in browser traffic.
- The Metasploit module serves the exploit as Content-Type: text/html; network signatures should look for HTML responses containing both a cdda:// URI and JavaScript heap-spray patterns (unescape + array allocation loop).
- The uninitialized pointer dereference is triggered via the instruction 'call [esi+45b]'; memory forensics or crash dumps showing EIP control at this call site indicate successful exploitation.
- The Metasploit module randomizes all JavaScript variable names and the ActiveX object ID on each request, making static string-based signatures unreliable for those identifiers.
- The return address used in the ret-slide is 0x21212121 for both listed targets ('Universal' targeting); this value is the same for RealPlayer SP 1.0–1.1.4 and RealPlayer 11.0–11.1, suggesting heap-spray rather than a precise ROP gadget. Detections based on this specific address pattern are valid for the Metasploit implementation, but custom exploits may differ.
- Payload bad characters are limited to null bytes only ('\x00'), meaning most shellcode encoders will produce valid payloads; do not rely on null-byte filtering as a mitigation.
No detection rules found.
Exploit-DB
RealNetworks RealPlayer - CDDA URI Initialization (Metasploit)
exploitdb · 2011-03-17 · CVE-2010-3747
---
```ruby
##
# $Id: realplayer_cdda_uri.rb 12009 2011-03-17 15:42:28Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (rank and mixin declarations between the class header and initialize
  #  are not shown on this page)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability',
      'Description' => %q{
          This module exploits an initialization flaw within RealPlayer 11/11.1 and
          RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object
          initialization failure. However, this failure is improperly handled and
          uninitialized memory executed.
      },
      'License'     => MSF_LICENSE
      # (remainder of the module is truncated on the source page)
```
Exploit-DB
Apache mod_rewrite - LDAP protocol Buffer Overflow (Metasploit)
exploitdb · 2010-02-15 · CVE-2006-3747
---
```ruby
##
# $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (rank and mixin declarations between the class header and initialize
  #  are not shown on this page)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
      'Description' => %q{
          This module exploits the mod_rewrite LDAP protocol scheme handling
          flaw discovered by Mark Dowd, which produces an off-by-one overflow.
          Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
          This module requires REWRITEPATH to be set accurately. In addition,
          the target
      },
      # (description and remainder of the module are truncated on the source page)
```
Metasploit
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
metasploit
This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory executed.
No writeups or analysis indexed.
References
- http://securityreason.com/securityalert/8147
- http://service.real.com/realplayer/security/10152010_player/en/
- http://www.securityfocus.com/bid/44144
- http://www.zerodayinitiative.com/advisories/ZDI-10-210/