cbcvebase.
CVE-2011-2950
published 2011-08-18

Priority: P2 · 60 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: yes (public exploit available)
EPSS: 29.90% (98.0th percentile)
Heap-based buffer overflow in qcpfformat.dll in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted QCP file.

Affected (18 ranges)

Vendor         Product         Version range   Fixed in
realnetworks   realplayer      (8 rows; range and fixed-in cells empty)
realnetworks   realplayer_sp   (10 rows; range and fixed-in cells empty)

Detection & IOCs (extracted from sources)

Filename: qcpfformat.dll
  • The vulnerable DLL is qcpfformat.dll; monitor for heap overflow activity (large fmt chunk size) when this DLL processes a .QCP file delivered via browser.
  • Exploit is triggered via a crafted 'fmt' chunk in a QCP/RIFF file; detect QCP files served over HTTP where the fmt chunk size field (offset after RIFF+QLCM+fmt headers) exceeds 0x96 (150 bytes), indicating overflow padding.
  • The Metasploit module uses a heap spray targeting address 0x1414 (IE6) or 0x0c0c (IE7) on Windows XP SP3; detect JavaScript heap spray patterns with repeated %u1414%u1414 or %u0c0c%u0c0c unescape sequences in browser traffic.
  • RealPlayer identifies itself with a User-Agent string containing 'RMA' (specifically 'RMA/1.0 (compatible; RealMedia)') when fetching the trigger .QCP file; correlate this UA with delivery of .QCP content served with Content-Type application/octet-stream.
  • The exploit delivers a .QCP file with an overflow_size of 700 bytes (0x2BC) of \x11 bytes appended to the fmt chunk; a network signature can match QCP files containing a run of 700+ identical bytes (0x11) within the fmt chunk.
  • The module supports optional JavaScript obfuscation via the OBFUSCATE option, which may evade signature-based JS detection.
  • Payload space is limited to 1024 bytes in this exploit module configuration.
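As an added example (not code from the original page, from RealNetworks, or from any detection tool), the following Python walks a RIFF/QLCM container and applies the two file-level heuristics from the bullets above: a `fmt ` chunk whose declared size exceeds 0x96 (150 bytes), and a run of 700 or more identical bytes inside that chunk. The container layout it assumes (a `RIFF` header, the `QLCM` form type, then chunks with a four-byte tag and a little-endian 32-bit size, padded to even length) is the standard RIFF layout; the two sample inputs are constructed for the demonstration, and the minimal container produced by `build_qcp` is not a playable QCP file.

```python
import struct

FMT_CHUNK_MAX = 0x96       # 150 bytes: the fmt chunk size of a well-formed QCP file
PAD_RUN_THRESHOLD = 700    # signature from the IOC notes: 700+ identical bytes in the fmt chunk


def iter_riff_chunks(data):
    """Yield (fourcc, declared_size, payload) for each chunk after the 12-byte RIFF header."""
    off = 12  # skip 'RIFF' <u32 size> 'QLCM'
    while off + 8 <= len(data):
        fourcc = data[off:off + 4]
        (size,) = struct.unpack_from("<I", data, off + 4)
        payload = data[off + 8:off + 8 + size]   # may be shorter than size if the file is truncated
        yield fourcc, size, payload
        off += 8 + size + (size & 1)             # RIFF chunks are padded to an even length


def longest_run(buf):
    """Return (length, byte_value) of the longest run of one repeated byte in buf."""
    best_len, best_val, cur_len, prev = 0, None, 0, None
    for b in buf:
        cur_len = cur_len + 1 if b == prev else 1
        prev = b
        if cur_len > best_len:
            best_len, best_val = cur_len, b
    return best_len, best_val


def inspect_qcp(data):
    """Return a list of detection findings for a candidate QCP file; an empty list means nothing matched."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"QLCM":
        return ["not a RIFF/QLCM container"]
    for fourcc, size, payload in iter_riff_chunks(data):
        if fourcc != b"fmt ":
            continue
        # Heuristic 1: the declared fmt chunk size is larger than a legitimate 150-byte fmt chunk.
        if size > FMT_CHUNK_MAX:
            findings.append(f"fmt chunk size {size:#x} exceeds {FMT_CHUNK_MAX:#x}")
        if size != len(payload):
            findings.append("fmt chunk declared size runs past end of file")
        # Heuristic 2: a long run of one byte value inside the fmt chunk (overflow padding).
        run_len, run_val = longest_run(payload)
        if run_len >= PAD_RUN_THRESHOLD:
            findings.append(f"run of {run_len} identical bytes ({run_val:#04x}) in fmt chunk")
        break
    else:
        findings.append("no fmt chunk found")
    return findings


def build_qcp(fmt_payload):
    """Constructed sample helper: wrap a fmt payload in a minimal RIFF/QLCM container (not a real codec file)."""
    body = b"QLCM" + b"fmt " + struct.pack("<I", len(fmt_payload)) + fmt_payload
    if len(fmt_payload) & 1:
        body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed 150-byte fmt chunk with varied bytes, and an
# oversized one padded with a run of 0x11 bytes as described in the IOC notes.
BENIGN = build_qcp(bytes(range(FMT_CHUNK_MAX)))
SUSPICIOUS = build_qcp(bytes(FMT_CHUNK_MAX) + b"\x11" * 700)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_qcp(sample) or ["clean"])
```

Running the block prints one line per sample; `inspect_qcp` returns the findings as a list so the same check can be dropped into a proxy or mail-gateway scanner that already extracts RIFF attachments. Both heuristics are deliberately conservative: a size field above 0x96 is the primary signal, and the byte-run check only adds confidence, since a padded chunk built from varied bytes would not trip it.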