CVE-2011-2950
Published: 2011-08-18
Priority: P2 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 29.90% (98.0th percentile)
Heap-based buffer overflow in qcpfformat.dll in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.5 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted QCP file.
Affected (18 version ranges indexed; version bounds taken from the CVE description, no fixed version is recorded)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | 11.0 through 11.1 | — |
| realnetworks | realplayer | 14.0.0 through 14.0.5 | — |
| realnetworks | realplayer_sp | 1.0 through 1.1.5 | — |
Detection & IOCs (extracted from sources)
- The vulnerable DLL is qcpfformat.dll; monitor for heap overflow activity (large fmt chunk size) when this DLL processes a .QCP file delivered via browser.
- The exploit is triggered via a crafted 'fmt' chunk in a QCP/RIFF file; detect QCP files served over HTTP where the fmt chunk size field (the offset after the RIFF, QLCM and fmt headers) exceeds 0x96 (150 bytes), indicating overflow padding.
- The Metasploit module uses a heap spray targeting address 0x1414 (IE6) or 0x0c0c (IE7) on Windows XP SP3; detect JavaScript heap spray patterns with repeated %u1414%u1414 or %u0c0c%u0c0c unescape sequences in browser traffic.
- RealPlayer identifies itself with a User-Agent string containing 'RMA' (specifically 'RMA/1.0 (compatible; RealMedia)') when fetching the trigger .QCP file; correlate this UA with delivery of .QCP content of type application/octet-stream.
- The exploit delivers a .QCP file with an overflow_size of 700 bytes (0x2BC) of \x11 bytes appended to the fmt chunk; a network signature can match QCP files containing a run of 700 or more identical bytes (0x11) within the fmt chunk.
- The module supports optional JavaScript obfuscation via the OBFUSCATE option, which may evade signature-based JS detection.
- Payload space is limited to 1024 bytes in this exploit module configuration.
No detection rules found.
Exploit-DB
RealNetworks Realplayer - QCP Parsing Heap Overflow (Metasploit) · exploitdb · 2011-09-17
Module header as indexed (the listing is truncated in the source):

```ruby
##
# $Id: realplayer_qcp.rb 13745 2011-09-17 06:48:33Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The superclass, mixins, initialize and the 'Name' key were lost between
# "class Metasploit3 <" and "=>" when this listing was extracted.
class Metasploit3 "RealNetworks Realplayer QCP Parsing Heap Overflow",
  'Description' => %q{
    This module exploits a heap overflow in Realplayer when handling a .QCP file.
    The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is
    allocated on the heap and user-supplied data from the file is copied within a
    memory copy loop.
    This allows a remote attacker to execute
```
Metasploit
RealNetworks Realplayer QCP Parsing Heap Overflow · metasploit
This module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll. A static 256 byte buffer is allocated on the heap and user-supplied data from the file is copied within a memory copy loop. This allows a remote attacker to execute arbitrary code running in the context of the web browser via a .QCP file with a specially crafted "fmt" chunk. At this moment this module exploits the flaw on Windows XP IE6, IE7.
No writeups or analysis indexed.
References
- http://securityreason.com/securityalert/8388
- http://service.real.com/realplayer/security/08162011_player/en/
- http://www.securityfocus.com/bid/49172
- http://www.securitytracker.com/id?1025943
- http://zerodayinitiative.com/advisories/ZDI-11-265/