CVE-2013-7260
Published 2014-01-03
Priority P262 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 66.88% (99.2th percentile)
Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877.
Affected
45 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | <= 17.0.4.60 | — |
Detection & IOCs (extracted from sources)
- bytes: \xeb\x06\x90\x90 (nSEH: JMP 6 bytes short)
- bytes: 0x5acceecd — ADD ESP,428 # RETN 10 [mswmdm.dll] (SEH overwrite)
- bytes: ROP chain anchored at 0x77c1c552 (RETN ROP NOP, msvcrt.dll)
- bytes: Shellcode bytes: \xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a... (windows/exec CMD=calc.exe, 395 bytes)
- Trigger file is a specially crafted .RMP file containing an XML declaration with an oversized version or encoding attribute; look for .RMP files with XML declarations exceeding normal length bounds.
- Exploit targets RealPlayer versions 16.0.3.51 and 16.0.2.32 on Windows; presence of these versions combined with .RMP file processing should be treated as high-risk.
- Exploit uses a DEP bypass via ROP chain built entirely from msvcrt.dll gadgets, culminating in a VirtualProtect() call; monitor for RealPlayer spawning child processes or calling VirtualProtect on stack regions.
- SEH-based exploitation path: two SEH overwrites are embedded in the payload (one for click-open at offset 1858+44, one for menu-open at offset 11052+44); detect structured exception handler chain corruption in RealPlayer process.
- The overflow is triggered by the XML version or encoding declaration in an RMP file; YARA/AV rules should flag .RMP files containing an XML declaration (<?xml) with a version or encoding attribute value longer than ~44 bytes.
- ROP gadget addresses (msvcrt.dll, mswmdm.dll) are hardcoded for specific Windows XP SP2/SP3 module base addresses and will not be reliable on other OS versions or with ASLR enabled.
- The vulnerability affects RealPlayer before 17.0.4.61 on Windows and Mac RealPlayer before 12.0.1.1738; the public exploit specifically targets 16.0.3.51 and 16.0.2.32 and may require adaptation for other in-range versions.
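One way to implement the length check described in the detection notes above, as an added example (not code from the advisory sources or from any vendor tool): a Python scanner that measures the version and encoding values in an RMP file's XML declaration. The 44-byte limit follows the "~44 bytes" guidance above; the 256-byte declaration bound, the 64 KiB scan window and the sample files are assumptions constructed for illustration.

```python
import re

MAX_ATTR_LEN = 44        # from the page's "~44 bytes" guidance; tune per corpus
MAX_DECL_LEN = 256       # assumed sanity bound for a whole XML declaration
SCAN_WINDOW = 64 * 1024  # assumed: only look for "<?xml" near the file start

_DECL_START = re.compile(rb"<\?xml\b", re.IGNORECASE)
# Closing quote is optional so an unterminated, oversized value is still measured.
_ATTR = re.compile(rb"\b(version|encoding)\s*=\s*(?:\"([^\"]*)\"?|'([^']*)'?)",
                   re.IGNORECASE)


def scan_rmp(data: bytes) -> list:
    """Return findings for the XML declaration in the raw bytes of an .RMP file."""
    findings = []
    start = _DECL_START.search(data, 0, SCAN_WINDOW)
    if start is None:
        return findings
    end = data.find(b"?>", start.end())
    if end == -1:
        # No "?>" at all: measure everything after "<?xml" instead of giving up.
        findings.append("xml-declaration-unterminated")
        end = len(data)
    decl = data[start.end():end]
    if len(decl) > MAX_DECL_LEN:
        findings.append(f"xml-declaration-length={len(decl)}")
    for attr in _ATTR.finditer(decl):
        value = attr.group(2) if attr.group(2) is not None else attr.group(3)
        if len(value) > MAX_ATTR_LEN:
            name = attr.group(1).decode("ascii").lower()
            findings.append(f"{name}-length={len(value)}")
    return findings


# Constructed samples: benign filler only, body elements are placeholders.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?>\n<PACKAGE/>\n'
LONG_VERSION = b'<?xml version="' + b"1" * 300 + b'"?>\n<PACKAGE/>\n'
LONG_ENCODING = b'<?xml version="1.0" encoding="' + b"U" * 100 + b'"?>\n<PACKAGE/>\n'
UNTERMINATED = b'<?xml version="' + b"1" * 500

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("long version", LONG_VERSION),
                          ("long encoding", LONG_ENCODING),
                          ("unterminated", UNTERMINATED)]:
        print(f"{label}: {scan_rmp(sample) or 'clean'}")
```

The scanner assumes an ASCII-compatible encoding; UTF-16 files would need decoding before the check.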
GHSA
GHSA-rcgv-75hg-vhm9: Heap-based buffer overflow in RealNetworks RealPlayer before 17
ghsa_unreviewed · 2022-05-17 · CVSS 7.5 · CVE-2013-6877 [HIGH] · CWE-119
Heap-based buffer overflow in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allows remote attackers to execute arbitrary code via a long string in the TRACKID element of an RMP file, a different vulnerability than CVE-2013-7260.
GHSA
GHSA-vjg2-r394-94r6: Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17
ghsa_unreviewed · 2022-05-13 · CVSS 9.3 · CVE-2013-7260 [CRITICAL] · CWE-119
Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877.
No detection rules found.
Exploit-DB
RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow
exploitdb · 2013-12-24 · CVSS 7.5 · CVE-2013-7260 [HIGH]
---
#!/usr/bin/perl
#-----------------------------------------------------------------------------#
# Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow #
# Date: Dec 20 2013 #
# Exploit Author: Gabor Seljan #
# Vendor Homepage: http://www.real.com #
# Software Link: http://www.oldapps.com/real.php?old_real_player=12814 #
# Version: 16.0.3.51, 16.0.2.32 #
# Tested on: Windows XP SP2/SP3 (DEP Bypass) #
# CVE: CVE-2013-7260 #
#-----------------------------------------------------------------------------#
use strict;
use warnings;
my $filename = "sploit.rmp";
my $junk1 = "\x41" x 44; # Offset to ROP + Shellcode
my $junk2 = "\x43" x 1858; # Offset to SEH when opening via click (25
Metasploit
RealNetworks RealPlayer Version Attribute Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow vulnerability in versions 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by improper bounds checking of the version and encoding attributes inside the XML declaration. By persuading the victim to open a specially-crafted .RMP file, a remote attacker could execute arbitrary code on the system or cause the application to crash.
No writeups or analysis indexed.
http://service.real.com/realplayer/security/12202013_player/en/
http://www.exploit-db.com/exploits/30468/
http://www.kb.cert.org/vuls/id/698278
http://www.securityfocus.com/bid/64695
https://exchange.xforce.ibmcloud.com/vulnerabilities/90160