1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. Web Attack: RealPlayer RecordClip Param Injection

Web Attack: RealPlayer RecordClip Param Injection

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to perform parameter injection trick in RecordClip function.

Additional Information

Real Networks RealPlayer SP is a media player available for multiple platforms.

The application is prone to a remote code-execution vulnerability that occurs when injecting specific characters into the arguments of the 'RecordClip' method. Specifically, an attacker can use the '/t' and '/f' switches to download a crafted '.mp3' file to an arbitrary location on the system and execute batch commands. An attacker may exploit the issue via the RealPayer ActiveX control identified by CLSID:

FDC7A535-4070-4B92-A0EA-D9994BCC0DC5

An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage.

Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.

Versions prior to and including RealPlayer SP 1.1 for Windows are vulnerable.

NOTE: This issue was previously discussed in BID 44144 (Real Networks RealPlayer SP and RealPlayer Enterprise Multiple Security Vulnerabilities) but has been given its own record to better document it.

Affected

  • RealPlayer SP 1.1

Response

Updates are available. Please see the references for details.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube