There are multiple stack overflows in the ierpplug.dll ActiveX Control. These issues were originally discovered by shinnai, http://www.securityfocus.com/bid/22811 and http://www.securityfocus.com/bid/21802. I am adding the Import() and PlayerProperty() functions to the list. This was tested on Windows XP SP2 fully patched, using IE 6; RealPlayer version 11, build 6.0.14.738, dist R41R01, ierpplug.dll version 1.0.1.3016. I have not tested code execution. PoC as follows: ------------ ------------ After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I originally posted is really http://www.securityfocus.com/bid/26130, although I am not sure why Linux is listed under the "Vulnerable" section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer(which I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID. PoC as follows: ------------- ------------- Elazar _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/