RealNetworks RealPlayer Code Execution Vulnerability (Jan 25, 2011)


RealPlayer is a closed source cross-platform media player by RealNetworks that plays a number of multimedia formats including MP3, MPEG-4, QuickTime, Windows Media, and multiple versions of proprietary RealAudio and RealVideo formats. The application can play media files from local file system or network servers.

RealPlayer can be bundled with ActiveX controls and plug-ins that implement various functions. One of the ActiveX controls called IERPPlugin, is linked to library ierpplug.dll. This control is associated with CLSID “FDC7A535-4070-4B92-A0EA-D9994BCC0DC5”, and ProgID “IERPCtl.IERPCtl.1”. This ActiveX control can be instantiated in a web page using the tag or via scripting. For example:


obj = new ActiveXObject("IERPCtl.IERPCtl.1")

The ActiveX Control IERPPlugin exposes a set of methods and properties that allows for playing media from the HTML pages using the RealPlayer client. RecordClip(), one of the methods, invokes the RecordingManager.exe utility installed with RealPlayer. The syntax of this method is shown below:

RecordClip (String url, String mimeType, String clipInfo)

RecordingManager.exe, which is invoked by RecordClip(), is the Web Download and Recording Manager component of the RealPlayer. This component can be used to monitor, pause, or stop the media download progress. This executable accepts a URL to a media file as an argument. By default, RecordingManager switches are not accessible through the RecordClip() method of the IERPPlugin.

A code execution vulnerability exists in RealPlayer IERPPlugin ActiveX control. The vulnerability is due to improper validation of the url parameter passed to the RecordClip() method of the ActiveX Control. An attacker may leverage this vulnerability to download arbitrary files on any location on the target host.

SonicWALL UTM Research team has investigated this vulnerability and created the following IPS signature to detect/prevent the attacks addressing this issue:

  • 6146 RealNetworks RealPlayer Injection Code Execution Attempt

This vulnerability is referred by CVE as CVE-2010-3749.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Pin It on Pinterest