RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow

From: Piotr Bania (
Date: 04/20/05

    Date: Wed, 20 Apr 2005 07:08:47 +0200

            RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow
            by Piotr Bania <>

            Original location:

            Severity: Critical - Remote code execution.

            Software affected: (WINDOWS)
                                    RealPlayer 10.5 ( - 1059)
                                    RealPlayer 10
                                    RealOne Player v2
                                    RealOne Player v1
                                    RealPlayer 8
                                    RealPlayer Enterprise

                                    Mac RealPlayer 10 ( - 331)
                                    Mac RealOne Player

                                    Linux RealPlayer 10 (10.0.0 - 3)
                                    Helix Player (10.0.0 - 3)

            I. BACKGROUND

            RealPlayer is surely one of the most popular media players in use
            today, with over 200 million users worldwide.

            II. DESCRIPTION

            The problem exists when RealPlayer parses a specially crafted .ram
            file. Normally a .ram file looks like this:

  | \

            This causes RealPlayer to contact "" and try to download and play
            the selected clip. The problem occurs when the host string is too
            long, as here:

            http://www.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.<...>. \
            .org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro| \

            While parsing such a crafted .ram file, heap memory is corrupted
            at multiple locations, for example:


            ----// SNIP SNIP //--------------------------------------------
            (MODULE PNEN3260)
            01053089 76 0D JBE SHORT pnen3260.01053098
            0105308B 8B53 15 MOV EDX,DWORD PTR DS:[EBX+15]
            0105308E 890496 MOV DWORD PTR DS:[ESI+EDX*4],EAX<---
            01053091 8B43 15 MOV EAX,DWORD PTR DS:[EBX+15]
            01053094 40 INC EAX
            01053095 8943 15 MOV DWORD PTR DS:[EBX+15],EAX
            ----// SNIP SNIP //--------------------------------------------


            ----// SNIP SNIP //---------------------------------------------
            (MODULE PNCRT - PNCRT!strncpy+0x8b)
            60A2FA59 8917 MOV DWORD PTR DS:[EDI],EDX
            60A2FA5B 83C7 04 ADD EDI,4
            60A2FA5E 49 DEC ECX
            60A2FA5F ^74 AF JE SHORT PNCRT.60A2FA10
            ----// SNIP SNIP //---------------------------------------------

            In the code above, EDI points to a heap location and EDX holds
            bytes read from the file. The instruction at 60A2FA59 writes the
            value of the EDX register to the location EDI points to (heap
            memory), which corrupts the heap.
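            As an added illustration (not code from the advisory or from RealNetworks), here is a .ram host extractor whose copy length is bounded by the destination rather than by the input, plus a scanner a proxy or mail filter could use to flag files with overlong hosts. The 255-byte host limit, the www.example.org host and the sample .ram body are assumptions constructed for the example.

```c
#include <string.h>

/* Assumed hostname limit (the DNS maximum); the advisory does not state
 * the size of the player's own heap buffer. */
#define RAM_HOST_MAX 255

/* Constructed sample .ram body: a normal line, then one whose host is
 * overlong in the style of the advisory's crafted file. */
#define A10 "ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC.ABC."
static const char SAMPLE_RAM[] =
    "http://www.example.org/media/getmetafile.ram?pinfo=fid:2663610|bw:MULTI|mt:ro|\n"
    "http://www." A10 A10 A10 A10 A10 A10 A10 "org/media/getmetafile.ram\n";

/* Copy the host of an http:// URL line into out. Returns the host length,
 * -1 if the line is not an http URL or has no host, -2 if the host does
 * not fit. The length is bounded by the destination; the faulty strncpy
 * in PNCRT took its count from the input and overran a fixed heap buffer. */
int ram_extract_host(const char *line, char *out, size_t outsz)
{
    if (strncmp(line, "http://", 7) != 0)
        return -1;
    const char *host = line + 7;
    size_t hlen = strcspn(host, "/? \t\r\n"); /* ends at path, query, EOL */
    if (hlen == 0)
        return -1;
    if (hlen >= outsz)
        return -2;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return (int)hlen;
}

/* Count lines of a .ram body whose host exceeds RAM_HOST_MAX, so a proxy
 * or mail filter can flag a crafted file before the player opens it. */
int ram_count_overlong_hosts(const char *body)
{
    char host[RAM_HOST_MAX + 1];
    int bad = 0;
    const char *p = body;

    while (*p) {                        /* one URL per line */
        if (ram_extract_host(p, host, sizeof host) == -2)
            bad++;
        p += strcspn(p, "\n");
        if (*p == '\n')
            p++;
    }
    return bad;
}
```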

            III. IMPACT

            Successful exploitation may allow an attacker to run arbitrary
            code in the context of the user running RealPlayer.


            I would like to acknowledge the cooperation and responsiveness
            of the people at RealNetworks. Security patches are available at

    best regards,
    Piotr Bania

    Piotr Bania - <> - 0xCD, 0x19
    Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33  - Key ID: 0xBE43AC33
