CVE-2013-7260: RealNetworks RealPlayer Stack-Based Buffer Overflow

RealPlayer is affected by multiple stack-based buffer overflow vulnerabilities (CVE-2013-7260). The flaw allows a remote attacker to execute arbitrary code and take complete control of the system. Affected versions of RealPlayer are before on Windows systems.

The vulnerability stems from the way the ‘version’ and ‘encoding’ attributes in the XML declaration of an RMP (RIFF MP3 Audio File) file are handled. If malicious data is placed in the ‘version’ or ‘encoding’ attribute inside the XML declaration of the RMP file, the result can be a crash or execution of arbitrary code.

Below is the view of the crafted RMP file in a hex editor, with a malicious value in the ‘version’ attribute.

This oversized input in the ‘version’ attribute leads to a stack-based buffer overflow, so a carefully crafted malicious value can result in execution of arbitrary code.
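As an added example (not code from this advisory or from RealNetworks), here is a length-checked extractor for the XML declaration's ‘version’ and ‘encoding’ attributes, the parsing step where the overflow described above occurs, together with a triage check a defender could run over the head of an RMP file. The 32-byte limit and the names xml_decl_attr and rmp_decl_is_suspicious are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Longest attribute value treated as legitimate; real declarations carry
 * values like version="1.0". Constructed limit, not a RealPlayer constant. */
#define MAX_DECL_ATTR 32

/* Copy the value of name="..." (or name='...') from the XML declaration at
 * `decl` into `out`. Returns the value length, 0 if absent or malformed, -1 if
 * it does not fit in `outsz`. The length is checked before any byte is
 * copied, which is the check a strcpy() into a fixed stack buffer lacks. */
int xml_decl_attr(const char *decl, const char *name, char *out, size_t outsz)
{
    const char *declend = strstr(decl, "?>");          /* stay inside the declaration */
    const char *p = strstr(decl, name);
    if (!p || (declend && p > declend)) return 0;
    p += strlen(name);
    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '=') return 0;
    while (*p == ' ' || *p == '\t') p++;
    char quote = *p++;
    if (quote != '"' && quote != '\'') return 0;
    const char *end = strchr(p, quote);
    if (!end) return -1;                               /* unterminated value: reject */
    size_t len = (size_t)(end - p);
    if (outsz == 0 || len >= outsz) return -1;         /* refuse; never overflow or truncate */
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Defender-side triage: true if the XML declaration at the start of an RMP
 * file carries a version or encoding value of MAX_DECL_ATTR bytes or more. */
bool rmp_decl_is_suspicious(const char *head)
{
    char buf[MAX_DECL_ATTR];
    const char *decl = strstr(head, "<?xml");
    if (!decl) return false;
    return xml_decl_attr(decl, "version", buf, sizeof buf) < 0 ||
           xml_decl_attr(decl, "encoding", buf, sizeof buf) < 0;
}

int main(void)
{
    /* constructed samples: a benign declaration and one with a 40-byte version value */
    printf("benign: %d\n", rmp_decl_is_suspicious("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"));
    printf("oversized: %d\n", rmp_decl_is_suspicious("<?xml version=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"?>"));
    return 0;
}
```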

Below is the figure showing the result of opening the crafted RMP file in Immunity Debugger. An exception is raised and the application jumps to the SEH chain.

The pointer to the exception handler is overwritten, and the stack now holds the shellcode (here, calculator shellcode); replacing it with malicious shellcode would leave malicious code on the stack.

At this point, the state of ESP and the stack is:

So the return instruction at 641930CA jumps to 0012FDE4 (the stack), where our calculator shellcode is located.

If an attacker sends a crafted RMP file and you open it in RealPlayer, or you visit a website hosting a malicious RMP file, the attacker could take complete control of your system.