Category: Application (Multimedia) > RealOne (RealPlayer)
Vendors: RealNetworks
RealOne Player Input Validation Flaw Permits Remote Script Execution
SecurityTracker Alert ID: 1008647
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 8 2004
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 2.0, Build
Description: An input validation vulnerability was reported in RealOne Player. A remote user can execute scripting code in the security zone of the last page the player loaded, which can be the Local Computer ("My Computer") or Local Intranet zone.

Arman Nayyeri reported that the player does not filter script URLs from SMIL (.smi) files. A remote user can reportedly create a .smi file that, when loaded by the target user, will execute arbitrary JavaScript code. The code may be able to access and modify files on the target user's system.

According to the report, the August 19, 2003 security update does not stop the variant in which the script URL is prefixed with file:, so a link target of the following form triggers the flaw:

file:javascript:document.write('[JSCODE]')

The report states that the script runs in the security zone of the last page that was loaded into the player, and that the exploit works even when Active Scripting is disabled in the browser.

A demonstration exploit (a harmless .exe) and a zip file containing the .smi file were provided with the report.

Impact: A remote user can create a .smi file (or a web page that loads one) that, when loaded by a target user, will run malicious scripting code in the local security zone. The code can, for example, modify files on the target system.
Solution: No solution was available at the time of this entry.
Cause: Input validation error
Underlying OS: Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  RealNetworks fails to address Cross-Site Scripting in RealOne Player

RealNetworks fails to address Cross-Site Scripting in RealOne Player
Title:    RealNetworks fails to address Cross-Site Scripting in RealOne
Date:     Tuesday, January 06, 2004
Software: RealOne Player
Vendor:   RealNetworks
Patch:    N/A
Author:   Arman Nayyeri, arman-n[at]Phreaker[dot]net

The security update of August 19, 2003 fails to address the cross-site
scripting vulnerability that was found later in .SMI files in
RealOne Player.
The first time I researched SMI files in RealOne, I tested the javascript:
protocol and wondered how such a simple vulnerability could exist in
RealOne, but when I searched the web I saw that this vulnerability had
already been discovered. So I downloaded the latest version of RealOne
and worked on it, and after an hour I had an exploit that works perfectly
in the new RealOne Player.
I replaced javascript: with file:javascript: in the SMI file. (heh!)
I don't know how RealNetworks can say:
"all security vulnerabilities are taken very seriously by RealNetworks"
I'm waiting for the next patch to come so I can have some fun!
I don't want to annoy RealNetworks, but it's funny that their
vulnerabilities will never be exploited and used for attacks, because
RealNetworks keeps saying:
"While we have not received reports of anyone actually being attacked
 with this exploit"
So I recommend attacking a friend with my exploit (AT YOUR OWN RISK!)
and telling him/her to report this attack to RealNetworks to see what
RealNetworks will write!
OK, back to business:
we see that RealOne easily allows file:javascript: to be executed in
the security zone of the last page that you loaded into it, which can be
the "My Computer" or "Local Intranet" zone too.

I used RealNetworks' firstrun.smi as a template for my work and used jelmer's for executing an exe file! As easy as that!
But there were so many problems getting the exploit to work,
because when I put file: before javascript: these things happen:
1. we can't use the " character, "<" and ">" because of the SMI file tags
2. in the URL all spaces become %20 and prevent the script from being executed correctly
3. in the URL all "/"s become "\"s
4. we can't directly use "file:javascript:[JSCODE]" because of the last two

So I use "file:javascript:document.write('[JSCODE]')"
and translate all of the above bad characters to "\u[unicode]",
and also our URL that contains the JS code must be less than 512 (almost) bytes.
I load res: and then "file:javascript:document.write('[code]')".

this is the exploit that I provided (harmless .exe):

There is also a zip file that contains the SMI file, if you want to
know what code is in the .SMI!

This exploit will also work even if active scripting is disabled!

And sorry for my bad English!

Exploit Tested On
RealOne Player (win32) 
	Version 2.0 
	Helix Powered 

And also works on
RealOne Player (win32)
	Version 1.0

Special Thanks
Jelmer said:
"I am pretty sure there are still some *very serious* issues out there
  with a few leading apps, like
  sun java
  and probably icq"
As you can see, RealPlayer is one of them!
Next one, likely Winamp! (5.0 with many new capabilities! WOW!)

Do I discover more vulnerabilities?

Arman Nayyeri is not responsible for the misuse of the information 
provided in this advisory. The opinions expressed are my own and not of 
any company. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this 
advisory. Any use of the information is at the user's own risk.

Arman Nayyeri 
        MCP, MCSA 2000, MCSE 2000
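The following is an added example, written for this page and not taken from the report above or from RealNetworks. It is in JavaScript because the flaw is script-URL handling in a web-style client. It reproduces the encoding step the author describes (a document.write wrapper, \u escapes for the characters that SMIL tags and the URL handling mangle, and a length ceiling), then runs two link checks over a constructed SMIL document: a naive literal-prefix test of the kind that a file: prefix defeats (the vendor's actual check is not described on the page, so that filter is an assumption), and a scheme-normalising check that peels off nested schemes and flags any javascript: in the chain. The 512-byte limit is the author's observed figure taken as an assumption; example.invalid and the image names are placeholders.

```javascript
// Added example (not from the advisory or from RealNetworks): the payload
// encoding the report describes, beside a SMIL link checker that shows why
// a filter keyed on the literal prefix "javascript:" misses "file:javascript:".

// The trick from the report: wrap the script in document.write('...') and
// replace every character that SMIL attribute parsing or the player's URL
// handling would mangle (double quote, <, >, space, /) with a \uXXXX escape.
// Single quote and backslash are escaped too, since they would break the JS
// string literal. The 512-byte ceiling is the author's observed limit and is
// an assumption here.
function encodeForSmilHref(jsCode, maxLen = 512) {
  const escaped = jsCode.replace(/["<> \/'\\]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
  const href = `file:javascript:document.write('${escaped}')`;
  return { href, fits: href.length < maxLen };
}

// Constructed SMIL document for the demo (not the author's firstrun.smi).
// Link 3 is generated with the encoder above; link 4 varies case and adds
// leading whitespace to show what a normalising check has to tolerate.
const SAMPLE_SMIL = `<smil>
  <body>
    <a href="http://example.invalid/next.smi"><img src="logo.gif"/></a>
    <a href="javascript:alert(1)"><img src="a.gif"/></a>
    <a href="${encodeForSmilHref('<b>hi</b>').href}"><img src="b.gif"/></a>
    <a href=" FILE:JavaScript:alert(2)"><img src="c.gif"/></a>
  </body>
</smil>`;

// Pull every href="..." out of the document. A regex is enough for the demo;
// a real checker would walk the parsed XML tree instead.
function extractHrefs(smil) {
  const out = [];
  const re = /href\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(smil)) !== null) out.push(m[1]);
  return out;
}

// Assumed naive filter: a literal prefix test. Anything in front of the
// "javascript:" token, including "file:" or a space, slips past it.
function naiveIsScriptUrl(href) {
  return href.toLowerCase().startsWith("javascript:");
}

// Hardened check: trim, lowercase, then peel off leading "scheme:" tokens one
// at a time so that file:javascript:... yields ["file", "javascript"].
function schemeChain(href) {
  let s = href.trim().toLowerCase();
  const chain = [];
  const re = /^([a-z][a-z0-9+.-]*):/;
  let m;
  while ((m = re.exec(s)) !== null && chain.length < 8) {
    chain.push(m[1]);
    s = s.slice(m[0].length).trimStart();
  }
  return chain;
}

function hardenedIsScriptUrl(href) {
  return schemeChain(href).includes("javascript");
}

// Run both checks over every link and return the verdicts side by side.
function auditSmil(smil) {
  return extractHrefs(smil).map((href) => ({
    href,
    naive: naiveIsScriptUrl(href),
    hardened: hardenedIsScriptUrl(href),
  }));
}

for (const row of auditSmil(SAMPLE_SMIL)) {
  const flags = (row.naive ? "NAIVE " : "      ") + (row.hardened ? "HARD " : "     ");
  console.log(flags + row.href);
}
```

The naive column only flags the plain javascript: link; the hardened column also flags the file:javascript: link produced by the encoder and the mixed-case, space-prefixed variant. A check of this kind belongs after the player has fully decoded and resolved the URL, not on the raw attribute text, since the report shows the attacker controls which characters survive that step.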

