Critical vulnerability in RealPlayer
US-CERT has warned of an exploit for a previously unknown vulnerability in RealPlayer 11 (build 126.96.36.1998) that is currently doing the rounds. What exactly the exploit does and what it is based on has not been revealed. Further information is only available to paid-up subscribers of GLEG Ltd, which provides a commercial exploit package, VulnDisco, for the Immunity Canvas exploit framework. An exploit module for RealPlayer has been available from developer Evgeny Legerov since 16th December.
The demo announced by Legerov on the Immunity mailing list turns out to be a video showing how the exploit opens a remote shell via a vulnerability in RealPlayer under Canvas. It is not known whether the vendor has been informed of the vulnerability, but it seems likely that it has not. Legerov has previously distributed exploits for unpublished vulnerabilities in other products to his customers. He has, for example, been withholding information on a critical vulnerability in the widely distributed FTP server ProFTPD for more than eleven months.
Whether VulnDisco customers will use the RealPlayer exploit exclusively for test purposes or whether it will be actively used on websites is anyone's guess. It is therefore difficult to offer definitive recommendations to users. In case of doubt, users should simply uninstall RealPlayer. At least since Windows users have been able to listen to music on Amazon using Amazon's Music Sampler, there remains little reason to continue to use RealPlayer.
- 0day RealPlayer exploit demo, posting on the Immunity mailing list
- Publicly Available Exploit Code for RealPlayer, warning from US-CERT