RealOne Player Gold and RealJukebox2 RJS skin file download and execution

realplayer-rjs-file-download (9539) The risk level is classified as MediumMedium Risk

Description:

RealNetwork RealOne Player Gold could allow a remote attacker to cause a file to be automatically downloaded and executed on a victim's computer. A remote attacker could create a malicious RJS file with a skin.ini file containing script embedded within HTML tags that could be made to automatically download and execute on the victim's computer. An attacker could exploit this vulnerability by creating a malicious Web page or sending a victim a malicious HTML email that could either cause the RJS file to be opened automatically or provide a URL link that would cause the malicious RJS file to be opened when clicked.


Consequences:

Gain Access

Remedy:

Apply the appropriate patch for your system, available from the RealNetworks Web site. See References.

References:

  • RealNetworks Web site: RealNetworks Support: Buffer Overrun Exploit.
  • SPS Advisory #47: RealONE Player Gold / RealJukebox2 skin file download vulnerability.
  • BID-5210: Real Networks RealJukebox Predictable File Extraction Vulnerability
  • CVE-2002-1015: RealJukebox 2 1.0.2.340 and 1.0.2.379, and RealOne Player Gold 6.0.10.505, allows remote attackers to execute arbitrary script in the Local computer zone by inserting the script into the skin.ini file of an RJS archive, then referencing skin.ini from a web page after it has been extracted, which is parsed as HTML by Internet Explorer or other Microsoft-based web readers.
  • OSVDB ID: 5037: RealJukebox/RealOne RJS Archive skin.ini Arbitrary Script Execution
  • US-CERT VU#888547: Real Networks RealONE Player vulnerable to arbitrary command execution via crafted html in the skin file

Platforms Affected:

  • Real RealJukebox 2 1.0.2.340
  • Real RealJukebox 2 1.0.2.379
  • Real RealJukebox 2 Plus 1.0.2.340
  • Real RealJukebox 2 Plus 1.0.2.379
  • Real RealONE Player 1_build_6.0.10.505 Gold

Reported:

Jul 12, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page