eEye Digital Security has discovered a vulnerability in RealPlayer that allows a remote attacker to reliably overwrite the stack with arbitrary data and execute arbitrary code in the context of the user under which the player is running.
A RealPlayer skin file (.rjs extension) can be downloaded and applied automatically through a web browser without the user's permission. A skin file is a bundle of graphics and a .ini file, stored together in ZIP format. DUNZIP32.DLL, which is included with RealPlayer, is used to extract the contents of the skin file. When an .rjs file containing a long file name (greater than around 0x8000 bytes) is opened, either in RealPlayer or through a web browser, a stack based buffer overflow occurs, allowing an exception handler record to be overwritten and EIP to be hijacked.
News source: eEye Digital Security
View: Full Details