Published: 2005-11-18 18:03:00
Revised: 2017-07-10 21:32:55

[Original] Heap-based buffer overflow in DUNZIP32.DLL for RealPlayer 8, 10, and 10.5 and RealOne Player 1 and 2 allows remote attackers to execute arbitrary code via a crafted RealPlayer Skin (RJS) file, a different vulnerability than CVE-2004-1094.

[CNNVD] RealNetworks RealPlayer DUNZIP32.DLL Heap Overflow Vulnerability (CNNVD-200511-256)

        RealNetworks RealPlayer is a very popular media player available for multiple operating systems, including Microsoft Windows, Linux and Mac OS.
        A RealPlayer skin file (.rjs extension) can be downloaded and applied automatically through a web browser without the user's permission, and an attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. A skin file is a bundle of graphics and .ini files stored together in ZIP format, and DUNZIP32.DLL, which ships with RealPlayer, is used to extract the skin file's contents. When RealPlayer processes a zip file it allocates the buffer according to the file's length field, but the copy is driven by the real decompressed content. An attacker can therefore zip a file containing hostile data into an rjs file and alter the rjs file's length field, so that a heap overflow occurs when the zip file is processed.
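The mechanism described above, as an added example that is not CNNVD's, eEye's or RealNetworks' code: a constructed, minimal ZIP local-file-header reader in C whose hardened extract_stored_entry() ties the allocation and the copy to one bound and rejects an entry whose length field disagrees with the data actually present. The build_stored_entry() helper, the function names and the .ini sample are assumptions made for the demonstration; only "stored" (method 0) entries are handled, so no inflater is needed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed reader for one ZIP local file header holding a "stored" (method 0)
 * entry. Not RealPlayer's or DUNZIP32.DLL's code; it models the flaw described
 * above: the length field sizes the allocation while the real data drives the copy. */
#define LFH_SIG  0x04034b50u
#define LFH_SIZE 30
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Write a stored entry whose header claims `declared` bytes but is followed by
 * data_len real bytes (the two agree in a well-formed skin file). */
size_t build_stored_entry(uint8_t *dst, const char *name, uint32_t declared,
                          const uint8_t *data, size_t data_len)
{
    size_t nlen = strlen(name);
    memset(dst, 0, LFH_SIZE);                 /* method, flags, crc, extra length = 0 */
    wr32(dst, LFH_SIG);
    wr32(dst + 18, declared); wr32(dst + 22, declared); /* compressed and uncompressed size: the length field */
    dst[26] = (uint8_t)nlen;                  /* file name length (names < 256 here) */
    memcpy(dst + LFH_SIZE, name, nlen);
    memcpy(dst + LFH_SIZE + nlen, data, data_len);
    return LFH_SIZE + nlen + data_len;
}

/* Parse the header: *declared is what the length field promises, *actual the
 * number of data bytes really present after it. Returns 0, or -1 if malformed. */
int parse_entry(const uint8_t *buf, size_t len, uint32_t *declared, size_t *actual)
{
    if (len < LFH_SIZE || rd32(buf) != LFH_SIG || rd16(buf + 8) != 0) return -1;
    size_t off = LFH_SIZE + rd16(buf + 26) + rd16(buf + 28);
    if (off > len) return -1;
    *declared = rd32(buf + 22); *actual = len - off;
    return 0;
}

/* Hardened extraction. The vulnerable pattern is malloc(declared) followed by a
 * copy of `actual` bytes; here both use one bound and a size mismatch returns -2. */
int extract_stored_entry(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len)
{
    uint32_t declared; size_t actual;
    if (parse_entry(buf, len, &declared, &actual) != 0) return -1;
    if (actual != declared) return -2;        /* altered length field: refuse it */
    uint8_t *p = malloc(declared ? declared : 1);
    if (!p) return -1;
    memcpy(p, buf + len - actual, declared);  /* bounded by the same value as malloc */
    *out = p; *out_len = declared;
    return 0;
}
```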

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:realnetworks:realplayer:10.5  RealNetworks RealPlayer 10.5
cpe:/a:realnetworks:realplayer:10.0  RealNetworks RealPlayer 10.0

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BID  15382
(UNKNOWN)  XF  realplayer-rjs-zip-bo(23025)

- Vulnerability information

RealNetworks RealPlayer DUNZIP32.DLL Heap Overflow Vulnerability
Medium  Buffer overflow
2005-11-18 00:00:00 2006-01-05 00:00:00

- Advisories and patches


- Vulnerability information (F41490)

EEYEB-20050701.txt (PacketStormID:F41490)
2005-11-12 00:00:00
Fang Xing

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in RealPlayer that allows a remote attacker to reliably overwrite the heap with arbitrary data and execute arbitrary code in the context of the user under which the player is running. Systems Affected include Windows: RealPlayer 10.5 (, RealPlayer 10, RealOne Player v2, RealOne Player v1, RealPlayer 8.

RealPlayer Zipped Skin File Buffer Overflow II

Release Date:
November 10, 2005

Date Reported:
June 26, 2005

High (Code Execution)


Systems Affected:
RealPlayer 10.5 (
RealPlayer 10
RealOne Player v2
RealOne Player v1
RealPlayer 8

eEye Digital Security has discovered a vulnerability in RealPlayer that
allows a remote attacker to reliably overwrite the heap with arbitrary
data and execute arbitrary code in the context of the user under which
the player is running.

Technical Details:
A RealPlayer skin file (.rjs extension) can be downloaded and applied
automatically through a web browser without the user's permission. A
skin file is a bundle of graphics and a .ini file, stored together in
ZIP format. DUNZIP32.DLL, which is included with RealPlayer, is used to
extract the contents of the skin file. When RealPlayer processes a zip
file, it will allocate the field of the file but when it is copied it
will rely on real unzip content to copy. So an attacker can zip one file
that has hostile data and create an rjs file. We can change the file
length field of the rjs file so when it processes this zip file it will
cause a heap overflow.

Retina Network Security Scanner has been updated to identify this

Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar or from

Fang Xing 

Related Links:
This vulnerability has been assigned the following ID numbers;

OSVDB ID: 18827
CVE ID: CAN-2005-2630

Thanks to Karl Lynn and the eeye guys for helping me analyze and write
the advisory, greets to xfocus and venus-tech lab guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.


- Vulnerability information

RealPlayer .rjs Zipped Skin File Processing DUNZIP32.DLL Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A local overflow exists in RealPlayer and RealOne Player. The products fail to properly handle malformed zipped .rjs skin files, resulting in a heap overflow. With a specially crafted file, an attacker can cause the execution of code, resulting in a loss of integrity.

- Timeline

2005-11-10 Unknown
Unknown 2005-11-10

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, RealNetworks has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

RealNetworks RealPlayer DUNZIP32.DLL Heap Overflow Vulnerability
Boundary Condition Error 15382
Yes No
2005-11-10 12:00:00 2009-07-12 05:56:00
Discovery is credited to Fang Xing of eEye Digital Security.

- Affected program versions

Real Networks RealPlayer 10.5 v6.0.12.1235
Real Networks RealPlayer 10.5 v6.0.12.1069
Real Networks RealPlayer 10.5 v6.0.12.1059
Real Networks RealPlayer 10.5 v6.0.12.1056
Real Networks RealPlayer 10.5 v6.0.12.1053
Real Networks RealPlayer 10.5 v6.0.12.1040
Real Networks RealPlayer 10.0
+ S.u.S.E. cvsup-16.1h-43.i586.rpm
+ S.u.S.E. Linux Personal 9.3
+ S.u.S.E. Linux Personal 9.2
Real Networks RealPlayer 8.0 Win32
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98 SP1
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Real Networks RealOne Player 2.0
Real Networks RealOne Player 1.0

- Vulnerability discussion

A heap overflow vulnerability exists in RealPlayer on Windows platforms.

The issue arises when 'DUNZIP32.DLL' is called to handle a malformed file.

A successful attack can allow the attacker to gain unauthorized access to a vulnerable computer.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

The vendor has released fixes to address this issue. The patches are available through the 'Check for Update' functionality of the software under the 'Tools' menu. Fixes are available from the following location as well:

- References