RealPlayer is a popular multimedia player developed by RealNetworks. One of its features are RMP files, RealJukebox Metadata Packages. These are XML formatted files which may contain e.g. playlists, references to skin files (*.rjs), and information about related web pages.
A directory traversal vulnerability exists in the player allowing an attacker to craft an RMP file which may upload files to arbitrary locations on the victim system. This leads to arbitrary code execution with the currently logged in user's privileges.
The RMP file may contain references to a number of files as <TRACK> tags. The file extension determines how RealPlayer handles the file, ie. as audio, video, or a skin file. If the filename ends with ".rjs", it's assumed to be a skin file and downloaded to a location under the current user's profile folder. For RealOne Player the exact location is
%USERPROFILE%\Application Data\Real\RealOne Player\skins\file.rjs
An attacker may use "..\" sequences in the file name to cause the skin file to be placed outside this folder. With a specially crafted filename, an attacker can place an arbitrarily named file with arbitrary contents anywhere on the victim system. Overwriting files isn't possible as RealPlayer asks for confirmation.
Another way is simply to place an EXE or other program in the current user's Startup folder to be launched during the next login. The attacker needn't know the login name; a relative path can be used because the default folder for skins is already under the user's profile folder.
According to RealNetworks, the flaw affects RealOne Player, RealOne Player v2, RealOne Enterprise Desktop, RealPlayer Enterprise.
RealNetworks was contacted on November 24, 2003. The vendor has produced updates to correct the flaw. Some unrelated vulnerabilities found by Mark Litchfield are also fixed. Information about downloading and applying the updates can be found here:
The vulnerability was discovered and researched by Jouko Pynnönen (firstname.lastname@example.org), Finland.