CVE-2002-1643
published 2002-12-19


Priority: P350 high · CVSS 2.0: 7.5
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Flags: EXPLOIT
EPSS: 74.32% (99.4th percentile)
Multiple buffer overflows in RealNetworks Helix Universal Server 9.0 (9.0.2.768) allow remote attackers to execute arbitrary code via (1) a long Transport field in a SETUP RTSP request, (2) a DESCRIBE RTSP request with a long URL argument, or (3) two simultaneous HTTP GET requests with long arguments.

Affected

2 ranges
Vendor        Product                  Version range  Fixed in
realnetworks  helix_universal_server
realnetworks  helix_universal_server

Detection & IOCs (extracted from sources)

  • Detect exploit attempts by matching RTSP DESCRIBE requests containing a URI with 560 or more repeated '../' traversal sequences followed by a '.smi' extension
  • Detect exploit attempts by matching RTSP SETUP requests with an abnormally long Transport header field
  • Detect exploit attempts by matching RTSP DESCRIBE requests with an abnormally long URL argument
  • Detect exploit attempts via two simultaneous HTTP GET requests with long arguments targeting RealServer
  • Use an RTSP OPTIONS probe to fingerprint vulnerable RealServer instances; a Server header in the response indicates a potentially vulnerable target
  • Payload bad characters for this exploit include null bytes, newlines, carriage returns, percent signs, dots, forward/back slashes, spaces, colons, ampersands, question marks, and equals signs — filter or alert on percent-encoded shellcode in RTSP URIs
  • Exploit sends a 4131-byte buffer over TCP port 554; alert on oversized RTSP request payloads to RealServer
  • The Metasploit module targets RealServer versions 7, 8, and 9 across Linux, BSD, and Windows platforms using a single 'Universal' target with no per-platform ROP/return address differentiation
  • The exploit module notes that the master rmserver process must be killed to prevent shell disconnect after exploitation
  • The Windows shellcode (w32portshell) opens a reverse shell on port 31337; defenders should monitor for unexpected outbound connections on this port from RealServer processes
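
The per-request checks listed above (long DESCRIBE URL, '../' run ending in '.smi', long SETUP Transport field, oversized request, percent-encoded bytes in the URI) can be combined into one inspection routine. This is an added example, not code from this entry or from any vendor rule set: only the 560 '../' threshold comes from the entry, while the length limits, the function name inspect_rtsp and the host media.example are assumptions. The two-simultaneous-HTTP-GET vector needs cross-connection state and is not covered.

```python
import re

MIN_TRAVERSALS = 560   # from the page: 560 or more '../' sequences
MAX_URI = 1024         # assumed limit; the page only says "abnormally long"
MAX_TRANSPORT = 256    # assumed limit for the SETUP Transport header
MAX_REQUEST = 4096     # assumed; the page cites a 4131-byte exploit buffer
MAX_PCT_ESCAPES = 32   # assumed limit for %XX escapes in a URI
PCT_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")

def inspect_rtsp(raw: bytes) -> list:
    """Return the names of the checks that one raw RTSP request trips."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"RTSP/"):
        return ["malformed-request-line"]
    method, uri = parts[0].upper(), parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    if len(raw) > MAX_REQUEST:
        findings.append("oversized-request")
    if method == b"DESCRIBE":
        if len(uri) > MAX_URI:
            findings.append("describe-long-url")
        # Plain counting keeps the check linear-time on hostile input.
        path = uri.split(b"?", 1)[0].lower()
        if uri.count(b"../") >= MIN_TRAVERSALS and path.endswith(b".smi"):
            findings.append("describe-traversal-smi")
    if method == b"SETUP" and len(headers.get(b"transport", b"")) > MAX_TRANSPORT:
        findings.append("setup-long-transport")
    if len(PCT_ESCAPE.findall(uri)) > MAX_PCT_ESCAPES:
        findings.append("uri-percent-encoded-bytes")
    return findings

# Constructed sample requests (not captured traffic); media.example is a placeholder.
BENIGN = b"DESCRIBE rtsp://media.example/clip.rm RTSP/1.0\r\nCSeq: 1\r\n\r\n"
TRAVERSAL = b"DESCRIBE /" + b"../" * 560 + b"x.smi RTSP/1.0\r\nCSeq: 1\r\n\r\n"
LONG_SETUP = (b"SETUP rtsp://media.example/clip.rm RTSP/1.0\r\nCSeq: 2\r\n"
              b"Transport: " + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("traversal", TRAVERSAL), ("setup", LONG_SETUP)]:
        print(name, inspect_rtsp(req))
```

The length limits should be tuned against the longest legitimate URLs and Transport values seen on the monitored server before alerting on them.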