CVE-2003-0725
Published: 2003-10-20
Priority: P3 49 · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 51.25% (98.8th percentile)
Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | helix_universal_server | — | — |
| realnetworks | helix_universal_server | — | — |
| realnetworks | helix_universal_server | — | — |
| realnetworks | helix_universal_server | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
| realnetworks | realserver | — | — |
Detection & IOCs (extracted from sources)
bytes
\xcc\xcc\x90\x8b\xfd\x83\xc7\x37\x33\xc9\xb2\x90\x66\x81\xc1\x38\x01\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7
- Detect exploit attempts by monitoring RTSP DESCRIBE requests containing excessive path traversal sequences (../../../../) targeting port 554 on RealServer/Helix Universal Server.
- After successful exploitation on Linux, the attacker kills the master rmserver process to stabilize the shell; monitor for 'kill -9' signals targeting rmserver PIDs.
- Monitor for unexpected outbound or inbound connections on TCP port 31337 from the RealServer process, indicating successful shellcode execution and reverse/bind shell establishment.
- Detect OS fingerprinting probes against RealServer via RTSP OPTIONS requests; the exploit parses the 'Server' header in the response to identify the target OS before launching the buffer overflow.
- The exploit sends a fixed 2000-byte RTSP DESCRIBE buffer; anomalous RTSP requests of exactly 2000 bytes containing .smi extension and deep path traversal to port 554 are a strong indicator.
- The exploit targets RealServer/Helix Universal Server listening on TCP port 554 (default RTSP port); deployments using non-standard RTSP ports would require adjusted detection rules.
- The exploit includes separate Windows (w32shell) and Linux (linuxshell) shellcode payloads; detection signatures based on shellcode byte patterns must account for both variants.
- The vulnerable component is the View Source plug-in (vsrcplin.so on Linux, vsrcplin3260.dll on Windows); servers without this plug-in loaded may not be exploitable via this vector.
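The request-level indicators listed above, applied to already reassembled RTSP requests, as an added example that is not code from the original page or its sources. The function names, indicator labels, the four-segment traversal threshold and the sample traffic are assumptions constructed for illustration; the check is deliberately port-agnostic so it also covers non-standard RTSP ports.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_to_bytes

FIXED_LEN = 2000         # request size the page attributes to the exploit
MIN_TRAVERSAL_RUN = 4    # assumed threshold: "../../../../" or longer

REQUEST_LINE = re.compile(rb"^([A-Z_]+) (\S+) RTSP/\d\.\d\r?$")
TRAVERSAL_RUN = re.compile(rb"(?:\.\./){%d,}" % MIN_TRAVERSAL_RUN)

def indicators(raw: bytes) -> list[str]:
    """Indicators from the list above matched by one reassembled RTSP request."""
    m = REQUEST_LINE.match(raw.split(b"\n", 1)[0])
    if not m:
        return []                                  # not an RTSP request line
    method = m.group(1)
    uri = unquote_to_bytes(m.group(2))             # also catches %2e%2e%2f
    if method == b"OPTIONS":
        return ["options-probe"]                   # weak alone: clients send OPTIONS
    hits = []
    if method == b"DESCRIBE" and TRAVERSAL_RUN.search(uri):
        hits.append("describe-deep-traversal")
        if b".smi" in uri.lower():
            hits.append("smi-target")
        if len(raw) == FIXED_LEN:
            hits.append("fixed-2000-byte-request")
    return hits

def flag_sources(events: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Per source, flag a traversal DESCRIBE and note a preceding OPTIONS probe."""
    probed, flagged = set(), {}
    for src, raw in events:
        hits = indicators(raw)
        if hits == ["options-probe"]:
            probed.add(src)
        elif "describe-deep-traversal" in hits:
            flagged[src] = (["options-then-describe"] if src in probed else []) + hits
    return flagged

# Constructed sample traffic (documentation addresses, no payload bytes).
SAMPLE_EVENTS = [
    ("192.0.2.10", b"OPTIONS * RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("192.0.2.10", b"DESCRIBE rtsp://media.example/clip.rm RTSP/1.0\r\nCSeq: 2\r\n\r\n"),
    ("198.51.100.7", b"OPTIONS / RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    ("198.51.100.7", b"DESCRIBE /" + b"../" * 8 + b"show.smi RTSP/1.0\r\nCSeq: 2\r\n\r\n"),
]

if __name__ == "__main__":
    for src, hits in flag_sources(SAMPLE_EVENTS).items():
        print(src, hits)
```

An OPTIONS request alone is never flagged, since ordinary RTSP clients send it; it only adds weight when the same source follows it with a traversal DESCRIBE.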
No detection rules found.
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0087.html
- http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html
- http://www.kb.cert.org/vuls/id/934932
- http://www.securityfocus.com/bid/8476
- http://www.service.real.com/help/faq/security/rootexploit082203.html
Published: 2003-10-20