cbcvebase.
CVE-2003-0725
published 2003-10-20

CVE-2003-0725: Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and…

PriorityP349high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
51.25%
98.8th percentile
Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code.

Affected

12 ranges
VendorProductVersion rangeFixed in
realnetworkshelix_universal_server
realnetworkshelix_universal_server
realnetworkshelix_universal_server
realnetworkshelix_universal_server
realnetworksrealserver
realnetworksrealserver
realnetworksrealserver
realnetworksrealserver
realnetworksrealserver
realnetworksrealserver
realnetworksrealserver
realnetworksrealserver

Detection & IOCsextracted from sources · hover to see the quote

port554
commandOPTIONS / RTSP/1.0
commandDESCRIBE /../../../../../../../../../../../../../../../../../../../../ [...] .smi RTSP/1.0
filenamevsrcplin.so
filenamevsrcplin3260.dll
bytes
\xcc\xcc\x90\x8b\xfd\x83\xc7\x37\x33\xc9\xb2\x90\x66\x81\xc1\x38\x01\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7
  • Detect exploit attempts by monitoring RTSP DESCRIBE requests containing excessive path traversal sequences (../../../../) targeting port 554 on RealServer/Helix Universal Server.
  • After successful exploitation on Linux, the attacker kills the master rmserver process to stabilize the shell; monitor for 'kill -9' signals targeting rmserver PIDs.
  • Monitor for unexpected outbound or inbound connections on TCP port 31337 from the RealServer process, indicating successful shellcode execution and reverse/bind shell establishment.
  • Detect OS fingerprinting probes against RealServer via RTSP OPTIONS requests; the exploit parses the 'Server' header in the response to identify the target OS before launching the buffer overflow.
  • The exploit sends a fixed 2000-byte RTSP DESCRIBE buffer; anomalous RTSP requests of exactly 2000 bytes containing .smi extension and deep path traversal to port 554 are a strong indicator.
  • ·The exploit targets RealServer/Helix Universal Server listening on TCP port 554 (default RTSP port); deployments using non-standard RTSP ports would require adjusted detection rules.
  • ·The exploit includes separate Windows (w32shell) and Linux (linuxshell) shellcode payloads; detection signatures based on shellcode byte patterns must account for both variants.
  • ·The vulnerable component is the View Source plug-in (vsrcplin.so on Linux, vsrcplin3260.dll on Windows); servers without this plug-in loaded may not be exploitable via this vector.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.