RealNetworks media server RTSP protocol parser buffer overflow

ID VU:934932
Type cert
Reporter CERT
Modified 2003-09-09T20:45:00



RealNetworks Helix Universal Server 9 media servers contain a buffer overflow in a RTSP protocol parser. Earlier versions of their media servers are also affected: RealSystem Server 7, 8, and RealServer G2.


RealNetworks Helix Universal Server 9 media server is software which provides integrated distribution of various forms of digital content. Streaming media content can include files encoded in QuickTime and MPEG formats. Helix Universal Server 9 uses a dynamic, shared library plug-in architecture to extend its functionality and support such RTP-delivered formats. Two of the plug-ins installed by default can be used to exploit a heap-based buffer overflow in a RTSP protocol parser. They are _View Source _plug-ins on UNIX platforms ( for Helix Universal Server, RealSystem Server 7, 8, and RealServer G2) and vsrc``3260``.``dll on Windows systems. RealNetworks has published a statement recommending these two plug-ins be removed from the Plugins sub-directory in order to prevent this vulnerability from being exploited.

Previous versions of the RealNetworks streaming media server, including RealSystem Server 7, 8, and RealServer G2, are also vulnerable. The RealNetworks Helix Universal Proxy is reported not to be vulnerable.

Exploit code has been published in public forums and used to exploit this vulnerability.


A remote attacker can either execute arbitrary code with privileges of the running service or cause it to crash.


The CERT/CC is currently unaware of a definitive patch for this problem.


RealNetworks has posted the following response to this issue:

In summary, sites running vulnerable RealNetworks media servers should consider removing one of the following View Source plug-ins from the appropriate Plugins sub-directory: ( or on UNIX platforms, vsrc3260.dll on Windows systems. Note the media server process must be restarted in order for this change to take affect. According to RealNetworks, this change will only disable the Content Browsing feature when implemented.

Affected sites could also block relevant RTSP service ports, which may include, but is not limited to, the following:

rtsp 554/tcp # Real Time Stream Control Protocol
rtsp 554/udp # Real Time Stream Control Protocol
arcp 7070/tcp # ARCP [legacy RealServer port]
arcp 7070/udp # ARCP [legacy RealServer port]
rtsp-alt 8554/tcp # RTSP Alternate (see port 554)
rtsp-alt 8554/udp # RTSP Alternate (see port 554)

Vendor Information


Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.


Updated: August 29, 2003


__ Vulnerable

Vendor Statement

Please see the vendor statement for VU#934932 at:


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Text of statement for VU#934932 follows:
[updated Wednesday, August 27, 2003]

Server Exploit Vulnerability

Updated August 22, 2003

Helix Universal Server 9 and earlier versions (RealSystem Server 8, 7 and RealServer G2) are vulnerable to a root exploit when certain types of character strings appear in large numbers within URLs destined for the Server's protocol parsers. RealNetworks Proxy products are not vulnerable to this exploit.


RealNetworks has verified that vulnerability to this exploit can be effectively closed by removing the RealNetworks View Source plug-in from the /Plugins directory and restarting the Server process. * UNIX/Linux: (Helix Universal Server), (RealSystem Server 8 & 7, and RealServer G2).

    * Windows: **vsrc3260.dll**

The View Source Plug-in is responsible for reading and displaying file format headers of media files accessible to the file systems loaded by the Server. Removal of this plug-in will not hinder on-demand or live streaming delivery or logging and authentication services of the product. With the plug-in removed however, the Content Browsing feature will be disabled.

RealNetworks considers the removal of the View Source Plug-in a work-around for this issue, we will be making a new version of the Helix Universal Server available to all current customers that resolves this problem and does not require system administrators to remove any shipping components post installation. Once the new version is available, RealNetworks will urge customer to upgrade.

We want to thank those who posted information about this problem on <>.


While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.

Legal Notice and Terms of Use

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A


  • <>
  • <>


This vulnerability is reported to have been discovered by Dave Aitel of Immunitysec.

This document was written by Jeffrey S Havrilla.

Other Information

CVE IDs: | None
Severity Metric:** | 14.21
Date Public:
| 2003-08-15
Date First Published: | 2003-08-29
Date Last Updated: | 2003-09-09 20:45 UTC
Document Revision: | 16