From vnulllists@pcnet.com.pl Mon Jul 18 15:50:35 2005
From: Jakub Wartak
To: legal@lists.gpl-violations.org
Subject: Planet BM-500 GPL violation
Date: Mon, 18 Jul 2005 15:50:35 +0200
Cc: vnulllists@pcnet.com.pl
Message-Id: <200507181550.36499.vnulllists@pcnet.com.pl>

Hello list,

I found a rather big GPL violation in Planet BM-500. This device has some bandwidth shaping capabilities along with NAT/filtering, and seems to be pretty popular in (very) small networks. You can find more info on http://www.planet.com.tw.

Fact #1: search for "GPL" keyword on their site returns nothing.

Fact #2: mail was sent on 09/07/2005 to "support@planet.com.pl" asking if they offer source code ( I didn't point out that I know that the device is running Linux and other GPLed code ). No reply up to today.

Fact #3: they haven't just taken pure kernel, they *modified* some Netfilter modules, but they haven't released them.

Tech info:

xeno:/home/vnull/planet/how# ls
FW-BM500_212.zip gz_extract.c gzrt-0.3.tar.gz
xeno:/home/vnull/planet/how# unzip FW-BM500_212.zip
Archive: FW-BM500_212.zip
inflating: FW-BM500_212.img
inflating: FR-BM500_212.txt
xeno:/home/vnull/planet/how# gcc -O3 gz_extract.c -o gz_extract
xeno:/home/vnull/planet/how# ./gz_extract FW-BM500_212.img
Scanning FW-BM500_212.img
Extracted 5620702 bytes to extract-1-1.gz
xeno:/home/vnull/planet/how# tar xzf gzrt-0.3.tar.gz
xeno:/home/vnull/planet/how# cd gzrt-0.3
xeno:/home/vnull/planet/how/gzrt-0.3# make
cc -o gzrecover -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 gzrecover.c -lz
gzrecover.c: In function `open_outfile':
gzrecover.c:89: warning: passing arg 2 of `check_error' makes integer from pointer without a cast
gzrecover.c:91: warning: passing arg 2 of `check_error' makes integer from pointer without a cast
gzrecover.c: In function `main':
gzrecover.c:226: warning: passing arg 2 of `check_error' makes integer from pointer without a cast
gzrecover.c:234: warning: passing arg 2 of `check_error' makes integer from pointer without a cast
xeno:/home/vnull/planet/how/gzrt-0.3#
xeno:/home/vnull/planet/how/gzrt-0.3# cp gzrecover ..
xeno:/home/vnull/planet/how/gzrt-0.3# cd ..
xeno:/home/vnull/planet/how# ./gzrecover extract-1-1.gz
xeno:/home/vnull/planet/how# file extract-1-1.recovered
extract-1-1.recovered: ELF 32-bit LSB MIPS-I executable, MIPS, version 1 (SYSV), statically linked, stripped
xeno:/home/vnull/planet/how# strings extract-1-1.recovered > s
xeno:/home/vnull/planet/how# egrep -i linux s | grep -v include
TERM=linux
Linux version 2.4.18-mips (root@CVS4) (gcc version 2.95.3 20010315 (release)) #1529 Wed Jun 23 22:20:39 CST 2004
Linux vmlinux root=/dev/mtdblock4 console=ttyS0 rw single init=/linuxrc
<6>Linux NET4.0 for Linux 2.4
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>Linux IP multicast router 0.06 plus PIM-SM
Linux FreeS/WAN super-freeswan-1.99.8.1rc2
<6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Linux
xeno:/home/vnull/planet/how# egrep -i netfilter s
ip_tables: (c)2000 Netfilter core team

But the real interesting part is linking directly into kernel their own Netfilter modules ( siplimit & vipmark ). The more interesting is that the siplimit module is probably just hacked iplimit ( currently it is called connlimit ), while vipmark is hacked ipmark.

...After some more investigation ( notice the "-a" switch ):

xeno:/home/vnull/planet/how# strings -a extract-1-1.recovered > s
xeno:/home/vnull/planet/how# grep -i siplimit s
Call rusty: overflow in ipt_siplimit: %u/%u
siplimit
iptables -t mangle -A %s -p %s -m siplimit --limit %s/s --limit-burst %s --limit-timeout %s -j RETURN
xeno:/home/vnull/planet/how# grep -i vipmark s | tail -10
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 -j VIPMARK --set-mark 0x%llx
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 --dport %s -j VIPMARK --set-mark 0x%llx
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 --dport %s:%s -j VIPMARK --set-mark 0x%llx
-m vipmark --mark 0x%llx/0xffffffffffffffff
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 --dport %s:%s -j VIPMARK --set-mark 0x%llx
/sbin/iptables -t nat %s premip -d %s/32 -j VIPMARK --set-mark 0x%lx
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 -j VIPMARK --set-mark 0x%llx
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 --dport %s -j VIPMARK --set-mark 0x%llx
/sbin/iptables -t nat %s previp%d_%s -p %s -d %s/32 --dport %s:%s -j VIPMARK --set-mark 0x%llx
/sbin/iptables -t nat %s premip -d %s/32 -j VIPMARK --set-mark 0x%lx

Currently I don't have time to find offset of the filesystem in the image ( kernel seems to have CRAMFS, EXT2, MINIX filesystems compiled in, it should be easy to find signatures [ from magic(5) ] for these filesystems in the image ). It appears that this image also contains signatures for DNSMasq and other linux embedded stuff ( mainly busybox && libc ).

Vendor was not notified about breaking GPL.

--
Jakub Wartak -vnull
FreeBSD/OpenBSD/Linux/Network Administrator
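
Added example, not part of the original message and not code from gz_extract.c or gzrt: a sketch of the signature scan the message leaves open, locating cramfs, ext2 and minix superblocks plus gzip members in a firmware image. The names scan_image, find_all and build_sample are hypothetical, ext2/minix fields are assumed little-endian (the kernel above is LSB MIPS), and the sample image is constructed.

```python
import gzip, struct, zlib

CRAMFS = {b"\x45\x3d\xcd\x28": "cramfs-le", b"\x28\xcd\x3d\x45": "cramfs-be"}
CRAMFS_SIG = b"Compressed ROMFS"                    # text at superblock offset 16
MINIX_MAGICS = (0x137F, 0x138F, 0x2468, 0x2478)     # s_magic values from magic(5)

def find_all(data, needle):
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def scan_image(data):
    """Return sorted (offset, kind) pairs; offset is where the object starts."""
    hits = set()
    # cramfs: 32-bit magic 0x28cd3d45 in either byte order, then the text signature
    for magic, kind in CRAMFS.items():
        for pos in find_all(data, magic):
            if data[pos + 16:pos + 32] == CRAMFS_SIG:
                hits.add((pos, kind))
    # ext2: s_magic 0xEF53 at superblock+56; the superblock sits 1024 bytes in
    for pos in find_all(data, b"\x53\xef"):
        sb = pos - 56
        if sb >= 1024:
            inodes, blocks, log_bs = struct.unpack_from("<II16xI", data, sb)
            if inodes and blocks and log_bs <= 6:   # plausibility, not proof
                hits.add((sb - 1024, "ext2"))
    # minix: s_magic at superblock+16; inode count and both bitmap sizes non-zero
    for value in MINIX_MAGICS:
        for pos in find_all(data, struct.pack("<H", value)):
            sb = pos - 16
            if sb >= 1024 and all(struct.unpack_from("<HxxHH", data, sb)):
                hits.add((sb - 1024, "minix"))
    # gzip: ID1 ID2 CM=deflate, confirmed by inflating the first few bytes
    for pos in find_all(data, b"\x1f\x8b\x08"):
        try:
            if zlib.decompressobj(31).decompress(data[pos:pos + 4096], 16):
                hits.add((pos, "gzip"))
        except zlib.error:
            pass                                    # magic bytes only, not a stream
    return sorted(hits)

def build_sample():
    """Constructed image: gzip member at 64, cramfs at 4096, ext2 at 8192."""
    img = bytearray(12288)
    gz = gzip.compress(b"constructed kernel bytes", mtime=0)
    img[64:64 + len(gz)] = gz
    img[4096:4128] = struct.pack("<4I", 0x28CD3D45, 4096, 0, 0) + CRAMFS_SIG
    struct.pack_into("<II48xH", img, 8192 + 1024, 128, 1024, 0xEF53)
    return bytes(img)
```

The two-byte ext2 and minix magics match by chance in large images, so a hit is a candidate offset to confirm by mounting or unpacking, not a finding on its own.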