Vulnerability Development mailing list archives

Re: KaZaA + Morpheus sharing files


From: "Stanley G. Bubrouski" <stan () ccs neu edu>
Date: Wed, 1 Aug 2001 14:32:07 -0400 (EDT)




On Wed, 1 Aug 2001, Hackemate.com.ar wrote:

> They told me to repost it, so here it is.
> That is not exactly a bug; anyway, I think it can be used as a start
> to discover some huge security holes it has. Here I send what I have
> been analyzing:
>
> When we install Morpheus or KaZaA, for the file sharing and searching,
> it opens the port 1214, but, here comes the important thing, it


The webserver that runs on KaZaa clients on 1214 is no secret, it is how 
KaZaa handles file transfers.  You may notice if you use their website to
do a search the links are all to 1214 on people's machines, that is not a
problem.  The only files listed are ones in shared folders and subdirs of
those shared folders.

> doesn't administrate or control it, so here comes:


NOT TRUE.

If you go into preferences and remove a directory from the list of shared
directories the files in that directory will no longer be listed on the
built-in webserver.


> Http://xxx.xxx.xxx.xxx:1214      (where xxx is the IP)





> When you type that in your browser (all my tests have been made with
> IE 5.5), it shows you all the shared files of that user, users with it


Newer versions of KaZaa let you list all the files shared by a user, by   
going to port 1214 you are getting the same list as if you had requested a
list of files from the user.  This is intended behaviour.


> can be easily found with a simple port scanner. But apart from showing
> you the files, it lets you download them, but here comes another weird
> thing: the files are not linked directly to that folder, or with the
> same name, but rather they have different names (with ++s) and are linked
> into folders named with numbers. For example:


If you know what port the built in webserver runs on why would you need a
portscanner?  To waste bandwidth?  Leave that to windows-based worms kid.

> http://24.232.8.xxx:1214
>
> Sting - All ThisTime (unplugged).mp3   5693985
> castaway(1of2).avi                     261096960
> American Beauty (DVD Quality).avi      475150336
>
> But they are not linked like that, they are:
>
> http://24.232.8.x:1214/16206/Sting+-+All+ThisTime+%28unplugged%29.mp3
> instead of:
> http://24.232.8.x:1214/Sting+-+All+ThisTime+%28unplugged%29.mp3

> So, that shows us that it orders them with subfolders, and so it
> would be something of time to discover how to make a directory scale.
> I have tested with Http://xxx.xxx.xx.xxx:1214/..../ and with some
> unicode but it doesn't work. Does anybody have an idea of whether it could be
> exploited?


> The port 1214 is also vulnerable to a Nuke or Denial of Service attack
> and falls very easily.

Way to be vague.  Care to elaborate a little? I've tried a number of DoS
attacks including extremely long requests, requests at frequent rates, and
played with the headers, sent random data to the port and even tried
things involving shoving data from /dev/urandom at the port and it didn't
even flinch.  If you know a DoS that works post it here so it can be
investigated and fixed.  It does no good if you say things like "I can DoS
the port."  That tells nothing.  We can't reproduce things if we are given
no information on which to base it.


> I hope you keep on investigating this.

I disagree; the direction your investigating is going is all wrong.  You
should start off by getting your facts straight, understanding the program,
and the protocols it uses and THEN look for weaknesses.



> Pablo Sabbatella
> KerozenE 1999-2001 c0oL!
> www.hackemate.com.ar



-Stan

--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284
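The link format the original poster quotes (a numeric folder id, then a file name with spaces encoded as + and parentheses as %28/%29) is what a share server has to decode before it touches the filesystem, and the /..../ and unicode guesses in the thread are exactly the inputs that decoding step must reject. The Python below is an added example written for this archive page; it is not KaZaA's code and not from either poster. Only the link shape and the encoding come from the thread; the share table, the folder-id mapping and the sample links are constructed.

```python
"""Resolving KaZaA-style share links against a shared folder without letting
the request escape it.  Added example for this thread; it is not KaZaA code.
Only the link shape (/<numeric folder id>/<form-encoded file name>) and the
'+' / %28 %29 encoding come from the thread.  The share table and the
sample links are constructed here."""
import posixpath
import re
from urllib.parse import unquote_plus

# Constructed: which numeric folder id maps to which shared directory.
SHARE_TABLE = {"16206": "/srv/shares/music"}

# Constructed sample requests in the shape quoted in the thread, plus a few
# malformed ones of the kind a canonicalisation check has to reject.
SAMPLE_LINKS = [
    "/16206/Sting+-+All+ThisTime+%28unplugged%29.mp3",
    "/16206/castaway%281of2%29.avi",
    "/..../",                              # the guess from the thread
    "/16206/..%2f..%2foutside.txt",         # encoded separators
    "/16206/%c0%ae%c0%ae%2foutside.txt",    # overlong UTF-8 for '..'
    "/99/whatever.mp3",                     # unknown folder id
]

LINK_RE = re.compile(r"^/(\d+)/([^/]+)$")


def parse_share_link(path):
    """Return (folder_id, decoded_name) for a well-formed link, else None.

    unquote_plus turns '+' into a space and %28/%29 into parentheses, which
    is the decoding the thread observed.  Decoding is strict so bytes that
    are not valid UTF-8 (overlong '..' tricks) raise instead of being
    silently mapped to U+FFFD.
    """
    m = LINK_RE.match(path)
    if not m:
        return None
    folder_id, raw_name = m.groups()
    try:
        name = unquote_plus(raw_name, errors="strict")
    except UnicodeDecodeError:
        return None
    # After decoding, the name must still be a single, plain path component.
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        return None
    return folder_id, name


def resolve_share_request(path, share_table=SHARE_TABLE):
    """Map a link to an absolute file path inside its shared directory.

    Returns None for malformed links, unknown folder ids, or anything whose
    normalised path would leave the share root.
    """
    parsed = parse_share_link(path)
    if parsed is None:
        return None
    folder_id, name = parsed
    root = share_table.get(folder_id)
    if root is None:
        return None
    full = posixpath.normpath(posixpath.join(root, name))
    # Belt and braces: even with the checks above, refuse anything outside root.
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


def audit_links(links, share_table=SHARE_TABLE):
    """Resolve each sample link; None marks a rejected request."""
    return [(link, resolve_share_request(link, share_table)) for link in links]


if __name__ == "__main__":
    for link, result in audit_links(SAMPLE_LINKS):
        print(f"{link!r:45} -> {result}")
```

Running the block prints the two well-formed links resolved under /srv/shares/music and None for the other four; the strict decode is what turns the overlong-UTF-8 case into a rejection rather than a replacement character that later string checks would wave through.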



