Vulnerability Development mailing list archives
Re: Reported Kazaa and Morpheus vulnerabilities
From: "Jackal" <-jackal- () libero it>
Date: Tue, 5 Feb 2002 12:39:22 +0100
----- Original Message ----- From: "Carlos Gaona" <cgaonau () hotmail com> To: "Vuln-Dev" <vuln-dev () securityfocus com> Cc: "HarryM" <harrym () the-group org> Sent: Monday, February 04, 2002 10:07 AM Subject: Reported Kazaa and Morpheus vulnerabilities ---- snip ---
As ar as i know there is no security threat compromising files beyond the ones that are already share. Once you download a file trough, the software detected and process it normaly.
There
isn't (as far as i know) anything like " ../ " path problems or unicode related... and i "think" a DoS is not probable.
---- snip ----
Carlos Gaona U. ndr113 () 350cc com
Create a DoS attack for Morpheus/Kazaa is quite simple. Infact only the connections made from other users with the same application can be regulated and detected from the client. Anonimous connections (directly at 1214/tcp port) cannot be detected even by most personal firewalls such Zone Alarm, 'cause Morpheus/Kazaa needs to be in totaly "Allowed zone" to open connections to outside sources. This "architecture" let us to flood this little web server with HTTP requests, in order to use all the available bandwidth and block Internet access on the target host. Each connection, infact, will generate a socket in "TIME_WAIT" status on 1214/tcp port (however visible with a simple NETSTAT command on the target host) that will cause the saturation of net resources. Some months ago, Paul Godfrey (PaulG () Crackdealer com) coded a Morpheus/Kazaa Denial of service in Perl... u can find it on Packetstorm site. Moreover, u can get a deeper knowledge of Morpheus/Kazaa architecture at: http://www.openp2p.com/pub/a/p2p/2001/07/02/morpheus.html?page=2 Kindly Regards, Stefano Mele aka The Jackal < -jackal- () libero it >
Current thread:
- RE: Reported Kazaa and Morpheus vulnerabilities, (continued)
- RE: Reported Kazaa and Morpheus vulnerabilities Colby Marks (Feb 07)
- Re: Reported Kazaa and Morpheus vulnerabilities tfm (Feb 04)
- RE: Reported Kazaa and Morpheus vulnerabilities leon (Feb 05)
- Re: Reported Kazaa and Morpheus vulnerabilities Arta (Feb 05)
- RE: Reported Kazaa and Morpheus vulnerabilities Sven Kamphuis (Feb 10)
- RE: Reported Kazaa and Morpheus vulnerabilities leon (Feb 05)
- Reported Kazaa and Morpheus vulnerabilities Carlos Gaona (Feb 03)
- Message not available
- Re: Reported Kazaa and Morpheus vulnerabilities Carlos Gaona (Feb 04)
- Message not available
- RE: Reported Kazaa and Morpheus vulnerabilities Condrey PFC David L (Feb 04)
- Re: Reported Kazaa and Morpheus vulnerabilities 'dreamwvr () dreamwvr com' (Feb 04)
- Re: Reported Kazaa and Morpheus vulnerabilities Blue Boar (Feb 04)
- Re: Reported Kazaa and Morpheus vulnerabilities Jackal (Feb 05)
- RE: Reported Kazaa and Morpheus vulnerabilities Mitch Watts (Feb 05)