Vulnerability Development mailing list archives

Re: Napster a little insecure?


From: jpr5 () BOS BINDVIEW COM (Jordan Ritter)
Date: Fri, 28 Jan 2000 14:27:40 -0500


On Thu, 27 Jan 2000, Dennis Miller wrote:

# I'm running Napster v2.0 Build 1318 which is a freeware utility to
# share MP3's across the internet located at http://www.napster.com.
# Notice Napster sends the complete location
# of the file(s) being sent.  Does this mean that there is a way to coax
# the client to offer up ANY file?
#
# RECEIVED (on different query)
#     81 00 C9 00
#     "c:\WINDOWS\DESKTOP\mp3s\Nirvana-Lithium.mp3"
#         (32-byte checksum)
#         (size in bytes)
#         (bitrate in kbps)
#         (freq)
#         (duration in seconds)
#         (username)
#         (magic cookie - "643813570")
#         (line speed)
#     92 00 C9 00
#     "G:\Program Files\napster\Music\NIRVANA - Smells Like
#                 Teen Spirit.mp3"
#         (32-byte checksum)
#         ...
#     00 00 CA 00 00 00

You are not the first to ask this question, so I'll explain the reasoning
behind this.

Full filepaths are how we currently uniquely identify mp2/mp3 files.  We
could have used a file ID system whereby only the filename and an
associated ID were transmitted, but we decided that, in addition to the
filename, the path also constituted searchable text.  Your above example
doesn't demonstrate this, but the following will:

"G:\Program Files\napster\Music\NIRVANA\Smells Like Teen Spirit.mp3"

In any case, the answer to your question of whether other files can be
reached via the Napster client is a resounding "NO".

To begin with, the napster algorithm for adding files to your sharelist
requires that the file actually contain mpeg frame headers.  Even other
music formats are not sharable through Napster, unless they contain at
least this.  This file list is updated every time you load the client
software.

Furthermore, when a request to download a file is received, that request
is matched against the current list of shared files, which as explained
before only contains mp2/mp3 files.  Think of a big strcmp() loop; if it
isn't in the list, you can't get it.

Could you be sneaky and stego other kinds of files with mpeg frame headers
into Napster?  Probably, but who in their right mind would bother?  The
answer was and still remains, No, you cannot download any files other than
those mp2/mp3's that you chose to share.

--jordan
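
The two checks described in the message above, sketched as an added example (not part of the original post and not Napster's code): a file is admitted to the share list only if it contains an MPEG audio frame header, and a download request is only ever string-compared against that list. The names `share_add`, `share_lookup`, `is_mpeg_header` and the sample buffers are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SHARED 64
static const char *shared[MAX_SHARED];  /* hypothetical in-memory share list */
static size_t n_shared;

/* Constructed sample data: tag bytes followed by one MPEG-1 Layer III
 * frame header, and a plain text file that contains no header. */
static const unsigned char sample_mp3[] = { 'I', 'D', '3', 0xFF, 0xFB, 0x90, 0x00 };
static const unsigned char sample_ini[] = "[boot]\r\nshell=explorer.exe";

/* True if the 4 bytes at p form a plausible MPEG audio frame header. */
static int is_mpeg_header(const unsigned char *p)
{
    if (p[0] != 0xFF || (p[1] & 0xE0) != 0xE0) return 0; /* 11-bit frame sync */
    if (((p[1] >> 3) & 3) == 1) return 0;        /* reserved version id      */
    if (((p[1] >> 1) & 3) == 0) return 0;        /* reserved layer           */
    if ((p[2] >> 4) == 0x0F) return 0;           /* invalid bitrate index    */
    if (((p[2] >> 2) & 3) == 3) return 0;        /* reserved sampling rate   */
    return 1;
}

/* Admission: list the path only if the content holds a frame header. */
int share_add(const char *path, const unsigned char *data, size_t len)
{
    for (size_t i = 0; n_shared < MAX_SHARED && i + 4 <= len; i++)
        if (is_mpeg_header(data + i)) { shared[n_shared++] = path; return 1; }
    return 0;
}

/* Request handling, the "big strcmp() loop": the requested string is only
 * compared, never opened, so a path that is not listed cannot be served. */
const char *share_lookup(const char *requested)
{
    for (size_t i = 0; i < n_shared; i++)
        if (strcmp(shared[i], requested) == 0)
            return shared[i];  /* hand back the stored entry, not the input */
    return NULL;
}

int main(void)
{
    share_add("c:\\mp3s\\a.mp3", sample_mp3, sizeof sample_mp3);
    share_add("c:\\WINDOWS\\win.ini", sample_ini, sizeof sample_ini);
    printf("%d %d\n", share_lookup("c:\\mp3s\\a.mp3") != NULL,
           share_lookup("c:\\WINDOWS\\win.ini") != NULL);
    return 0;
}
```

Because the lookup is an exact match against stored entries, a request containing `..` segments is simply an unknown string and is refused without any path normalization.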

