RE: Reported Kazaa and Morpheus vulnerabilities

[Condrey PFC David L <CondreyDL () 3mawcpen usmc mil>]

Kazaa is vulnerable in the fact that the average user has not noticed their
basic configuration settings.  The program is built normally to allow only
sharing of a single folder "My Shared Folder".  Somehow or another people
are seeming to go along when they setup Kazaa on their computer allowing it
to access everything.

Either way it doesn't really matter.  The only way I see this classifying as
a bug is if it could some way become exploitable to unknowingly upload
something to the suspects harddrive.  Just viewing doesn't really matter,
that's what Kazaa was created for, this just shows another occasion of
average user stupidity.

David Condrey

-----Original Message-----
From: Stanley G. Bubrouski [mailto:stan () ccs neu edu] 
Sent: Monday, February 04, 2002 5:25 AM
To: HarryM
Cc: vuln-dev () securityfocus com
Subject: Re: Reported Kazaa and Morpheus vulnerabilities

Back this fall or summer the same topic was discussed and I thought myself
and others did a job explaining the difference between a feature and a
bug.  Kazaa and Morpheus use port 1214 to share files, it's how they
work...  I.E. being able to browse port 1214 is a FEATURE NOT A BUG.

Think about it.  That search they have/had on kazaa.com, when you ran a
search it would give you HTTP links to hosts on port 1214, so its not like
it was some big secret, it's meant to be this way.

And in regards to security, to my knowledge no audit or major testing has
been done to my knowledge by anyone in the security community on Kazaa
and/or Morpheus, but I did try several approaches back in the fall and
came up empty.  I don't remember exactly what I tried but here is the gist
of it:

Long HTTP/1.0 and HTTP/1.1 requests.
Long HTTP/1.0 URLS
Unicode Exploits
Long Host: header
Multiple long Host: headers
".." and "..." exploits
cat /dev/urandom | nc wintest 1214 (x10)
Flooding HTTP requests


And none of them worked. Like I said though it was months ago and kazaa
has had several versions since then and added new features so nothing is
certain as usual.

Regards,

Stan

PS. Pats won the superbowl, Boston was rockin' last night :)

--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284


On Mon, 4 Feb 2002, HarryM wrote:

> > Well, I think that's what the original poster was getting at.  Anyone
> > here tried the usual .. bugs and so on?  (Either successfully or not,
> > we'd like to know.)
>
> Exactly. The BBC article claims that someone has, but there's no mention
of
> it on CERT or Securityfocus. I mean obviously if there is one it may not
> have been posted about.. But I thought someone might have heard something.
> Certainly simple things such as appending /../ or /..../ to the end of the
> url don't work, but those funky numeric folder names must mean something.
>
> Harry M