The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SUMMARY

BearShare <http://www.bearshare.com/> is a Windows file sharing program from Free Peers, Inc. that lets you, your friends, and everyone in the world share files. A serious security vulnerability in the product allows remote attackers to download any file on the local disk, even if it has not been added to the shared list.

DETAILS

Vulnerable systems:
 * BearShare 2.2.2 and prior (Windows 95/98/ME) with its Web Site feature enabled

Immune systems:
 * BearShare 2.2.3 and above (Windows 95/98/ME)
 * BearShare running under Windows NT/2000
 * BearShare with its Web Site feature disabled

A security vulnerability in BearShare allows remote attackers to access files that reside outside the upload root provided by BearShare. This allows a remote attacker to download any file without restrictions.

The vulnerability resides in BearShare's Web Site feature. BearShare protects against the classic dotdot ('..') attack, but the filtering is insufficient: chaining together a large number of dots bypasses the standard protection.

This attack does not seem to work against Windows 2000 machines, and not all file types can be downloaded (for example, .avi and .mpg files will not be downloaded). The vendor has not provided information about which platforms are vulnerable and which file types can be downloaded.

Example:
http://vulnerable:6346/........../windows/win.ini

This would download the win.ini file from the windows directory.

Solution:
The vendor has released a new version that fixes this problem. Users are encouraged to download and install it as soon as possible.

Workaround:
Disabling BearShare's Web Site feature prevents this vulnerability from being exploited and is generally recommended.
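As an added illustration of the filtering problem described above (example code, not BearShare's or SecuriTeam's), the following Python compares a naive filter that refuses only the exact '..' segment with a resolver that refuses any all-dots segment and then canonicalizes the request against the upload root. The upload root and the naive filter are constructed for the example; the advisory does not describe BearShare's actual filter.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed example root; the advisory does not give BearShare's real upload root.
UPLOAD_ROOT = "/srv/bearshare/upload"

# Any segment consisting only of two or more dots ('..', '...', '..........').
DOT_RUN = re.compile(r"^\.{2,}$")


def naive_is_allowed(url_path: str) -> bool:
    """Constructed stand-in for an insufficient dotdot filter (not BearShare's code):
    it refuses only segments that are exactly '..', so a longer run of dots passes."""
    return all(segment != ".." for segment in url_path.split("/"))


def resolve_within_root(root: str, url_path: str) -> Optional[str]:
    """Map a requested URL path onto the upload root, or return None if it must be refused.

    Two independent checks: refuse every all-dots segment up front (the advisory shows a
    ten-dot segment slipping past a '..' check, so do not guess how the platform will
    interpret such runs), then canonicalize and verify the result is still inside root.
    """
    decoded = unquote(url_path).replace("\\", "/")  # cover %2e%2e and backslash separators
    segments = [s for s in decoded.split("/") if s and s != "."]
    if any(DOT_RUN.match(s) for s in segments):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for request in ("/music/song.mp3",
                    "/../windows/win.ini",
                    "/........../windows/win.ini",  # the path from the advisory's example URL
                    "/%2e%2e/windows/win.ini"):
        print(f"{request:32} naive={naive_is_allowed(request)!s:5} "
              f"hardened={resolve_within_root(UPLOAD_ROOT, request)}")
```

The naive filter accepts the advisory's ten-dot request while the hardened resolver refuses it, along with encoded and backslash variants, without needing to know how the underlying filesystem collapses dot runs.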
Vendor response:
Free Peers, Inc. have responded by releasing a new version of the product, but ignored our request for more information about the vulnerability and its impact. In addition, they did not bother to notify us about the release of the new version, all this while we were waiting for their comments before releasing this advisory.

ADDITIONAL INFORMATION

This security hole was discovered by Gluck Ninja <mailto:gluckninjaat_private>.
The information has been provided by SecuriTeam Experts <mailto:expertsat_private>.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 09:46:15 PDT