On Wed, 1 Aug 2001, Hackemate.com.ar wrote:

> They told me to repost it, so here it is
>
> That is not exactly a bug, anyway I think it can be used as a start
> to discover some huge security holes it has, here I send what I have
> been analyzing:
>
> When we install Morpheus or KaZaa, for the file sharing and searching,
> it opens the port 1214, but, here comes the important thing, it
> doesn't administrate or control it, so here comes:

The webserver that runs on KaZaa clients on 1214 is no secret, it is how
KaZaa handles file transfers. You may notice if you use their website to
do a search the links are all to 1214 on people's machines, that is not a
problem. The only files listed are ones in shared folders and subdirs of
those shared folders.

NOT TRUE. If you go into preferences and remove a directory from the list
of shared directories the files in that directory will no longer be listed
on the built-in webserver.

> http://xxx.xxx.xxx.xxx:1214 (where xxx is the IP)
>
> When you type that in your browser (all my tests have been made with
> IE 5.5), it shows you all the shared files of that user, users with it
> can be easily found with a simple port scanner.

Newer versions of KaZaa let you list all the files shared by a user, by
going to port 1214 you are getting the same list as if you had requested a
list of files from the user. This is intended behaviour.

If you know what port the built in webserver runs on why would you need a
portscanner? To waste bandwidth? Leave that to windows-based worms, kid.

> But apart from showing you the files, it lets you download them, but
> here comes another weird thing, the files are not linked directly to
> that folder, or with the same name, if not that they have different
> names (with ++s) and linked into folders named with numbers.
> For example:
>
> http://24.232.8.xxx:1214
>
> Sting - All ThisTime (unplugged).mp3 5693985
> castaway(1of2).avi 261096960
> American Beauty (DVD Quality).avi 475150336
>
> But they are not linked like that, they are:
>
> http://24.232.8.x:1214/16206/Sting+-+All+ThisTime+%28unplugged%29.mp3
> instead of:
> http://24.232.8.x:1214/Sting+-+All+ThisTime+%28unplugged%29.mp3
>
> So, that shows us, that it orders them with subfolders and so, it
> would be something of time to discover how to make a directory scale,
> I have tested with http://xxx.xxx.xx.xxx:1214/..../ and with some
> unicode but it doesn't work, does anybody have an idea of how it could
> be exploited?
>
> The port 1214 is also vulnerable to a Nuke or Denial of Service attack
> and falls very easily.

Way to be vague. Care to elaborate a little? I've tried a number of DoS
attacks including extremely long requests, requests at frequent rates, and
played with the headers, sent random data to the port and even tried
things involving shoving data from /dev/urandom at the port and it didn't
even flinch. If you know a DoS that works post it here so it can be
investigated and fixed. It does no good if you say things like "I can DoS
the port." That tells nothing. We can't reproduce things if we are given
no information with which to base it on.

> I hope you keep on investigating this.

I disagree, the direction your investigating is going is all wrong.
You should start off by getting your facts straight, understanding the
program, and the protocols it uses and THEN look for weaknesses.

> Pablo Sabbatella
> KerozenE 1999-2001 c0oL!
> www.hackemate.com.ar

-Stan

--
Stan Bubrouski stanat_private
23 Westmoreland Road, Hingham, MA 02043
Cell: (617) 835-3284
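The two points argued in this thread, that the links are plain URL-encoded names under a numeric folder and that only configured shared folders are ever served, modelled as an added Python example (not KaZaa's code; the share table, the id-to-folder mapping and the paths are constructed assumptions):

```python
import posixpath
from urllib.parse import quote_plus, unquote_plus

# Constructed share table (an assumption, not KaZaa's real layout): the numeric
# prefix seen in the quoted URLs is modelled as an id that selects one shared root.
SHARES = {
    "16206": "/home/user/music",
    "16207": "/home/user/movies",
}


def share_url(host, share_id, filename):
    """Build a link of the form shown in the post: '+' for spaces, %XX for
    characters such as parentheses, all under the numeric share folder."""
    return "http://%s:1214/%s/%s" % (host, share_id, quote_plus(filename))


def resolve_shared_file(shares, url_path):
    """Map a request path onto the configured shared folders.

    Returns the normalized absolute path if the request stays inside the
    selected shared root, or None if the id is unknown (folder no longer
    shared, as happens after removing it in preferences) or the path would
    escape the root through '..' segments.
    """
    # Decode first, then normalize, so encoded dots (%2e%2e) cannot slip past.
    decoded = unquote_plus(url_path).lstrip("/")
    share_id, _, rest = decoded.partition("/")
    root = shares.get(share_id)
    if root is None:
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rest))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    name = "Sting - All ThisTime (unplugged).mp3"
    print(share_url("24.232.8.x", "16206", name))
    print(resolve_shared_file(SHARES, "/16206/" + quote_plus(name)))
    # The '....' probe from the post is just a literal (non-existent) name inside the root.
    print(resolve_shared_file(SHARES, "/16206/..../"))
```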
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 11:41:10 PDT