RE: limewire cookie (among others) disclosure vuln

From: Ed Lopez (edlopeat_private)
Date: Tue Oct 02 2001 - 09:38:29 PDT

  • Next message: dullienat_private: "Re: .com"

    This is true, however LimeWire does ask at time of installation if it can
    search your harddrive for files to share.  I did not choose this feature
    when I tested LimeWire, but am now curious if LimeWire copies such files to
    the 'shared' folders (which I doubt), or does it flag those files (or heaven
    help us, folders) as sharable.  This may be the source of a directory
    traversal vuln.
    
    Ed
    
    -----Original Message-----
    From: leon [mailto:leonat_private]
    Sent: Monday, October 01, 2001 4:52 PM
    To: 'Steve Skoronski'
    Cc: vuln-devat_private
    Subject: RE: limewire cookie (among others) disclosure vuln
    
    
    Try searching for keen and watch all kinds of cookies come up.  By
    default it does not share the whole harddrive but it is a simple click
    of a mouse that gives the whole thing up.   I was thinking more along
    the lines of people dumping the same file.  Browse host rarely works.
    
    Hope that helps,
    
    Leon
    
    Ps:  I am saying most people tend to mis configure (ie share the whole
    harddrive) this is NOT the default behavior.  So no there is no
    directory traversal vuln.
    
    
    
    -----Original Message-----
    From: Steve Skoronski [mailto:skoronskiat_private]
    Sent: Monday, October 01, 2001 3:08 PM
    To: 'leon'
    Cc: 'vuln-devat_private'
    Subject: RE: limewire cookie (among others) disclosure vuln
    
    I fully agree that if someone was sharing their entire hard drive this
    would
    be a really bad thing in terms of ability to compromise the machine.
    
    I just installed limewire and it defaulted my shared directory to
    \limewire1.7\shared\
    
    Do you have a way of bypassing this? Some sort of directory traversal?
    
    I tried searching for things like 'rundll' and came up with lots! If the
    shared directory is default, are people manually changing this to C:\ ?!
    
    
    Also, not getting much luck using the 'browse host' function, it doesn't
    seem to return anything.
    
    Telneting directly to the host on TCP 6347 yielded nothing either.
    
    
    
    -----Original Message-----
    From: leon [mailto:leonat_private]
    Sent: Sunday, September 30, 2001 2:00 PM
    To: vuln-devat_private
    Subject: limewire cookie (among others) disclosure vuln
    
    
    Hi everyone,
    
    Aleph One suggested I post this here to get a more polished version for
    an advisory.  Here is what I have found and I am sure most of the people
    here can test this and develop it even further.  Limewire is a gnutella
    file sharing client.  Due to common misconfigurations by the user,
    people are sharing their whole harddrives.  This means you can do
    everything from downloading someone's quicken data file (quicken is a
    money management program) to downloading cookies off peoples hard
    drives.  Who cares about the cookies you say?  Well I have found cookies
    from certain sites that contains people user name & password stored in
    clear text.  I am sure with enough testing you could figure out a way to
    dump the sam file off an NT box or etc etc.
    
    
    Anyone who wants to run with this great I would just appreciate if you
    do further the research you let me know what you find.
    
    Cheers Vuln-Dev,
    
    Leon
    
    ps: sorry for screwing up the packet capture on the aol im 0-day post.
    



    This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 11:07:42 PDT