Thanks for the information about Kazaa, and you're completely right about the possibility of a DoS attack - I don't know where my head was this morning - because these little web servers are extremely vulnerable to security threats and shouldn't be implemented, at least as a "good practice".

In practice, and related to what you said, Kazaa doesn't block file download requests made directly through HTTP even if a limit on upload connections is set in Traffic Settings... What does limit the anonymous connections is restricting the bandwidth in Advanced Settings...

Carlos Gaona U.

----- Original Message -----
From: "Jackal" <-jackal-@libero.it>
To: "Carlos Gaona" <cgaonauat_private>
Sent: Monday, February 04, 2002 12:35 PM
Subject: Re: Reported Kazaa and Morpheus vulnerabilities

> ----- Original Message -----
> From: "Carlos Gaona" <cgaonauat_private>
> To: "Vuln-Dev" <vuln-devat_private>
> Cc: "HarryM" <harrym@the-group.org>
> Sent: Monday, February 04, 2002 10:07 AM
> Subject: Reported Kazaa and Morpheus vulnerabilities
>
> ---- snip ---
> > As far as I know there is no security
> > threat compromising files beyond the ones that are already shared. Once you
> > download a file through, the software detects and processes it normally. There
> > isn't (as far as I know) anything like " ../ " path problems or Unicode
> > related... and I "think" a DoS is not probable.
> ---- snip ----
> >
> > Carlos Gaona U.
> > ndr113at_private
>
> Creating a DoS attack for Morpheus/Kazaa is quite simple.
> In fact only the connections made from other users with
> the same application can be regulated and detected from
> the client.
> Anonymous connections (directly at 1214/tcp port)
> cannot be detected even by most personal firewalls
> such as Zone Alarm, 'cause Morpheus/Kazaa needs to
> be in totally "Allowed zone" to open connections to
> outside sources.
> This "architecture" lets us flood this little web server
> with HTTP requests, in order to use all the available
> bandwidth and block Internet access on the target host.
> Each connection, in fact, will generate a socket in
> "TIME_WAIT" status on 1214/tcp port (however visible
> with a simple NETSTAT command on the target host)
> that will cause the saturation of net resources.
> Some months ago, Paul Godfrey (PaulGat_private)
> coded a Morpheus/Kazaa Denial of service in Perl...
> u can find it on Packetstorm site.
> Moreover, u can get a deeper knowledge of Morpheus/Kazaa
> architecture at:
> http://www.openp2p.com/pub/a/p2p/2001/07/02/morpheus.html?page=2
> Kindly Regards,
>
>
> Stefano Mele aka The Jackal
> < -jackal-@libero.it >
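
The thread notes that connections to 1214/tcp show up as TIME_WAIT sockets in NETSTAT output on the affected host. The following is an added example, not part of the original messages: a small Python check that counts those sockets per remote address. The sample netstat text, the function names and the threshold are all constructed assumptions.

```python
import re
from collections import Counter

KAZAA_PORT = 1214  # port named in the thread

# Constructed sample of Windows `netstat -an` output; addresses are
# documentation ranges, not data from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1214        198.51.100.7:40101     TIME_WAIT
  TCP    192.0.2.10:1214        198.51.100.7:40102     TIME_WAIT
  TCP    192.0.2.10:1214        198.51.100.7:40103     TIME_WAIT
  TCP    192.0.2.10:1214        198.51.100.7:40104     TIME_WAIT
  TCP    192.0.2.10:1214        203.0.113.20:51500     TIME_WAIT
  TCP    192.0.2.10:1214        203.0.113.20:51501     ESTABLISHED
  TCP    192.0.2.10:3055        198.51.100.9:80        TIME_WAIT
"""

# Matches one TCP row: local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def time_wait_by_peer(netstat_text, port=KAZAA_PORT):
    """Count TIME_WAIT sockets on the local port, grouped by remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or non-TCP row
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) == port and state.upper() == "TIME_WAIT":
            counts[remote] += 1
    return counts

def flag_peers(counts, threshold=3):
    """Return peers at or above the threshold (an assumed value, tune per host)."""
    return sorted(peer for peer, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = time_wait_by_peer(SAMPLE_NETSTAT)
    for peer, n in counts.most_common():
        print(f"{peer:20} {n}")
    print("flagged:", flag_peers(counts))
```
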
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 11:17:52 PST