Re: KaZaA + Morpheus sharing files

From: Stanley G. Bubrouski (stan@ccs.neu.edu)
Date: 08/01/01


Date: Wed, 1 Aug 2001 14:32:07 -0400 (EDT)
From: "Stanley G. Bubrouski" <stan@ccs.neu.edu>
To: "Hackemate.com.ar" <hackemate@softhome.net>
Subject: Re: KaZaA + Morpheus sharing files
Message-ID: <Pine.GSO.4.21.0108011406130.2006-100000@denali.ccs.neu.edu>


On Wed, 1 Aug 2001, Hackemate.com.ar wrote:

> They told me to repost it, so here it is
> That is not exactly a bug, anyway I think it can be used as a start
> to discover some huge security holes it has, here I send what I have
> been analyzing:
>
> When we install Morpheus or KaZaA, for the file sharing and searching,
> it opens the port 1214, but, here comes the important thing, it

The webserver that runs on KaZaa clients on 1214 is no secret; it is how
KaZaa handles file transfers. You may notice if you use their website to
do a search the links are all to 1214 on people's machines; that is not a
problem. The only files listed are ones in shared folders and subdirs of
those shared folders.

> doesn't administrate or control it, so here comes:
>

NOT TRUE.

If you go into preferences and remove a directory from the list of shared
directories the files in that directory will no longer be listed on the
built-in webserver.

> http://xxx.xxx.xxx.xxx:1214 (where xxx is the IP)

>
> When you type that in your browser (all my tests have been made with
> IE 5.5), it shows you all the shared files of that user, users with it

Newer versions of KaZaa let you list all the files shared by a user; by
going to port 1214 you are getting the same list as if you had requested a
list of files from the user. This is intended behaviour.

> can be easily found with a simple port scanner. But apart from showing
> you the files, it lets you download them, but here comes another weird
> thing, the files are not linked directly to that folder, or with the
> same name, but rather they have different names (with ++s) and linked
> into folders named with numbers. For example:
>

If you know what port the built-in webserver runs on, why would you need a
portscanner? To waste bandwidth? Leave that to Windows-based worms, kid.

> http://24.232.8.xxx:1214
>
> Sting - All ThisTime (unplugged).mp3 5693985
> castaway(1of2).avi 261096960
> American Beauty (DVD Quality).avi 475150336
>
> But they are not linked like that, they are:
>
> http://24.232.8.x:1214/16206/Sting+-+All+ThisTime+%28unplugged%29.mp3
> instead of:
> http://24.232.8.x:1214/Sting+-+All+ThisTime+%28unplugged%29.mp3
>
> So, that shows us that it orders them with subfolders, and so it
> would be a matter of time to discover how to make a directory scale.
> I have tested with http://xxx.xxx.xx.xxx:1214/..../ and with some
> unicode but it doesn't work, does anybody have an idea of how it could be
> exploited?

> The port 1214 is also vulnerable to a Nuke or Denial of Service attack
> and falls very easily.

Way to be vague. Care to elaborate a little? I've tried a number of DoS
attacks, including extremely long requests, requests at frequent rates,
played with the headers, sent random data to the port and even tried
things involving shoving data from /dev/urandom at the port, and it didn't
even flinch. If you know a DoS that works, post it here so it can be
investigated and fixed. It does no good if you say things like "I can DoS
the port." That tells nothing. We can't reproduce things if we are given
no information on which to base it.

>
> I hope you keep on investigating this.

I disagree, the direction your investigation is going is all wrong. You
should start off by getting your facts straight, understanding the program
and the protocols it uses, and THEN look for weaknesses.

>
>
> Pablo Sabbatella
> KerozenE 1999-2001 c0oL!
> www.hackemate.com.ar
>
>

-Stan

--
Stan Bubrouski                                       stan@ccs.neu.edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284
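As an added illustration, not KaZaA's own code (which is not public), here is the path check a share-only webserver needs so that links of the shape quoted above (numeric folder, '+'-encoded name) serve only files under the shared folders, and requests like `/..../` or `../` cannot reach anything outside them. The share root, the folder id 16206 and the file names are constructed placeholders.

```python
import posixpath
from typing import Optional, Set
from urllib.parse import unquote_plus

# Constructed sample share, shaped like the links quoted in the thread:
# a numeric folder id, then a '+'-encoded file name. The root, the id 16206
# and the names are placeholders for illustration, not real KaZaA values.
SHARE_ROOT = "/srv/kazaa-share"
SHARED_FILES = {
    "16206/Sting - All ThisTime (unplugged).mp3",
    "16206/castaway(1of2).avi",
}


def decode_request_path(raw: str) -> str:
    """Decode a request path the way the quoted links are encoded:
    '+' is a space and %XX is percent-encoding, decoded exactly once."""
    return unquote_plus(raw)


def resolve_shared_path(share_root: str, raw_path: str,
                        shared_files: Set[str] = SHARED_FILES) -> Optional[str]:
    """Map a request path onto the share, or return None when it must be
    refused: traversal out of the root, odd bytes, or a file not shared."""
    decoded = decode_request_path(raw_path)
    # NUL bytes and backslashes have no business in a share path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = posixpath.normpath(share_root)
    # lstrip('/') so an absolute request path cannot replace the root;
    # normpath collapses '.', '..' and duplicate slashes.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment: the normalised path must still sit under the root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # Allow-list: only files in shared folders (and their subdirs) are served,
    # so '/..../' or an unknown name yields nothing even though it is contained.
    relative = candidate[len(root) + 1:]
    if relative not in shared_files:
        return None
    return candidate
```

Note that decoding happens once and containment is checked on the normalised path, so a percent-encoded `..` is treated the same as a literal one.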
