List: bugtraq
Subject: LimeWire Gnutella client two vulnerabilities
From: Kevin Walsh <kwalsh () cs ! cornell ! edu>
Date: 2005-03-14 18:21:22
Message-ID: 20050315011240.23783.qmail () www ! securityfocus ! com
Summary:
Recent versions of the LimeWire client contain vulnerabilities that allow a remote user access to many or all files on a user's machine. LimeWire is a popular client for the Gnutella filesharing network.
Vulnerability 1 - Inappropriate Handling of "resource get" requests.
Symptom: A remote attacker can request and read any file on a host running an affected version of LimeWire. Gnutella "push style" requests are also vulnerable under most conditions, and therefore a local firewall does not prevent the attack. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges, a common scenario in Windows.
Versions affected: LimeWire versions 4.1.2 - 4.5.6, inclusive.
Details: The handling of "resource get" requests is the immediate cause of the problem. A request of the form "/gnutella/res/[filename]" returns the named file. For example, one can telnet to a LimeWire client using the default LimeWire port and type the following text:
GET /gnutella/res/C:\Windows\win.ini HTTP/1.1
User-Agent: I-AM-AN-ATTACKER/1.0
Host: 0.0.0.0:0
Accept: */*
Connection: Keep-Alive
The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similarly, the attacker may request "/gnutella/res//etc/passwd" on Linux or unix-based machines. This attack has been tested and confirmed on Linux and Windows 2000 platforms.
Remedies: This problem has been fixed in the recently released LimeWire versions 4.6.0 and later, which were released promptly by Lime Wire LLC after we informed them of the vulnerability.
Vulnerability 2 - Inappropriate Handling of "magnet" requests.
Symptom: A remote attacker can request and read any file on a host running an affected version of LimeWire. The attacker need only be able to connect to the LimeWire client "magnet" TCP port (the default port, or a port chosen from a modest range if the default is not available). Gnutella "push style" requests are not vulnerable, so a firewall that blocks access to the magnet port blocks the attack. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges.
Versions affected: LimeWire versions 3.9.6 - 4.6.0, inclusive.
Details: The handling of "magnet" requests is the immediate cause of the problem. A request of the form "/magnet10/[rel-filename]" returns the named file, relative to the "root" subdirectory of the LimeWire installation, regardless of whether it is actually in the "root" directory, or indeed even part of the LimeWire package. For example, one can telnet to a LimeWire client and issue an HTTP request "GET /magnet10/../../../../../Windows/Win.ini?Simple-test"
This example assumes that LimeWire is installed in its default installation directory. The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similar attacks work on Linux or unix-based machines. The attack has been tested and confirmed on Linux and Windows 2000 platforms, using several versions of LimeWire.
Remedies: This problem has been fixed in the recently released LimeWire versions 4.8.0 and later, which were released promptly by Lime Wire LLC after we informed them of the vulnerability.
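Both vulnerabilities come down to one missing check: the HTTP handler maps a client-supplied name onto the filesystem without confining the result to the directory it is meant to serve. The following is an added example of that confinement check, written for this post and not LimeWire's own code; it assumes a hypothetical shared root "/opt/limewire/root" and covers the absolute-path form from vulnerability 1 and the "../" traversal form from vulnerability 2, plus URL-encoded variants.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: the only directory the handler is allowed to serve from.
SHARED_ROOT = "/opt/limewire/root"

# The two URL prefixes named in the advisory.
SERVED_PREFIXES = ("/gnutella/res/", "/magnet10/")


def resolve_shared_path(request_target: str, root: str = SHARED_ROOT):
    """Map an HTTP request target to a file under `root`, or return None.

    Rejects absolute paths, Windows drive letters, backslash separators and
    any ".." sequence that would leave `root` after normalisation.
    """
    root = posixpath.normpath(root)
    path = request_target.split("?", 1)[0]          # drop "?Simple-test"-style query
    for prefix in SERVED_PREFIXES:
        if path.startswith(prefix):
            rel = path[len(prefix):]
            break
    else:
        return None                                  # not a resource URL at all
    rel = unquote(rel)                               # decode %2e%2e, %5c, %2f, ...
    rel = rel.replace("\\", "/")                     # treat backslash as a separator
    if not rel:
        return None
    # "/etc/passwd" (via "res//etc/passwd") and "C:/Windows/..." are never relative.
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        return None
    # Normalise the joined path, then require it to still sit inside the root.
    joined = posixpath.normpath(posixpath.join(root, rel))
    if not joined.startswith(root + "/"):
        return None
    return joined
```

Checking the normalised result against the root, rather than filtering the string for "..", is what makes the check robust to encoded and mixed-separator variants.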