Slashdot Mirror


Security Hole in Morpheus

Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus users' hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)

18 of 264 comments

  1. here is how to do it by DanThe1Man · · Score: 1, Informative

    for those script kiddies out there that want to exploit, here is how to do it.

    http://users.pandora.be/lechat/Morpheus%20Exploit.htm

    1. Re:here is how to do it by stinky+wizzleteats · · Score: 2, Informative

      Here's the details on what exactly the vulnerability is

      Basically, the assertion that one could gain access to the whole hard drive is false. Looks like a FUD attack on file sharing to me.

    2. Re:here is how to do it by ncc74656 · · Score: 3, Informative
      for those script kiddies out there that want to exploit, here is how to do it.

      http://users.pandora.be/lechat/Morpheus%20Exploit.htm

      I tried that against a machine running Morpheus, and the only files that were listed were files in directories that I had told Morpheus to share. IOW, the only files made available via HTTP are the same files made available via FastTrack's protocol. Would someone like to explain to me how this constitutes a security hole? IIRC, this feature of Morpheus is documented (don't recall if it can be switched off).

      FWIW, the machine running Morpheus is behind a firewall...HTTP access to it gets blocked anyway. (The little bit of testing I did was from another machine on the LAN.)

      --
      20 January 2017: the End of an Error.
  2. Uhh by HeavensTrash · · Score: 1, Informative

    If this 'hack' is involving connecting to someone's ip via your web browser on port 1214, this is hardly a hack. It just shows the files listed in their already 'Shared Folder', no more no less.

  3. Oh please... by khaladan · · Score: 4, Informative

    You mean not much of a fuss, aside from the 555 posts attached to Wu-ftpd Remote Root Hole, right?

  4. how to protect yourself by DanThe1Man · · Score: 4, Informative

    Since the exploit needs the person to be downloading a file to get in, you can protect yourself by turning off downloads. Do this by going into Tools->options->Traffic and click on Disable sharing of files. This will protect you.

    1. Re:how to protect yourself by Herr_Nightingale · · Score: 3, Informative

      hey buddy in case you didn't notice (and I know you didn't 'cuz I read your post) there IS no exploit - unless you consider allowing access to EXPLICITLY SHARED FILES with a FILE_SHARING app to be a security hole.
      The REAL protection is to unshare any folders that shouldn't be accessible to the public. Simple, sweet, and common sense. The only way that your private files will be shared in a default installation of Morpheus/FastTrack client is if they are saved to the (newly created) directory.
      Think about it. Read the BBC article. Then try to genuinely *HACK* Morpheus, and if you are successful in your mission I will eat my words with relish.
      Sorry for tone of post, but it needed to be said.

  5. Ermm, it's actually a bit worse than some think.. by Toodles · · Score: 1, Informative

    If you are the kind that thinks 'Oh shucks, no big deal', think again.

    If this is any kind of domain controller, remember that your SAM file can be downloaded, and if your system has Microsoft network file sharing open or is running any part of the IIS suite, you're as good as hacked. It can be downloaded and brute hacked with L0pht crack.

    If you run any of the popular online games such as Quake 3 arena or Return to Castle Wolfenstein, your cd key is stored in plain text. All of a sudden you can't play because it is in use by '3l33t hax0r' 24x7. Other games such as Starcraft and HalfLife keep the key in the registry, which is also accessible. (see above)

    Any kind of online login is vulnerable. These h4x0rz can use your sign in to Amazon.com and "One Click" a library to their address with your credit card. Your online porn accounts, your SSH and PGP private key, the list goes on.

    And let's not forget those pictures of your wife you took with the new digital camera in your bedroom.

    Toodles, who thinks it's funny that people feel this is an insignificant security hole, and that the hole in XP was a threat to all mankind.

    --
    Toodles D. Clown
  6. Not A Hack by Muerte23 · · Score: 5, Informative
    this is not a "hack" or even a "security exploit". it only lets people see what files you have already specifically shared!

    just HTTP to the person's port 1214 and morpheus (or Kazaa or whatever FastTrack client i suppose) gives you a list of shared files.

    THERE IS NO DANGER FROM THIS "EXPLOIT"

    i think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index. you could also add port 139 to scan WFW shares while you are at it. you could create your own FastTrack "supernode" with this method, if you were really inclined.

    when i read the story header i thought that it meant that any file on my hard drive was accessible via some nimda/codeRed type exploit. this is not the case.

    VERDICT: story not worth posting.

    Muerte

    1. Re:Not A Hack by skt · · Score: 3, Informative
      I don't really understand why people keep saying this. The BBC article doesn't mention anything about the http server built into morpheus clients. It says:

      Using the Morpheus program, they found a way of getting a random list of people using the service. They could then obtain details of the content of a user's hard drive and make copies of any file. "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

      If you were referring to the 'exploit' someone posted earlier about pointing a web browser at a node, then that obviously isn't any kind of exploit. However, the issue they mention in the article sounds very different.. the article even mentions a worm.. They also say that not all users are affected, the issue you describe would affect everyone (assuming no firewall that blocks connections to 1214).

    2. Re:Not A Hack by ncc74656 · · Score: 4, Informative
      Using the Morpheus program, they found a way of getting a random list of people using the service.

      Search for something with Morpheus and it'll come back with a list of hosts that have it. If it communicates with those hosts directly, you can get their IPs with netstat -n.

      They could then obtain details of the content of a user's hard drive and make copies of any file.

      Morpheus has an option within the program that does this...you can select one of the search results and tell Morpheus to go looking for whatever else that user has shared. You can download any available file through the Morpheus interface or from the HTTP server that the remote Morpheus puts up on port 1214.

      "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

      How about "some dumbshit's stupid enough to tell Morpheus to share C:\ and everything underneath it"?

      The story is either a hoax or is FUD of some sort. You wouldn't think the Beeb would screw up this badly, but nobody's perfect.

      --
      20 January 2017: the End of an Error.
  7. Re:ARTICLE IS FALSE by illusion_2K · · Score: 2, Informative

    Quite right.

    In fact, this stuff has been known about for quite some time now. A quick search of Bugtraq came up with this message. It basically says that Fasttrack based clients have a built-in http server. Big deal.

    This sounds more like a misconfiguration issue in the sense that people may be sharing entire harddrives. But until this is discussed and verified in some sort of forum like Bugtraq I wouldn't believe it.

  8. morpheus == kazaa by motox · · Score: 2, Informative

    it's the same identical client, just the name is changed. even the tempfiles are created as kaz**

  9. Re:Good by Anonymous Coward · · Score: 1, Informative
    I used it for a few days but then it stated (sic) generating kazaa files.

    Perhaps you're talking about the filenames for partial downloads? You do realize that morpheus and kazaa share a p2p system, don't you? Oh, wait; you don't have the first fucking clue. Sorry I asked.

  10. EXPLOIT? Don't think so... by hyrdra · · Score: 5, Informative

    I've known about this so-called exploit for months. I often use it to quickly check to see if a specific user has any files shared, and what files they are. Basically, it's the same as a BearShare or LimeWire HTTP server listing shared files and providing links to download.

    This comes from the fact that the FastTrack protocol transfers and requests files via the HTTP protocol, thus any HTTP speaking application (such as a web browser) should be able to do the same as a Morpheus client, which is really only a fancy web browser.

    In fact, the OpenFTP has a program which does in fact scan IP address ranges from the 1214 port number, indexes the files, and then provides these for searching on the OpenFT network. They even have a memory-dump function which dumps the entire memory block of the Linux KazAa client kza (no longer available), and searches for IP addresses to index.

    I would question the so-called 'group' the BBC contacted. It's either an ultra-liberal doomsday security group like that of Steve Gibson or is a very good (?) attempt by the RIAA to scare people off the FT network, which now has peaked at over 700,000 connected nodes.

    But as for a security threat, there is no concern. The only files accessible on the internal web server are those which have been specifically selected to be shared, and a dynamic wwwroot is then generated based on selected directories (usually just My Shared Files).

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  11. important to support giFTproject by CptnHarlock · · Score: 4, Informative

    *sigh* ... I've tried to submit giFT related stories several times and gotten rejected all the time. Seems almost as if /. editors would rather have stories about bitching over KaZaA/Morpheus than helping make an important alternative project more well known and supported. The result of this can clearly be seen in this answer to your post further down.

    If you are tired of bitching and want to do something about it then get involved.

    Cheers...

    --
    $HOME is where the .*shrc is
    -- silver_p
  12. Kazaa makes files world-readable if .... by Reziac · · Score: 5, Informative

    ... you have filenames present that contain high ASCII characters. I have personally observed this on many occasions, just by way of using the old Kazaa websearch to locate files on shared drives. Go to the host IP address to see what else was available from that host, and sometimes not only the MP3s offered, but also every single file on the HD was visible and readable.

    The common factor observed in ALL cases was ANY file present with high ASCII in the filename. (I'd guess mostly or entirely on Win32 systems using an Oriental character set, judging by the MP3s present.)

    Note: I do not have Kazaa installed myself, nor any of its kin. I was viewing these unexpectedly available files with plain old Netscape 3.

    There were complaints about similar events on the Kazaa "report bugs" forum. (After reading that forum for a while, no way in hell would I install the Kazaa client -- since it also had a habit of randomly wiping out files on some systems.)

    Anyway, it wouldn't surprise me at all if Morpheus has a similar bug.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  13. Already done by AirLace · · Score: 3, Informative

    This security 'hole' has been exploited since the middle of last year by the Free Software giFT project.
    Although the project's primary goal is to provide a Free alternative to the FastTrack network, giFT includes a tool that scans arbitrary IP address ranges on port 1214 and indexes the results, offering the discovered files through either an http or Gtk+ interface. It's a waste of bandwidth, but some would argue that it gets the work done.
    I hope people support giFT in creating a secure, Free Software alternative to FastTrack. All these stories of spyware and root holes (even if unsubstantiated) are quite disturbing.