Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Hole in Morpheus

Posted by CmdrTaco on from the your-hard-drive-is-an-open-book dept.

Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus user's hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)

5 of 264 comments (clear)

  1. ARTICLE IS FALSE by Calle+Ballz · · Score: 5, Interesting

    Whoever these "hackers" didn't fully research before they decided to stroke their own egos and create a scare. I just tested this remotely (yes, on some stranger) and on my own local machine. My findings? You have access to EVERYTHING IN THE FOLDER THEY HAVE SPECIFICALLY SHARED OUT! Yes, you can download through your web browser what you could have downloaded already through Morpheus/Kazaa. Not a worthy exploit in my book, calm down everyone.

    1. Re:ARTICLE IS FALSE by Calle+Ballz · · Score: 3, Interesting

      Yes. I did. Because at first it seemed to easy, and I figured there was a missing catch. Go ahead, load morpheus on your box, and put in your browser http://127.0.0.1:1214

      Try every combination of things you could possibly do to transverse the shared folder. I didn't find a way, maybe I did miss something but I think a bunch of 12 year old wanna-be hackers thought they stumbled onto something when really they found a window in the front door.

  2. Are they sure the people didn't do it themselves? by sam_handelman · · Score: 4, Interesting

    This story seems a little short on details, and in Kazaa - which runs on the same proprietary engine and, I assume, would be vulnerable to the same worms as Morpheus (of course, closed source => I don't know) - you can just check the box next to your hard drive and share all of its contents. Are they certain that the people they've found didn't do that? That said, maybe Kazaa can't get the worm, if there is one, but when I turn sharing off, my friend can't get any files from my computer (just checked now, he's on the phone) at all; if you're worried, have a friend query your username and see what they can get.

    My inner paranoid, who left the fetal position to read the RIAA thread, thinks this is a music industry plot. I want to say that that is totally preposterous, but after they asked for legislation to make it legal for them to hack our hard drives, I can't totally dispel the suspicion.

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  3. Yeah, HTTP on a different port ... by LoudMusic · · Score: 4, Interesting

    I realize this is the same thing that everyone else is saying, but it's just HTTP (a protocal ...) on a different port. Woop-dee-doo. Have any of you watched Morpheus traffic on a firewall, though? It's rather amusing how close they got to being completely oblivious to a casual sys admin like myself. The client appears to change mp3 file names to .jpg, and send them as http requests on a different port. If they had put it on port 80 I probably wouldn't have caught it 'back in the day'.

    If you really want to make a 'hidden service', you'd make the client break the files up into smaller packages (much like warez RARs), name them random files from the Internet Cache folder, send them on port 80, include a file that tells the receiving end how to put them back together, and you'd be set. It would just look like someone was browsing the Internet. It would be four megabytes worth of webdata ... but I've been known to pull that much webdata from a website before. And if you really want to get hardcore (for the hardcore content checking firewalls) you could change the header information in the files so that they appeared as jpgs, or html files. Super shneeky.

    ~LoudMusic

    --
    No sig for you. YOU GET NO SIG!
  4. A Worm??? by crisco · · Score: 3, Interesting
    "It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."

    A worm???

    Like Code Red? Or NIMDA?

    This sounds like some crack addled reporters posing as computer hackers.

    Scenario 1: There is a hole and it will be confirmed through trustworthy channels. It is a buffer overflow or http path traversal problem. The reporters or editors got confused when the brainiacs described it to them and attempted to describe it in terms everyone understands, hence a coding mistake from FastTrak or Morpheus being described as a 'worm'.

    Scenario 2: There is a worm exploiting Morpheus. Fat chance the first we hear of this is from BBC.

    Scenario 3: They discovered that Morpheus uses http over port 1214 as a transport layer and were amazed to find out that some people have shared their entire hard drive. Wanna find everyone that has their entire hard drive shared? Just search for some windows component that shouldn't be shared. Try it, you'll be amazed. Others have covered this in greater detail, including variations that make even more sense.

    Scenario 4: Conspiracy. Also more details in other posts.

    --

    Bleh!