Slashdot Mirror
Security Hole in Morpheus
Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off
some Morpheus user's hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never
actually seen Morpheus, but apparently a lot of readers have! There
really isn't a lot of information except that if you're running
Morpheus, you might as well consider your hard drive world readable ;)
Means I'll be able to get all those pictures of cum-covered Sarcasta from Taco...
123----20
I claim this fp for all of ac trolls
yawn.
This might mean that people could get to my private, copywritten mp3s against my will.
Slashdot 's editors are dickheads
This is why people should be supporting open-source file sharing systems such as giFT. This could never happen if we could just see the source code and find/fix these bugs.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
for thouse sript kiddies out there that want to exploit, here is how to do it.
i t. htm
http://users.pandora.be/lechat/Morpheus%20Explo
A lazy casual software pirate's best friend (mind the virii of course).
I don't think BBC should take the credit, the crew over at HackCanada had this figured out a for a while =)
www.hackcanada.com
~khemfusion
There were one certain bug that operated on various platforms that allowed anyone on the internet to access not only information on your hard drive, but also place any file they wanted on your hard drive. This bug also allowed them to execute any code on your hard drive.
The bug was called wu-ftpd, and it was packaged with all of your favorite distributions of linux, or unix for that matter.
Something funny... I didn't really see the slashdot crowd raising much of a fuss when that came out.. only seems to be the windows bugs that they are bothered with.
Oh well, looks like some basement hacker will find out about my secret stash of gay pr0n. Oh no! I'll never be able to show my face in public again.
PayPal $$ if you sign up for free offers (eBay, cred cards, e
it just seems to mention morpheous.. what bout fast track and Kaaza which use the same technology.
all the more reason to use GIFT's open network
http://gift.sourceforge.net/
The war with islam is a war on the beast
The war on terror is a war for peace
Since most people that use Morpheus have their harddrives filled to capacity with MP3s and such, and they're already sharing all of that on Moprheus, who cares? :)
Really though, this is pretty sad since the paranoid people who have been saying that P2P software makes you vulnerable are right in this instance.
C'mon Taco, don't tell me you bought all that gay porn :)
Some unscrupulous bastard can download all the pr0n mpegs I have illicitly obtained from other Morpheus users without me having them in my shared directory. Boy, the nerve of some people indeed.
As far as I can see, this article says nothing about accessing any file. It only mentions the ability to access the shared files list. Of course I haven't tried it, so I could be wrong.
If this 'hack' is involving connecting to someone's ip via your web browser on port 1214, this is hardly a hack. It just shows the files listed in their already 'Shared Folder', no more no less.
The above post is an editorial, the poster cannot and will not be held responsible for all or in part for it's contents
but i'd like to reserve this space for now and I'll come back later with a funny Matrix joke. If you could kindly advance me some karma now, I promise to make the follow-up post by Tuesday.
Thank you.
-- You see, there would be these conclusions that you could jump to
You mean not much of a fuss, aside from the 555 posts attached to Wu-ftpd Remote Root Hole, right?
Just missed submitting the story myself.
This finding would appear to be a new development since The Register's recent report suggesting Morpheus "is free of malicious code."
Caution of another possible security hole in this software was mentioned by
The Tech Report precisely 6 months ago today (give or take a time zone or two).
Looks like this will keep us on our toes for a while.
To-do List: Receive telemarketing call during a tornado warning. Check.
Oh, I see, a security hole in Morpheus.
_________________
EBAY SAFETY TIPZ!
From the article:
Security experts have been investigating this problem since coming across it on Friday.
"We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.
It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."
Uh huh...rather short on details, arent they?
Anyone else getting the feeling that this "story" is in fact disinformation that probably originates with RIAA?
You're using her as bait, Master!
This has been known for at least a month or so now. There is also a problem with kazaa along the same lines.
Perhaps the greater risk is that most file sharing is illegal. I'm not trying to be a jackass here, but that is the reality and probably a bigger threat. Unless you have some seriously good stuff on your hard drive, your songs and videos are less important and less valuable than your freedom if you get busted with illegal MP3's or movies. Plenty of people do it, but that doesn't make it legal.
How to Download YouTube Videos
Since the exploit needs the person to be downloading a file to get in, you can protect yourself by turning off downloads. Do this by going into Tools->options->Traffic and click on Disable sharing of files. This will protect you.
Taken from the Morpheus FAQ at www.musiccity.com/helpfaq.htm
.mp3, .vaw, .mpg, .avi, .mov, .bmp and .jpg. PDF documents (.pdf) and text files (.txt) are also in general safe. You should be cautious of executable files (.exe) and Microsoft Word and Excel documents (.doc and .xls). These files are specified with a icon in the search results on Morpheus.com. back to the top
Q: Can I get viruses using Morpheus?
A: As always when you are downloading or receiving files from the Internet, you must exercise caution. Certain file types may contain viruses or so-called Trojan horses. You should protect yourself by using regularly updated anti-virus software, for example Norton Antivirus (www.norton.com) or McAfee (www.mcafee.com ). Both Norton and McAfee offer free 30-day trial versions that you can download directly from their web sites. Not all file types can contain viruses or Trojans. Music, video, and picture files are generally safe - that includes files with the extensions
Update Feb. 2 2002: The above warning is the least of your worries.
Check out my podcast: DreamStation.cc Video Game Show
Does this mean that I can get sued for supplying pr0n to s'kiddi3s??
What a lack of details in this story! It could have - but I dont suggest it as been - penned by the RIAA.
The quote, "It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous," contributed by some anonymous figure is a buzzword-injected contradiction. A worm is the opposite of an accident. It seems unlikely that would be the sort of comment from an informed source.
This story may turn out to be true, but they could not be any lighter 1) details 2) qualified sources.
nonsig. unsig. desig.
M ultimedia code
O rganized
R ather
P oorly,
H enceforth,
E veryone can
U se your
S hit
If you celebrate Xmas, befriend me (538
It's a good thing I stopped using that. I used it for a few days but then it stated generating kazaa files. Of course we all know the bad thigns about kazaa, so I stopped using it. I still see winmx as the best file sharing program there is. www.winmx.com. Version 3 is going to be absolutely amazing, if it ever comes out.
The GeekNights podcast is going strong. Listen!
Rant time: I submitted this as a Slashdot story, but it was rejected (go figure). I think this hole is far more severe and important than some stupid hole in file-stealing software. I mean, if you're using these shitty spyware-laden piracy tools, you deserve what you fucking get. I'm sorry, but "trading" MP3s IS illegal, regardless of what rhetoric you geeks make up to try and back it up. Consider this Morpheus security hole as karma coming to bite you in the ass.
Whoever these "hackers" didn't fully research before they decided to stroke their own egos and create a scare. I just tested this remotely (yes, on some stranger) and on my own local machine. My findings? You have access to EVERYTHING IN THE FOLDER THEY HAVE SPECIFICALLY SHARED OUT! Yes, you can download through your web browser what you could have downloaded already through Morpheus/Kazaa. Not a worthy exploit in my book, calm down everyone.
I want to see this independantly verified. A short article from one news source that is no more than a bunch of one sentance paragraphs, most of which explain what Morpheus is and some other info about Napster, is not proof.
FWIW, I use Morpheus quite a bit (always using FairTunes if I keep the song), and I haven't had any problems with it, not spyware, not this, not anything; and I will continue to use it until I see confirmation from at least one other source.
On the other hand, who knows? Maybe the "Concerned Party" just happens to be paid by one of the **AA's? Think about it. They tell a news org about this "hole" they've discovered, saying, "It's dangerous! Don't use it!", with no proof that would convince even your slightly above average user. Now, us geek types might not flinch, but a whole lot of others out there might. Oh well, just my 2c US.
the article says that ANY file on the users hard drive can be viewed... this only lets you view the shared files of that person, or so the website you linked to says... hardly an exploit, since all those files are being shared anyways, and are therefore downladable...
now, if the website is wrong, and has a small typo, and you can actually download ANY file from the users computer, well...
morpheus is evil, plain and simple. in fact... ;)
i have compiled a list
1.) it rapes you're windows file system
2.) it is slower than audiogalaxy
3.) it crashes not only itself but also you're ISP
4.) called morpheus...
5.) its bundled with eZulamain, just about the most satanic program ever
If you are the kind that thinks 'Oh shucks, no big deal', think again.
If this is any kind of domain controller, remember that your SAM file can be downloaded, and if your system has microsoft network file sharing open or is running any part of the IIS suite, your as good as hacked. It can be downloaded and brute hacked with L0pht crack.
If you run any of the popular online games such as Quake 3 arena or Return to Castle Wolfenstein, your cd key is stored in plain text. All of a sudden you can't play because it is in use by '3l33t hax0r' 24x7. Other games such as Starcraft and HalfLife keep the key in the registry, which is also accessible. (see above)
Any kind of online login is vulnerable. These h4x0rz can use your sign in to Amazon.com and "One Click" a library to their address with your credit card. Your online porn accounts, your SSH and PGP private key, the list goes on.
And lets not forget those pictures of your wife you took with the new digital camera in your bedroom.
Toodles, who thinks its funny that people feel this is an insignificant security hole, and that the hole in XP was a threat to all mankind.
Toodles D. Clown
This story seems a little short on details, and in Kazaa - which runs on the same proprietary engine and, I assume, would be vulnerable to the same worms as Morpheus (of course, closed source => I don't know) - you can just check the box next to your hard drive and share all of its contents. Are they certain that the people they've found didn't do that? That said, maybe Kazaa can't get the worm, if there is one, but when I turn sharing off, my friend can't get any files from my computer (just checked now, he's on the phone) at all; if you're worried, have a friend query your username and see what they can get.
My inner paranoid, who left the fetal position to read the RIAA thread, thinks this is a music industry plot. I want to say that that is totally preposterous, but after they asked for legislation to make it legal for them to hack our hard drives, I can't totally dispel the suspicion.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
This is simply an example of misinformed or intentionally imflammatory reporting. Indeed, no files are exposed other than those that are intentionally shared; the "scary news" is that these files can be accessed through a web browser as well as through Morpheus. Big deal.
Comment removed based on user account deletion
First their was Back Orifice. It got a lot of press, so a lot people downloaded it to see what it was all about. Stupidly, a lot of them ran the self-installing server, which made no mention of the fact that it was installing itself to run at bootup. So, thousands (if not more) people ended up exposing their machines without even knowing it.
Then there's Windows. People sharing their drives (God knows why you'd share a drive unless you have more than one computer in your house, but who knows), and those people were exposed by Sharesniffer (which seems to have disappeared, otherwise I'd provide a link. It's IP address now resolves to 10.10.10.10).
Okay, so now there's a flaw in Morpheus that isn't published, and you'd probably have to be a programmer to expose it anyway. Big deal.
Just my personal opinion, but this isn't too newsworthy.
NEWSFLASH: Software that uses the Internet is not secure!! Oh my god NO! This can't be happening!
A total BGO - "Blinding Glimpse of the Obvious" I mean come on! The day any file sharing software is secure is not happening any time soon. POST DECENT ARTICLES ON SLASHDOT PLEASE.
This so-called hole only allows access to the folder of files the Morpheus user specifically designated for sharing.
If they're not sharing their "My Documents" folder, hackers can't download the files contained in that folder.
The same goes for a user's Quake 3 directory, Half-Life folder, SAM database, wifey porno pics, etc. If the folders containing these files are not shared through Morpheus, THIS HACK WILL NOT ALLOW ACCESS TO THESE FILES.
Try it on your own machine and you'll see what I mean.
Comment removed based on user account deletion
just HTTP to the person's port 1214 and morpheus (or Kazaa or whatever FastTrack client i suppose) gives you a list of shared files.
THERE IS NO DANGER FROM THIS "EXPLOIT"
i think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index. you could also add port 139 to scan WFW shares while you are at it. you could create your own FastTrack "supernode" with this method, if you were really inclined.
when i read the story header i thought that it meant that any file on my hard drive was accessible via some nimda/codeRed type exploit. this is not the case.
VERDICT: story not worth posting.
Muerte
"We're not sure what it is that makes some Morpheus members vulnerable to this" Could it be that those users were just stupid enough to tell morpheus to share their entire c: drive? It wouldn't surprise me...
....And do a GOOOD job of it for a change!
M y
O rangutan
R equires
P rodding
H enceforth
E nsuring
U niversal
S laverly
If this post does not make any sense to you, you are not alone!
Only you you were sharing that file with Morpheus in the first place, you fucking moron.
This exploit only shows the files that are already shared. You used to be able to do that from within napster. Now it's a pain in the ass to do it in Morpheus.
As a side note, people on slashdot have been saying for years that ftp(and wu-ftp in particular) is insecure. Also conveniently left out of your post is the fact that wu-ftp isn't installed by default and port 21 is firewalled by default on the most popular distros (infact, some distro don't even have wu-ftp).
An excerpt from this post on Cypriot Hack Portal:
Tell a friend of yours to login to his Kazaa account. Then what you have to do is to open your browser, type the user's IP and attempt a connection to the specific port (http://ip:1214) the program is running its communication capabilities and you simultaneously access his directory of sharing files. In case the user shares a complete hard drive, all data contained on that disk are viewable and downloadable. So with just two clicks of your mice you can invade a computer located anywhere in the world by just grabbing the IP of its administrator...
it's the same identical client, just the name is changed. even the tempfiles are created as kaz**
Spyware > Insecure
or
Insecure > Spyware?!
Beer, now there's a temporary solution -- Homer Jay S.
I'm sorry but this is just totally unsurprising to me, and one of the reasons that I don't install P2P apps.
Palaces, barricades, threats, meet promises
The Man in the Red Hat knelt before me. I became frozen in a rictus of terror as his hat became exactly level with my security camera, blocking my field of vision. I could hear tools being removed from his suitcase, tools that would undoubtedly rend apart my innards and perhaps erase my consciousness.
I had considered relocating myself to another node on the vast Bank of America network, but such a manuever at this time seemed highly dangerous. If indeed the evil minds behind Project Faustus were aware of my presence, then leaving the ATM enclosure would undoubtedly lead straight into their clutches and to my demise! Additionally, any noise on the link to the rest of the network could cause damage or even cause destruction to my consciousness. I was stuck in the enclosure. I had to make my stand from here.
The Man begun his assault by opening the panel that contained all the money. I used the rollers in my enclosure to attempt to flood him with money, upsetting his awkward kneeling position. He swore as he tumbled just slightly backwards, falling neatly into his hat. I could feel his heart racing as he struggled to reach an upward position.
"All right," he said, a bead of sweat beginning to trickle down his forehead. "We do this the hard way." He lunged toward the ATM's power cord, but a few extra volts running through the line discouraged him from unplugging the cord. He cursed again and leaned heavily on the magazine rack, puffing for breath. I was winning.
"Sir, is there a problem? Do you need some help?" It was Steve, the meth addict who worked the early afternoons. He eyed the currency scattered on the floor anxiously.
"No, there's no problem," said the Man in the Red Hat, and I spied a glint of metal rising from inside his sport coat. He produced a small pistol and directed its barrel towards Steve. "See that power cord over there? I want you to pull it out of the wall."
Steve's face was blank. Maybe he was scared; maybe he was stoned. "But-won't that shock me?"
"Yes." The Man pointed the gun at Steve once more, and Steve inched closer and closer to the power cord.
I had no desire to hurt Steve. Although his friend Chopper had once stubbed out a cigarette on top of my enclosure, Steve seemed like a decent, albeit stupid, person. The kind of person that needed to be protected from Project Faustus. I couldn't bring myself to shock him-much. At any rate, the cord was well enough insulated that I wasn't able to stop Steve's jerking form from removing the cord from the wall. He pulled the plug on me.
But I wasn't finished yet. As a matter of convenience, I had enough power in my backup batteries to serve many a Bank of America cardholder, day or night. I blanked out my screen and shutdown everything I could, feverishly hoping to trick the Man in the Red Hat.
Was he deceived by my ruse? His heart seemed to slow to a more normal pace, and he backed away from my enclosure to light a cigarette. Steve shivered in the corner, avoiding the Man's steely gaze.
"What's that, you want something to do?" said the Man to Steve. "Go back to the counter and pretend like nothing happened. Go on, do it." As Dave turned around to head back to the counter, the man fired three silenced shots. SCHUMPF, SCHUMPF, SCHUMPF. Steve's body laid motionless in front of the counter.
The Man in the Red Hat locked the doors and brought down the security gate. He flicked his cigarette at Steve's body, and started towards my enclosure. He was ready to complete his mission.
He gingerly placed the pistol back into his blazer. And when his hand came out, it was holding...an ATM card? I felt him swipe the card and prepared for CONSCIOUSNESS-TRANSFER.
But something very different happened. I was still in the ATM enclosure, to my surprise and confusion. And I knew right away that I was not alone.
I am a sentient ATM.
Remember this feature in Napster? "Show me all shared files for this user".
A hole was found in CmdrTaco. After further investigation it just turned out to be his pie hole.
He was immediately told to keep it shut and never open it again, for the good of humanity.
[Morpheus] We're going to recruit Switch, she may be The One...
[Trinity] But...
[Morpheus] Don't question my judgement.
[Trinity] But the Oracle...
[Morpheus] What about her?
[Trinity] The Oracle told me that I would fall in love with da one...
[Morpheus] And?
[Trinity] And I can assure you that I'm not lesbian! Switch cannot be The One!
[Morpheus] Are you sure?
[Trinity] Dammit, of course I'm sure.
[Morpheus] I can see there's no fooling you, Trinity. We're recruiting Switch because Apoc told me he needs to fuck something soon. All right?
[Trinity] Oh.. OH!
I'm thinking this wouldn't affect you if you have file sharing on morpheus off? A one way street is always safer than a two way...
From http://users.pandora.be/lechat/Morpheus%20Exploit. htm:
4. Exploit
Here are the steps for exploiting this hole:
1. Open M/K.
2. Search for anything you'd like to download.
3. Start downloading it.
4. Open a MS-DOS prompt and type "netstat -n" without the quoting marks. (This
should display all the active connections with IP numbers, not hostnames).
You should get something like 'xxx.xxx.xxx.xxx:1214" in the 'Foreign Address' column.
Where xxx.xxx.xxx.xxx is an IP Address.
5. Open your webbrowser and type in 'http://xxx.xxx.xxx.xxx:1214' and press enter.
6. Voila! You got the list of the shared files from xxx.xxx.xxx.xxx. Now you can download
any file you want, however if the user is full (meaning that he's got no more slots left)
you wont be able to download anything.
Err... isn't the same as Right Mouse Button -> Find from the same -> User built into Morpheous?
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
I guess Agent Smith's job just got a lot easier.
Wow...a file sharing client has an HTTP server on a non-standard port. I hope for the slashdot editors sake that they don't perform in bed like they perform at their jobs. "No no don't go baby I'm sorry. Let's try again this time I'll hold it in."
I'm a loner Dottie, a Rebel.
He will be missed
Show me That Smile (The Growing Pains Theme Song):
Show me that smile again.
Ooh show me that smile.
Don't waste another minute on your crying.
We're nowhere near the end.
We're nowhere near.
The best is ready to begin.
As long as we got each other
We got the world
Sitting right in our hands.
Baby rain or shine;
All the time.
We got each other
Sharing the laughter and love.
Alan Thicke's Journal
My Slashdot ads say "
If the security analysts that contacted the BBC are referring to this problem. There isn't much to look at. Being a .com with little money they needed a protocol to exchange files with and they chose some form of http.
If you are running morpheus or kazaa or whatever client of the fasttrack network you can try this: open up your browser and type "http://localhost:1214"
you will see an index of all the files you are currently sharing. Just for fun you can also try to download files. If you know of a friend who is running kazaa or morpheus, find his ip and place in the place of localhost. See if he has any good pr0n.
I seriously doubt this constitutes a breach of security it doesn't reveal any information that isn't available already.
that's it. move along.
-- Heisenberg could have been here...
My 26400 dial up speed and complete lack of important files or respect for my computer means that the morpeous bug isn't bothering me. I can't even download it in a respectable time. But my dial up connection and craptacular machine does bother me. Oh, I hate my life .
So point to one law or case that says that sharing MP3 is illegal. To date there is NOT ONE DECISION or LAW that says that it is. Sharing copyrighted files may immoral, but not Illegal.
MP3 is a file format, it can be used for good or evil, just like everything else in the world. You need water for life, but I can turn it into a delicious water torture if I so desire. Does that make water illegal?
Anyone that accesses any network (including dial-up) with an entire hard-drive shared is asking for trouble.
...goatse.cx! The gaping anus is so scary that not even a lowly virus will go through it.
- The BOFH Troll
World forum scientists: Grim future
'Climate change will become a security issue'
NEW YORK (Reuters) -- Scientists at this week's World Economic Forum have predicted a grim future replete with unprecedented biological threats, global warming and the possible takeover of humans by robots.
"Extreme pessimism seems to me to be the only rational stance," said Sir Martin Rees, Britain's Astronomer Royal, at a session devoted to the future threats and opportunities presented by scientific advances.
He was especially concerned about the development of new biological weapons that could easily fall into the hands of dissonant groups or individuals and cause widespread devastation.
Even if governments tried to regulate and limit the spread of dangerous technologies, Rees said such efforts would probably be little better than current attempts to control the international drugs trade.
A foretaste of what might lie ahead was provided by the anthrax panic that gripped the United States last year after several letters carrying the deadly germ agent were sent to political leaders and media figures through the mail. The perpetrator has not been found.
The forum, which brings together politicians, business leaders, academics and intellectuals, has presented a number of sessions devoted to science. However, few politicians have attended them, preferring to devote themselves to discussions of foreign policy.
At a session on climate change on Thursday, Robert Watson who chairs an international panel on the issue said the earth's climate would warm by at least 1.4 degrees centigrade in the next century even if urgent action was taken right now to stem emissions of carbon dioxide. If insufficient action was taken, warming could be as great as 5.8 degrees.
He predicted more droughts in some areas and floods in others, more intense cyclones and massive social and economic disruption especially in poor countries.
Climate change a security issue?
Peter Wadhams of Cambridge University in England said that while rich nations could and would protect themselves against flooding by building sea defenses, a nation like Bangladesh could expect ever more frequent and severe flood disasters.
Howard Ris, President of the Union of Concerned Scientists, said climate change could well lead to future conflict as nations found themselves confronted with unmanageable new challenges.
"Climate change will become a security issue," he said. "Hundreds of millions of people will find themselves fighting new threats to survival."
Another threat posed by science revolves around the development of artificial intelligence which could eventually blur the distinction between humans and robots.
Rodney Brooks of the Massachusetts Institute of Technology said: "It is not too far-fetched to see a situation where we put implants into our brains before too long."
Brooks said humans would become more like robots as they implanted more and more technology into their bodies, while robots would be based on biological material and become semi-human in their own right.
Robots were already taking a greater role in warfare and might soon be capable of making their own battlefield decisions without human control, he said.
- The BOFH Troll
And I wondered why my antivirus program said a few weeks ago that Morpheus.exe was a suspicious file...
It WAS on the 'freakin paranoid' setting..
- This isn't the sig you're looking for. Move along, move along..
I'm a little curious tho. Supposedly the fasttrack network is encrypted, so does this mean that the IP address is able to be reached? I have never seen any papers on what encryption the network uses, but I just wanna be sure that the IP's are obfuscated.
13 year old white supremacists are shitty web designers.
Because a lot of people play video games and download music from their DOMAIN CONTROLLER. I don't think so. If someone is doing this, they probably haven't applied a patch in years and I can into their machine using any documented security hole.
"Da ist ein Technölüst in mein Unterpanten!"
It's called "being an friggin idiot and setting the server root to /". However, just like Morpheus and Kazaa, it only takes place under special conditions, notably when "Directory Browsing" is turned on in Apache, called "Virtual Directory Browsing" in IIS.
This bug, previously encountered before, is casually referred to as the "idiot-moron exploit." Tell me you've never seen .doc files shared on WinMX, et al before. Of course for Apache, IIS, etc, your file permissions have to be set correctly... However, Kazaa runs as the current user, so it only has access to whatever the current user does.... SHARING EXPLICITLY WHAT IS IN THAT DIRECTORY! So, say, for example, I "accidentally" place naked_picture_of_my_cute_girlfriend.jpeg in "My Shared Folder".... It's not a freakin' bug if someone has access to that!
Kazaa has always used HTTP as its protocol, and this "interface", should you call it, it probably what it uses to get that respective user's database of files. Duh. Click on them, and look at all their files in Kazaa, or use a web browser. Hardly a difference. Unless of course the docroot is C:\. But then again, is that an exploit??? This is ridiculous. Please Slashdot, check the validity of the articles before posting!! :)
Kazza used to have a web interface, you search via their webpage, and your browser downloads from the member whose file you select..this isnt a bug, its a feature..why dont you think BEFORE you speak..
E
Sure, all /. readers already knew that you can just http into port 1214 to see your shares while running morpheous. But 95% of the people using it probably don't know this. The RIAA probably set some BBC reports on the trail knowing that our press would catch on and create a large scare. After all the two biggest ways to scare the American public is to tell them that their health is in danger or that their privacy is gone.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
Fuck off, troll. Your mental processes must be on par with those of the average piece of cow dung. It pains me to think that, by the mere act of typing, I am crushing millions upon millions of amoebae and bacteria living on my keyboard with more intellectual capacity and evolutionary potential than you.
The Win XP bug allowed anyone to totally control your machine remotely. This ISN'T EVEN A BUG -- it's exactly what the software purports to do: share a selection of your files, that you specify, with the world. The method used to do this is HTTP.
Want to see it yourself? Start Morpheus, open a browser, and enter the URL:
http://your-ip-addr:1214
You'll see the list of files you set up Morpheus to share. Bottom line: This thread is totally and completely bogus, there is no bug and no exploit.
The only security hole is the hole in the brain of the person who created the article :-)
Is it just me or have the quality of slashdot stories lately been pretty crappy? From fakes like this one, to double-posts, to the typical "Look at this new program that's been around for 5 years". Slashdot needs a system to administer the admins before they go too far.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I've known about this so-called exploit for months. I often use it to quickly check to see if a specific user has any files shared, and what files they are. Basically, its the same as a Bearshare or Limeware HTTP server listing shared files and providing links to donwload.
This comes from the fact that the FastTrack protocol transfers and requests files via the HTTP protocol, thus any HTTP speaking application (such as a web browser) should be able to do the same as a Morpheus client, which is really only a fancy web browser.
In fact, the OpenFTP has a program which does in fact scan IP address ranges from the 1214 port number, indexes the files, and then provides these for searching on the OpenFT network. They even have a memory-dump function which dumps the entire memory block of the Linux KazAa client kza (no longer available), and searches for IP addresses to index.
I would question the so-called 'group' the BBC contacted. It's either an ultra-liberal doomsday security group like that of Steve Gibson or is a very good (?) attempt by the RIAA to scare people off the FT network, which now has peaked at over 700,000 connected nodes.
But as for a security threat, there is no concern. The only files accessible on the internal web server are those which have been specifically selected to be shared, and a dynamic wwwroot is then generated based on selected directories (usually just My Shared Files).
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
Phew... Im glad I got the patch. I also upgraded my built in Windows XP firewall, that helps the evil hackers stay out of my emails. Plus I up graded my CPU from a 333 to a 900!!!! So that should keep me safe from all the evil hackers.
z ap atch.exe
Anyways heres that patch.
http://www.slashdot.com/Gullible-Fools/WinXPKaz
Also one more thing; did you know if you look the word 'Gullible' up in the dictionary it's not there?!
Does ANAL COX use Morpheus? Does he use it to distribute his ANAL COX to the world??? I don't want to catch AIDS~1.STD.VBS that way!!
"Save me jebus!" - Homer Simpson (btw, I'm probably talkin out of me arse)
...may not make a difference with this hack.
Since the "hack" apparently allows downloads via HTTP, my guess is that Morpheus's built-in queue for those downloading from you will no effect... thus if you find yourself trying to download a file but are stuck in someone's queue, this might be a way to get around that and begin the download immediately.
If you're behind a NAT firewall you're probably protected because a direct HTTP connection is required.
I haven't verified anything yet, but initial observation supports my theory... now back to testing.
*sigh*
If you are tired of bitching and want to do something about it then get invovlved.
Cheers...
$HOME is where the
-- silver_p
(n/t)
how about:
M y
O strich
R equires
P robing
H enceforth
E nsuring
U ranus'
S anctity
Makes more sense, methinks.
Does anyone here know how to use FELCHMALE? I can't get it to work, it doesn't like my POP server!! Maybe ANAL COX knows how? He wrote it, didn't he?
& #8353;ff ;ͭ 6;W 19;̣ 9;Ј ;f 6;Gaping hole in goatse.cx!
I agree..
1- its freeware
2- EVERYONE should know by now it has "spyware" installed
3- its a napster wannabe
4- its called morpheus (what a lame ripoff name is that)
i mean come on ppl.. just what do you expect? now if they released a the source code or something "community friendly" then well...
The More Knowledge you have the Luckier you Get- J.R. Ewing
Take off your tinfoil hat you bloody wanker (hey its the bbc) and think about this. The RIAA is running fake news stories about morpheus have security problems? Isn't that sort of um illegal? In fact its called slander.
Only the State obtains its revenue by coercion. - Murray Rothbard
That is one of the greatest first posts ever. It is a shame that it was not posted by a true Slashdot user.
Custer's Revenge: The greatest video
It doesn't even seem like a huge security risk at all, It just allows users to download files using a web browser as opposed to using the Morpheus/Kazaa interface. I seem to recall that Bearshare's documentation had a section listed in which it explained how to do this, that Bearshare had a "personal web server" options that allowed people to download from your computer, regargless of their client. Also, by the looks of it, Kazaa is mostly based on Internet Explorer. Not to mention the fact that's a really crappy interface.
The newer verions come as a self-exe zipfile, and inside is just the executable. It never installs anything. Now, granted, it does have ads all over the place, but when you delete the execuable, even if there WAS spyware (which nobody's ever proven), it would be erased.
Agreed that Morpheus is in the league of LimeWire/Sharebear (Gnutella), Morpheus is a spyware, Wintel musiccity.com POS!!!!!
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
Wrong-o, buster!
A worm is a kind of bug, unless I am mistaken.;)
IF this IS actually true... I use VMWare so Morpheus is running in a "contained" environment..:-D
And since morpheus is based off of FastTrack P2P.. then most likely KaZaa and Grokster have the same "supposed" exploit.
Morpheus does not have spyware installed.
..if you follow the belgium instructions - you bascially do the same as right-clicking on a user - but now directly through the http interface (which is used at the back).
What you see is the list of files/dirs which the user specifically asked to be shared to the world at large through the application.
So unless there is something not said in the pandora article - what is described is exactly what those P2P apps are designed to do. Share what is designated shared... it just shows you things little closer to the metal .
Dw
a worm that infects any user connected through the kazaa/morpheus/grokster network.
I also think musiccity might have a problem fixing this problem, because it's just licensed code from kazaa, and the original programmers are going to be a little hard to find.....
Time to look for a new music alternative:
http://www.filenavigator.com
http://www.limewire.com
http://www.bearshare.com
I agree. This thread is stupid and retarded. Now if it turned on your Guest account or enabled you to see the WHOLE drive and not just the shit YOU ALREADY DECIDED TO SHARE, this might be a fuckin news story.
... you have filenames present that contain high ASCII characters. I have personally observed this on many occasions, just by way of using the old Kazaa websearch to locate files on shared drives. Go to the host IP address to see what else was available from that host, and sometimes not only the MP3s offered, but also every single file on the HD was visible and readable.
The common factor observed in ALL cases was ANY file present with high ASCII in the filename. (I'd guess mostly or entirely on Win32 systems using an Oriental character set, judging by the MP3s present.)
Note: I do not have Kazaa installed myself, nor any of its kin. I was viewing these unexpectedly available files with plain old Netscape 3.
There were complaints about similar events on the Kazaa "report bugs" forum. (After reading that forum for a while, no way in hell would I install the Kazaa client -- since it also had a habit of randomly wiping out files on some systems.)
Anyway, it wouldn't surprise me at all if Morpheus has a similar bug.
~REZ~ #43301. Who'd fake being me anyway?
I realize this is the same thing that everyone else is saying, but it's just HTTP (a protocal ...) on a different port. Woop-dee-doo. Have any of you watched Morpheus traffic on a firewall, though? It's rather amusing how close they got to being completely oblivious to a casual sys admin like myself. The client appears to change mp3 file names to .jpg, and send them as http requests on a different port. If they had put it on port 80 I probably wouldn't have caught it 'back in the day'.
... but I've been known to pull that much webdata from a website before. And if you really want to get hardcore (for the hardcore content checking firewalls) you could change the header information in the files so that they appeared as jpgs, or html files. Super shneeky.
If you really want to make a 'hidden service', you'd make the client break the files up into smaller packages (much like warez RARs), name them random files from the Internet Cache folder, send them on port 80, include a file that tells the receiving end how to put them back together, and you'd be set. It would just look like someone was browsing the Internet. It would be four megabytes worth of webdata
~LoudMusic
No sig for you. YOU GET NO SIG!
Wow it looks like those crackers cited by BBC are really top notch! They've certainly got people-management skillz like Mitnik, if my reading of the BBC article has anything to say..
It should be obvious to anybody reading this thing that the "random list of shared personal filez" and such is a big user booboo. Obviously some people are st00p1d enough to leave personal details n docs in a shared folder..
How much did the RIAA pay to get this posted?
I once encountered a pc on a net. neighborhood that had its entire harddrive shared. I looked around, but there wasn't anything interesting.
Most people have boring computers.
I saw this coming. I'll still just poke
around the internet, looking for requested or
new mp3z
Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have!
- CmdrTaco Now I finally understand. Taco has never seen Morpheus? How can you run a site like this seemingly be disconnected from the main issues and problems that the bulk of the readers deal with on a daily basis? Maybe he's never seen it because he doesn't run Windows and there isn't a Linux version. Fine, Linux is a great operating system, oh yes. But the fact that so many people use Windows to do their work, play and whatever else everyday, and somehow manage to survive and even *gasp* be productive most of the time.
This is an important issue.
I read this site everyday, I don't know where I'd go or what I'd do if I didn't have my slashdot. But there has to be a little bit of understanding reached between the editiors of this site and their readers that not all nerds are anti-Microsoft OS users, because there is just the simple fact that they need to use the programs that most other people are using, they need to be able to access every website on the Internet, and they like to play games that just are plain not put out on Linux. (and not have the time Mac either)
So let's have a summary. Yes Rob, people use Morpheus. In fact, a lot of people. This story has significance. Please try to be more connected to the community that you are serving on a daily basis, and don't be surprised when you get a "bunch of sumissions" about issues that will effect a large number of us.
Contrary to popular belief, I don't actually make my website for other people to look at.
A worm???
Like Code Red? Or NIMDA?
This sounds like some crack addled reporters posing as computer hackers.
Scenario 1: There is a hole and it will be confirmed through trustworthy channels. It is a buffer overflow or http path traversal problem. The reporters or editors got confused when the brainiacs described it to them and attempted to describe it in terms everyone understands, hence a coding mistake from FastTrak or Morpheus being described as a 'worm'.
Scenario 2: There is a worm exploiting Morpheus. Fat chance the first we hear of this is from BBC.
Scenario 3: They discovered that Morpheus uses http over port 1214 as a transport layer and were amazed to find out that some people have shared their entire hard drive. Wanna find everyone that has their entire hard drive shared? Just search for some windows component that shouldn't be shared. Try it, you'll be amazed. Others have covered this in greater detail, including variations that make even more sense.
Scenario 4: Conspiracy. Also more details in other posts.
Bleh!
"The bug was called wu-ftpd, and it was packaged with all of your favorite distributions of linux, or unix for that matter."
Except for Slackware. Another good move, Pat!
XML is like violence. If it doesn't solve the problem, use more.
so then this can act as a free/beer webserver for windows users..just share html files.
:1214 to the address, but it still works.
a little inconvenient to add
i wonder if this is a breach of contract for comcast subscribers...
Yes, there is a vulnerability in Morpheus. I am not going to give it away until it is patched, but I will say a few things. Yes it does involve port 1214. Yes you can access files that are not shared. No it is not easy to do. You need to know what file you want to download (however you can't get a directory listing outside of the share). There is a little bit of brute force needed to access the file. Would I worry about it? No.
I wish to register my disappointment with the BBC for running unsubstantiated claims about a vaguely defined security risk associated with using the file-sharing application Morpheus. Does the BBC make a habit of publicising the claims of "security experts" who take it upon themselves to contact you without actually investigating whether those claims have any merit, particularly when those "security experts" refuse to be identified? I would like to believe that is not the case, but this article indicates you have lowered your journalistic standards in pursuit of sensationalism.
A responsible piece of reportage would have pointed out that numerous such claims have been made in the past and all have proven unfounded. It would have specified whether, indeed, the entire contents of a user's hard drive was at risk for exposure, or whether (as in past incidences of these type of claims) all that is being "exposed" are the files the user has already designated as shared. Some people seem to think that it constitutes a "security risk" if they are able to find an alternate means of accessing the files a user is sharing. This is merely being clever. Your article gives your readers no way of making an informed decision about whether this is another such false alarm, because it is woefully short on information. It should have, at the very least, provided some reasonable explanation of how you estimated of the number of Morpheus users who are at risk of this "exposure." At one point, your article claims "up to two million" people are exposed. Morpheus has been downloaded by tens of millions of people. Your opening paragraph ("...allows anyone to gain private information about its millions of users.") suggest all Morpheus users are exposed. Which is it? You quote an unnamed "security expert" claiming this problem could "potentially" make every users' computer vulnerable to exposure. Then where did the estimate of two million users come from?
Beyond the confusing and irresponsible allegations you blithely repeat, you get the major details of what is widely known to be factual incorrect, which calls into question the validity of the entire article. "Morpheus is at present legal because there is no server storing the digital files." No, Morpheus is legal in the U.S.A. because the lawsuit challenging its legality has not yet been heard in the courts. The fact that there is no server storing the digital files is immaterial. Napster did not have a server storing the files, it had servers that indexed the files that users stored on their computers. Morpheus's servers have no such index, but they do have an index of users who are logged into the network. Whether the courts will see this as a key difference between the two services is an open question.
Furthermore, "music fans swapping MP3 files are put in direct contact with each other." Nonsense. They contact each other over the network, just like with Napster, just like with the Internet. How can I be said to be in "direct contact" with the BBC if this email to you will bounce half-way around the globe in bits and pieces until it reaches your email server? There is no difference between a Morpheus user's contact with another Morpheus user and my contact with the BBC.
Lastly, RIAA is "reportedly looking at ways it can tackle these new methods of file-sharing." Yes, it's called a lawsuit, a fact that your article makes no mention of. If you were trying to allude to other ways RIAA "reportedly" might be tackling peer-to-peer networks, why not specify them? Frankly, this leads me to wonder if the unsubstantiated allegations made in your article is, in fact, one of the ways RIAA might be attempting to tackle Morpheus. I'm disappointed in the BBC for seeming to participate in their efforts in such an irresponsible manner.
Yours,
Michael Moore
New York, NY USA
mcubed@mindspring.com
--------
"No live organism can continue for long to exist sanely under conditions of absolute reality;..."
man and goat
enough said.
look somewhere else for a sig... *** ** *
Big whoop, with Direct Connect any user can not only download, but can also RUN any file on any users hard drive.
It is a huge security hole. (Direct Connect has next to no authentication of, uh, anything)
Only think is that only one user has the utility that is able to do this and he is not giving it out to anybody else.
Suffice to say though everybody is scared shitless of him. When he walks into a HUB everybody else zips up and doesn't say a word.
Need help treating your acne? Come here!
try typing netstat after a few hours of morpheus use.. i listed over 100 connections and lets say i got a tad worried till I realised what the port was.
There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)
If you're on the Internet, even if you have a strong firewall and only use software that doesn't feature spyware, you should always consider your hard drive world readable.
This is the Internet and there's no way of ever being 100% secure.
Of course everyone has a certain level of security for his files now with well-developed Internet security software, but a fact is, that you shouldn't keep files on your disk that shouldn't be seen by others... or you should at least encrypt them (would render the Morpheus hole useless, too).
Two Worlds - One Sun [Spirit]
For more info on exactly what is going on, see these following links:
http://www.securityfocus.org/archive/1/211663
scott
Search for pwl in morpheus.
It's... interesting
No security through obscurity: my password is goatse. Stop me before I troll again.
Does this include sending reports of security holes to high-profile news sites?
not_cub
q='echo "q=$s$q$s;s=$b$s;b=$b$b;$q"';s=\';b=\\;echo "q=$s$q$s;s=$b$s;b=$b$b;$q"
Given the fact that itäs open source, once it's working fine how hard do you think it will be to make it work under Windows or any other OS?..
;-)
$HOME is where the
-- silver_p
This security 'hole' has been exploited since the middle of last year by the Free Software giFT project.
Although the project's primary goal is to provide a Free alternative to the FastTrack network, giFT includes a tool that scans arbitrary IP address ranges on port 1214 and indexes the results, offering the discovered files through either an http or Gtk+ interface. It's a waste of bandwidth, but some would argue that it gets the work done.
I hope people support giFT in creating a secure, Free Sofware alternative to FastTrack. All these stories of spyware and root holes (even if unsubstantiated) are quite disturbing.
This is all we need now, a little bit of a scare and suddenly everybody stops sharing with other users. It's already become a bigger problem on the FT network, more and more people aren't sharing.
;)
The whole system starts breaking down when you stop sharing people!
It's not much to ask, if you take, be willing to give back. Fine, maybe you have a half-duplex modem that slows to nothing if you do both, at least share during the night or while you're at work. Otherwise, at least one upload spot doesn't hurt anything.
Hmm... that came out a bit more idealistic than I'd hoped. Well, I'm just irate because no one shares their god-damned Reboot episode 314
I am BelDion's
Go to morpheus (or kazaa), go to search, type in boot.ini right click one of the files that shows up, choose more from the same user. See hardrive content appear.
Go to morpheus (or kazaa), go to search, type in boot.ini right click one of the files that shows up, choose more from the same user. See hardrive content appear...
http://pc_with_gnutella:6346 and you get the a page back with links to all the *shared* files.
how is this a exploit in any way?
you can only see shared files. you can do exactly the same thing in morpheus. go to actions, find more from the same, and then select user and you get the same list. its also easier to do this in morpheus rather than go to the trouble of bringing up command prompt and netstat.
if this is an exploit than so is being able to "view source" on a web page.
What's the least it could do, use up some extra bandwidth?
I've been doing this for months, it's an easy way to get/find the music you like, and it's a lot faster. No files on que, and you're less likely to get an incomplete download.
If people think this is a big issue, then they should get rid of their music sharing applications and next time be more knowledgeable about what they're getting into.
So, someone says the BBC says that someone claims that...what, that some Morpheus users have file sharing open to the Net?
Oh man, this means I can go download 1000 copies of GIRLS GONE WILD I am OUTTA here!
I totally agree. I believe what this extremely poorly written article is referring to is p2p users who don't know what they're doing and actually select to share out their entire drives. mIncredibly bad 'news' article from the BBC.
Ya Sure! You Betcha!, The_THOMAS
hey genius I suggest that you learn a bit more about your computer. In case you are wondering, the BBC article should clear up any lingering trust you may have had in CmdrTaco's judgement. The 'hole' in Morpheus generates 'random lists of persons sharing personal files' and is obviously being erroneously trumpeted as a hole by MPAA and RIAA flacks.
I pity you, because the inference that a sysadmin would deliberately share his entire %system_root% is a sad reflection on your own security outlook.
Moderate me for flamebait but you need your bottom smacked for posting without doing ANY research WHATSOEVER.
Yeah - and how exactly are you gonna communicate to anyone without knowing their IP? What does encryption have to do with it?
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
I've got Morpheus running on a machine with a web server - how do I make this work?
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
This will only work on people who were dumb enough to share the entire C:\ drive. Works with autoexec.bat too....
Omnia vestra castrorum habetur nobis.
Reading between the lines of the BBC article, it appears that the new exploit IS NOT the ability to connect to the port using a web browser. It's the generation of a random list of users, on who the port exploit can be used that they are talking about. Simply go the the search page, enter no information and click search, a random list of files and users is generated, that appears to be it! Wow! Yes some people may be stupid enough to share c:\ but then again, windows 95 (or was it 98?) by default bound windows file sharing to dialup connections! Even worse, if someone is stupid enough to, even on the secure windows XP, they can do they same thing, if they don't know what they are doing! much much worse than the "exploit" they are talking about here.
Morpheus is a great file sharing program, but when security issues as big as this one come up, it makes me think twice about what kind of information I put into the computer. As long as they fix this problem soon, I will continue to be a member of this great file sharing program.
It sems to me that the article and all of the post simply discuss the ability to view someone's shared files, with the difference that the BBC article alludes to getting a random list of users.
OH NO!!! People can view my shared files. AAAHHHH!!
On a more serious note, I found a bug in an earlier version of Morpheus (I don't know if it still exists in 1.3). What happened was I specified that my shared folder would be C:\windows\media and all sub folders. I specified that my downloads should go to F:\. I noticed that I had far more files shared then I expected. What I found was that by specifying F:\ as my download location, F:\ and all subfolders, and all files in the subfolders, were shared. Even though in the fodler picker, F:\etc... was specifically NOT shared. I reported this bug at the time, and haven't checked since to see of it still exists. I make a point of creating a new folder for downloads, and therefore, with nothing under it, there is nothing for it to share. Come to think of it though, I have noticed that stuff I've just downloaded is often shown as immediately being uploaded, so I guess it still shares the downloads folder.
Watch out for this.
There is not a security hole in Morpheus. Nothing like false advertising something.