Security Hole in Morpheus
Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus users' hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man, this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)
This might mean that people could get to my private, copyrighted mp3s against my will.
Slashdot 's editors are dickheads
It just seems to mention Morpheus.. what about FastTrack and Kazaa, which use the same technology?
all the more reason to use giFT's open network
http://gift.sourceforge.net/
The war with islam is a war on the beast
The war on terror is a war for peace
You mean not much of a fuss, aside from the 555 posts attached to Wu-ftpd Remote Root Hole, right?
From the article:
Security experts have been investigating this problem since coming across it on Friday.
"We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.
It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."
Uh huh... rather short on details, aren't they?
Anyone else getting the feeling that this "story" is in fact disinformation that probably originates with RIAA?
You're using her as bait, Master!
Perhaps the greater risk is that most file sharing is illegal. I'm not trying to be a jackass here, but that is the reality and probably a bigger threat. Unless you have some seriously good stuff on your hard drive, your songs and videos are less important and less valuable than your freedom if you get busted with illegal MP3's or movies. Plenty of people do it, but that doesn't make it legal.
Since the exploit needs the person to be downloading a file to get in, you can protect yourself by turning off downloads. Do this by going into Tools->options->Traffic and click on Disable sharing of files. This will protect you.
What a lack of details in this story! It could have been - but I don't suggest it has been - penned by the RIAA.
The quote, "It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous," contributed by some anonymous figure is a buzzword-injected contradiction. A worm is the opposite of an accident. It seems unlikely that would be the sort of comment from an informed source.
This story may turn out to be true, but they could not be any lighter on 1) details 2) qualified sources.
nonsig. unsig. desig.
M ultimedia code
O rganized
R ather
P oorly,
H enceforth,
E veryone can
U se your
S hit
If you celebrate Xmas, befriend me (538
Whoever these "hackers" are, they didn't fully research this before they decided to stroke their own egos and create a scare. I just tested this remotely (yes, on some stranger) and on my own local machine. My findings? You have access to EVERYTHING IN THE FOLDER THEY HAVE SPECIFICALLY SHARED OUT! Yes, you can download through your web browser what you could have downloaded already through Morpheus/Kazaa. Not a worthy exploit in my book, calm down everyone.
I want to see this independently verified. A short article from one news source that is no more than a bunch of one-sentence paragraphs, most of which explain what Morpheus is and some other info about Napster, is not proof.
FWIW, I use Morpheus quite a bit (always using FairTunes if I keep the song), and I haven't had any problems with it, not spyware, not this, not anything; and I will continue to use it until I see confirmation from at least one other source.
On the other hand, who knows? Maybe the "Concerned Party" just happens to be paid by one of the **AA's? Think about it. They tell a news org about this "hole" they've discovered, saying, "It's dangerous! Don't use it!", with no proof that would convince even your slightly above average user. Now, us geek types might not flinch, but a whole lot of others out there might. Oh well, just my 2c US.
That page doesn't describe the hack -- You can only access files the user has chosen to make available with it.
rOD.
Rod Begbie done this, and he's not
This story seems a little short on details, and in Kazaa - which runs on the same proprietary engine and, I assume, would be vulnerable to the same worms as Morpheus (of course, closed source => I don't know) - you can just check the box next to your hard drive and share all of its contents. Are they certain that the people they've found didn't do that? That said, maybe Kazaa can't get the worm, if there is one, but when I turn sharing off, my friend can't get any files from my computer (just checked now, he's on the phone) at all; if you're worried, have a friend query your username and see what they can get.
My inner paranoid, who left the fetal position to read the RIAA thread, thinks this is a music industry plot. I want to say that that is totally preposterous, but after they asked for legislation to make it legal for them to hack our hard drives, I can't totally dispel the suspicion.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
First there was Back Orifice. It got a lot of press, so a lot of people downloaded it to see what it was all about. Stupidly, a lot of them ran the self-installing server, which made no mention of the fact that it was installing itself to run at bootup. So, thousands (if not more) of people ended up exposing their machines without even knowing it.
Then there's Windows. People sharing their drives (God knows why you'd share a drive unless you have more than one computer in your house, but who knows), and those people were exposed by Sharesniffer (which seems to have disappeared, otherwise I'd provide a link. Its IP address now resolves to 10.10.10.10).
Okay, so now there's a flaw in Morpheus that isn't published, and you'd probably have to be a programmer to expose it anyway. Big deal.
Just my personal opinion, but this isn't too newsworthy.
just HTTP to the person's port 1214 and morpheus (or Kazaa or whatever FastTrack client i suppose) gives you a list of shared files.
THERE IS NO DANGER FROM THIS "EXPLOIT"
i think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index. you could also add port 139 to scan WFW shares while you are at it. you could create your own FastTrack "supernode" with this method, if you were really inclined.
when i read the story header i thought that it meant that any file on my hard drive was accessible via some nimda/codeRed type exploit. this is not the case.
VERDICT: story not worth posting.
Muerte
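The scanner Muerte sketches above (walk a netblock on port 1214, GET the listing, index the filenames) is simple enough to show end to end. The following is an added example written for this page; it is not code from any poster, from giFT, or from the FastTrack clients. It assumes only what the thread states, that the client answers a plain HTTP GET on 1214 with a page of links to the shared files. The two sample listing pages, the TEST-NET addresses and the "drive root marker" filenames used to flag whole-drive shares (the trick suggested further down the thread: look for a Windows file that should never be in a shared folder) are all constructed for the demo.

```python
"""Added example: index the HTTP listings FastTrack clients serve on TCP/1214 and
flag hosts that look like they shared a whole drive. Not Morpheus/Kazaa/giFT code."""
import socket
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import unquote, urljoin

FASTTRACK_PORT = 1214

# Illustrative markers (assumption for this example): files that live in a Windows
# drive root and have no business appearing in a "My Shared Folder" listing.
WHOLE_DRIVE_MARKERS = {"boot.ini", "autoexec.bat", "ntldr", "pagefile.sys", "io.sys"}


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag on the listing page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def fetch_root(host: str, port: int = FASTTRACK_PORT, timeout: float = 3.0) -> Optional[str]:
    """Raw HTTP/1.0 GET / to host:port; returns the response body, or None if unreachable."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    _headers, _sep, body = b"".join(chunks).partition(b"\r\n\r\n")
    return body.decode("utf-8", errors="replace")


def parse_listing(html: str, base_url: str) -> List[str]:
    """Absolute, percent-decoded URLs of every link on a listing page."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [unquote(urljoin(base_url, href)) for href in extractor.hrefs]


def _filenames(host: str, html: str) -> Dict[str, str]:
    """{lower-cased filename: url} for one host's listing."""
    out: Dict[str, str] = {}
    for url in parse_listing(html, f"http://{host}:{FASTTRACK_PORT}/"):
        name = url.rstrip("/").rsplit("/", 1)[-1]
        if name:
            out[name.lower()] = url
    return out


def build_index(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """pages = {host: listing html}. Returns {filename: [urls offering it]}."""
    index: Dict[str, List[str]] = {}
    for host, html in pages.items():
        for name, url in _filenames(host, html).items():
            index.setdefault(name, []).append(url)
    return index


def whole_drive_hosts(pages: Dict[str, str]) -> List[str]:
    """Hosts whose listing contains a drive-root marker, i.e. probably shared C:\\ itself."""
    return [host for host, html in pages.items()
            if set(_filenames(host, html)) & WHOLE_DRIVE_MARKERS]


def scan(hosts: List[str]) -> Dict[str, str]:
    """Fetch the listing from every host that answers on 1214 (network; not used in the demo)."""
    return {h: body for h in hosts if (body := fetch_root(h)) is not None}


# Constructed sample pages standing in for two live hosts (TEST-NET addresses).
SAMPLE_PAGES = {
    "192.0.2.10": '<html><body><a href="My%20Shared%20Folder/song.mp3">song.mp3</a>'
                  '<a href="My%20Shared%20Folder/clip.avi">clip.avi</a></body></html>',
    "192.0.2.20": '<html><body><a href="boot.ini">boot.ini</a>'
                  '<a href="My%20Documents/resume.doc">resume.doc</a></body></html>',
}

if __name__ == "__main__":
    print(build_index(SAMPLE_PAGES))
    print("probably sharing a whole drive:", whole_drive_hosts(SAMPLE_PAGES))
```

Against live hosts you would replace `SAMPLE_PAGES` with `scan(["192.0.2.10", ...])`; the indexing and flagging logic is the same. Note that this does exactly what the posts above say and no more: it can only list what the peer's client is already serving, and a host behind NAT or a firewall that does not pass 1214 simply times out.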
"We're not sure what it is that makes some Morpheus members vulnerable to this" Could it be that those users were just stupid enough to tell morpheus to share their entire c: drive? It wouldn't surprise me...
Here are the details on what exactly the vulnerability is
Basically, the assertion that one could gain access to the whole hard drive is false. Looks like a FUD attack on file sharing to me.
I tried that against a machine running Morpheus, and the only files that were listed were files in directories that I had told Morpheus to share. IOW, the only files made available via HTTP are the same files made available via FastTrack's protocol. Would someone like to explain to me how this constitutes a security hole? IIRC, this feature of Morpheus is documented (don't recall if it can be switched off).
FWIW, the machine running Morpheus is behind a firewall...HTTP access to it gets blocked anyway. (The little bit of testing I did was from another machine on the LAN.)
20 January 2017: the End of an Error.
it's the same identical client, just the name is changed. even the tempfiles are created as kaz**
I guess Agent Smith's job just got a lot easier.
It's called "being a friggin' idiot and setting the server root to /". However, just like Morpheus and Kazaa, it only takes place under special conditions, notably when "Directory Browsing" is turned on in Apache, called "Virtual Directory Browsing" in IIS.
This bug, previously encountered before, is casually referred to as the "idiot-moron exploit." Tell me you've never seen .doc files shared on WinMX, et al before. Of course for Apache, IIS, etc, your file permissions have to be set correctly... However, Kazaa runs as the current user, so it only has access to whatever the current user does.... SHARING EXPLICITLY WHAT IS IN THAT DIRECTORY! So, say, for example, I "accidentally" place naked_picture_of_my_cute_girlfriend.jpeg in "My Shared Folder".... It's not a freakin' bug if someone has access to that!
Kazaa has always used HTTP as its protocol, and this "interface", should you call it that, is probably what it uses to get that respective user's database of files. Duh. Click on them, and look at all their files in Kazaa, or use a web browser. Hardly a difference. Unless of course the docroot is C:\. But then again, is that an exploit??? This is ridiculous. Please Slashdot, check the validity of the articles before posting!! :)
I wish I hadn't.
My only political goal is to see to it that no political party achieves its goals.
The only security hole is the hole in the brain of the person who created the article :-)
Um, where have you been? The giFT project is now developing an OpenFT network which is similar to FastTrack, but fully open source. So soon they'll have their own network.
I've known about this so-called exploit for months. I often use it to quickly check to see if a specific user has any files shared, and what files they are. Basically, it's the same as a BearShare or LimeWire HTTP server listing shared files and providing links to download.
This comes from the fact that the FastTrack protocol transfers and requests files via the HTTP protocol, thus any HTTP speaking application (such as a web browser) should be able to do the same as a Morpheus client, which is really only a fancy web browser.
In fact, the OpenFTP has a program which does in fact scan IP address ranges on port 1214, indexes the files, and then provides these for searching on the OpenFT network. They even have a memory-dump function which dumps the entire memory block of the Linux Kazaa client kza (no longer available), and searches for IP addresses to index.
I would question the so-called 'group' the BBC contacted. It's either an ultra-liberal doomsday security group like that of Steve Gibson or is a very good (?) attempt by the RIAA to scare people off the FT network, which now has peaked at over 700,000 connected nodes.
But as for a security threat, there is no concern. The only files accessible on the internal web server are those which have been specifically selected to be shared, and a dynamic wwwroot is then generated based on selected directories (usually just My Shared Files).
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
Not trying to troll here, but man (or woman), if you don't like the quality then leave. That is the joy of living in a world where you can make decisions. If you do decide to stay, though, then don't complain about it, because that just seems counterproductive, now don't it?
man
No manual entry for
...may not make a difference with this hack.
Since the "hack" apparently allows downloads via HTTP, my guess is that Morpheus's built-in queue for those downloading from you will have no effect... thus if you find yourself trying to download a file but are stuck in someone's queue, this might be a way to get around that and begin the download immediately.
If you're behind a NAT firewall you're probably protected because a direct HTTP connection is required.
I haven't verified anything yet, but initial observation supports my theory... now back to testing.
*sigh*
If you are tired of bitching and want to do something about it then get invovlved.
Cheers...
$HOME is where the
-- silver_p
That is the lamest "exploit" I've ever seen. It's not even an exploit at all.
Here's a way to do something that you could do with the Kazaa/Morpheus clients software anyway
Is there any directory traversal technique that I can use to see files outside of the shared kazaa/morpheus folder?
... you have filenames present that contain high ASCII characters. I have personally observed this on many occasions, just by way of using the old Kazaa websearch to locate files on shared drives. Go to the host IP address to see what else was available from that host, and sometimes not only the MP3s offered, but also every single file on the HD was visible and readable.
The common factor observed in ALL cases was ANY file present with high ASCII in the filename. (I'd guess mostly or entirely on Win32 systems using an Oriental character set, judging by the MP3s present.)
Note: I do not have Kazaa installed myself, nor any of its kin. I was viewing these unexpectedly available files with plain old Netscape 3.
There were complaints about similar events on the Kazaa "report bugs" forum. (After reading that forum for a while, no way in hell would I install the Kazaa client -- since it also had a habit of randomly wiping out files on some systems.)
Anyway, it wouldn't surprise me at all if Morpheus has a similar bug.
~REZ~ #43301. Who'd fake being me anyway?
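The question a few posts up (is there a directory traversal that gets outside the shared folder?) and Rez's observation about hosts with high-ASCII filenames both come down to one thing: how the serving side maps a request path onto the shared directory. The following is an added example of the containment check such a server needs, written for this page; it is not Morpheus, Kazaa or giFT code and makes no claim about how those clients actually behave or fail. It also carries the "docroot set to /" sanity check from the Apache/IIS comparison above. Paths are POSIX-style and the share root is hypothetical.

```python
"""Added example: map an HTTP request path onto a file under a shared root so that no
request can resolve outside it. Hypothetical code for this page, not a real client's."""
import os
import unicodedata
from typing import Optional
from urllib.parse import unquote


def resolve_shared_path(shared_root: str, request_path: str) -> Optional[str]:
    """Return the canonical file path for request_path, or None if it would escape shared_root.

    Order matters: decode exactly once, normalise, join, canonicalise, then compare.
    """
    root = os.path.realpath(shared_root)
    # One percent-decode only. Decoding twice would turn %252e%252e into ".." *after*
    # the check, so a doubly-encoded name is kept as the literal "%2e%2e" it is.
    decoded = unquote(request_path)
    # Embedded NULs have no meaning in a filename; os.path.realpath would raise on them.
    if "\x00" in decoded:
        return None
    # Windows clients send backslashes; treat them as separators before any check.
    decoded = decoded.replace("\\", "/")
    # Canonical Unicode form so accented/CJK names (the "high ASCII" case) compare consistently.
    decoded = unicodedata.normalize("NFC", decoded)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath, not str.startswith: "/srv/share" must not accept "/srv/share-private/x".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def share_root_is_sane(shared_root: str) -> bool:
    """False when the configured root is the filesystem root - the docroot=C:\\ mistake.

    Containment then holds trivially but protects nothing, so refuse such a config up front.
    """
    root = os.path.realpath(shared_root)
    return os.path.dirname(root) != root


if __name__ == "__main__":
    ROOT = "/srv/share"  # hypothetical share root
    for req in ("/My%20Shared%20Folder/song.mp3", "/../../etc/passwd",
                "/..%5c..%5cboot.ini", "/m%C3%BAsica/canci%C3%B3n.mp3"):
        print(req, "->", resolve_shared_path(ROOT, req))
    print("root '/' is sane:", share_root_is_sane("/"))
```

The negative cases are the ones worth keeping in a regression suite: raw `..`, percent-encoded `%2e%2e`, backslash variants, and a NUL byte all return `None`, while a non-ASCII name that genuinely lives under the root resolves normally. Whether a given client gets this right is exactly what the posts above disagree about; the check itself is what to look for.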
I realize this is the same thing that everyone else is saying, but it's just HTTP (a protocol ...) on a different port. Woop-dee-doo. Have any of you watched Morpheus traffic on a firewall, though? It's rather amusing how close they got to being completely oblivious to a casual sys admin like myself. The client appears to change mp3 file names to .jpg, and send them as http requests on a different port. If they had put it on port 80 I probably wouldn't have caught it 'back in the day'.
... but I've been known to pull that much webdata from a website before. And if you really want to get hardcore (for the hardcore content checking firewalls) you could change the header information in the files so that they appeared as jpgs, or html files. Super shneeky.
If you really want to make a 'hidden service', you'd make the client break the files up into smaller packages (much like warez RARs), name them random files from the Internet Cache folder, send them on port 80, include a file that tells the receiving end how to put them back together, and you'd be set. It would just look like someone was browsing the Internet. It would be four megabytes worth of webdata
~LoudMusic
No sig for you. YOU GET NO SIG!
Wow, it looks like those crackers cited by BBC are really top notch! They've certainly got people-management skillz like Mitnick, if my reading of the BBC article has anything to say..
It should be obvious to anybody reading this thing that the "random list of shared personal filez" and such is a big user booboo. Obviously some people are st00p1d enough to leave personal details n docs in a shared folder..
How much did the RIAA pay to get this posted?
A worm???
Like Code Red? Or NIMDA?
This sounds like some crack addled reporters posing as computer hackers.
Scenario 1: There is a hole and it will be confirmed through trustworthy channels. It is a buffer overflow or http path traversal problem. The reporters or editors got confused when the brainiacs described it to them and attempted to describe it in terms everyone understands, hence a coding mistake from FastTrack or Morpheus being described as a 'worm'.
Scenario 2: There is a worm exploiting Morpheus. Fat chance the first we hear of this is from BBC.
Scenario 3: They discovered that Morpheus uses http over port 1214 as a transport layer and were amazed to find out that some people have shared their entire hard drive. Wanna find everyone that has their entire hard drive shared? Just search for some windows component that shouldn't be shared. Try it, you'll be amazed. Others have covered this in greater detail, including variations that make even more sense.
Scenario 4: Conspiracy. Also more details in other posts.
Bleh!
Big whoop, with Direct Connect any user can not only download, but can also RUN any file on any user's hard drive.
It is a huge security hole. (Direct Connect has next to no authentication of, uh, anything)
Only thing is that only one user has the utility that is able to do this and he is not giving it out to anybody else.
Suffice to say though everybody is scared shitless of him. When he walks into a HUB everybody else zips up and doesn't say a word.
Need help treating your acne? Come here!
For more info on exactly what is going on, see these following links:
http://www.securityfocus.org/archive/1/211663
scott
I assume you refer to me as a malicious troll. If you had taken just a moment out of your time to check my user info, you would have seen that I am not a troll. In fact I'm a long-time slashdotter who has long ago reached the karma cap.
Did you think my post was at +2 because it got moderated up? Once again, you could have easily found out that I post at +2 and got moderated down on this one several times.
In the future, try not to bash someone (or moderate them down as the case may be) just because you dislike or disagree with what they have to say.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Does this include sending reports of security holes to high-profile news sites?
not_cub
q='echo "q=$s$q$s;s=$b$s;b=$b$b;$q"';s=\';b=\\;echo "q=$s$q$s;s=$b$s;b=$b$b;$q"
This security 'hole' has been exploited since the middle of last year by the Free Software giFT project.
Although the project's primary goal is to provide a Free alternative to the FastTrack network, giFT includes a tool that scans arbitrary IP address ranges on port 1214 and indexes the results, offering the discovered files through either an http or Gtk+ interface. It's a waste of bandwidth, but some would argue that it gets the work done.
I hope people support giFT in creating a secure, Free Software alternative to FastTrack. All these stories of spyware and root holes (even if unsubstantiated) are quite disturbing.