Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Hole in Morpheus

Posted by CmdrTaco on from the your-hard-drive-is-an-open-book dept.

Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus user's hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)

8 of 264 comments (clear)

  1. Rats by Mdog · · Score: 5, Funny

    This might mean that people could get to my private, copywritten mp3s against my will.

    --
    Slashdot 's editors are dickheads
  2. Disinformation anyone? by Robber+Baron · · Score: 5, Troll

    From the article:
    Security experts have been investigating this problem since coming across it on Friday.

    "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

    It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."

    Uh huh...rather short on details, arent they?
    Anyone else getting the feeling that this "story" is in fact disinformation that probably originates with RIAA?

    --

    You're using her as bait, Master!

  3. M.O.R.P.H.E.U.S. by ekrout · · Score: 5, Funny

    M ultimedia code
    O rganized
    R ather
    P oorly,
    H enceforth,
    E veryone can
    U se your
    S hit

    --

    If you celebrate Xmas, befriend me (538
  4. ARTICLE IS FALSE by Calle+Ballz · · Score: 5, Interesting

    Whoever these "hackers" didn't fully research before they decided to stroke their own egos and create a scare. I just tested this remotely (yes, on some stranger) and on my own local machine. My findings? You have access to EVERYTHING IN THE FOLDER THEY HAVE SPECIFICALLY SHARED OUT! Yes, you can download through your web browser what you could have downloaded already through Morpheus/Kazaa. Not a worthy exploit in my book, calm down everyone.

    1. Re:ARTICLE IS FALSE by krokodil · · Score: 5, Funny

      I guess next time they will announce same bug
      in apache server.

  5. Not A Hack by Muerte23 · · Score: 5, Informative
    this is not a "hack" or even a "security exploit". it only lets people see what files you have already specifically already shared!

    just HTTP to the person's port 1214 and morpheus (or Kazaa or whatever FastTrack client i suppose) gives you a list of shared files.

    THERE IS NO DANGER FROM THIS "EXPLOIT"

    i think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index. you could also add port 139 to scan WFW shares while you are at it. you could create your own FastTrack "supernode" with this method, if you were really inclined.

    when i read the story header i thought that it meant that any file on my hard drive was accessible via some nimda/codeRed type exploit. this is not the case.

    VERDICT: story not worth posting.

    Muerte

  6. EXPLOIT? Don't think so... by hyrdra · · Score: 5, Informative

    I've known about this so-called exploit for months. I often use it to quickly check to see if a specific user has any files shared, and what files they are. Basically, its the same as a Bearshare or Limeware HTTP server listing shared files and providing links to donwload.

    This comes from the fact that the FastTrack protocol transfers and requests files via the HTTP protocol, thus any HTTP speaking application (such as a web browser) should be able to do the same as a Morpheus client, which is really only a fancy web browser.

    In fact, the OpenFTP has a program which does in fact scan IP address ranges from the 1214 port number, indexes the files, and then provides these for searching on the OpenFT network. They even have a memory-dump function which dumps the entire memory block of the Linux KazAa client kza (no longer available), and searches for IP addresses to index.

    I would question the so-called 'group' the BBC contacted. It's either an ultra-liberal doomsday security group like that of Steve Gibson or is a very good (?) attempt by the RIAA to scare people off the FT network, which now has peaked at over 700,000 connected nodes.

    But as for a security threat, there is no concern. The only files accessible on the internal web server are those which have been specifically selected to be shared, and a dynamic wwwroot is then generated based on selected directories (usually just My Shared Files).

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  7. Kazaa makes files world-readable if .... by Reziac · · Score: 5, Informative

    ... you have filenames present that contain high ASCII characters. I have personally observed this on many occasions, just by way of using the old Kazaa websearch to locate files on shared drives. Go to the host IP address to see what else was available from that host, and sometimes not only the MP3s offered, but also every single file on the HD was visible and readable.

    The common factor observed in ALL cases was ANY file present with high ASCII in the filename. (I'd guess mostly or entirely on Win32 systems using an Oriental character set, judging by the MP3s present.)

    Note: I do not have Kazaa installed myself, nor any of its kin. I was viewing these unexpectedly available files with plain old Netscape 3.

    There were complaints about similar events on the Kazaa "report bugs" forum. (After reading that forum for a while, no way in hell would I install the Kazaa client -- since it also had a habit of randomly wiping out files on some systems.)

    Anyway, it wouldn't surprise me at all if Morpheus has a similar bug.

    --
    ~REZ~ #43301. Who'd fake being me anyway?