You're right. I really should try this before posting. But here it is:
Do all Gnutella "clients" have a look at the IP of the "server" that pushes a requested file to it, or would they accept a push from anywhere? Obviously, you didn't understand what I meant. Something like this.
1. I am a piece of code in an evil Gnutella client. I see that host A searches for the file lots_of_porn.zip, and that host B answers the query.
2. Host A tries to connect to host B for a download, but, nah, B's refusing the connection. A tries to make B push the file. But A is not aware of the IP that B will push from. I see the push request floating by on the network.
3. I, the evil client, open a connection to the IP/port that A has opened for the push, and send something really evil there.
4. The user at host A gets really surprised when he sees the nude-pics of his grandma, and has a stroke.
Is this possible? Of course, one should never execute unknown code, and who knows that B's porn is better than my evil porn?
Just a thought.
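
An added example, not part of the original post: one way a downloading client could check an inbound push connection against the push requests it has outstanding, using the Gnutella 0.4 `GIV <file index>:<servent id>/<file name>` greeting. The `PendingPushes` class, the sample addresses and the servent ID are constructed for illustration, and comparing the peer address with the one from the query hit is an assumption about client policy; the servent ID and file index travel in the push request, so anyone relaying it can see them and they cannot authenticate the sender on their own.

```python
import re

# Greeting sent by the pushing servent after it connects (Gnutella 0.4):
#   GIV <file index>:<servent id as 32 hex chars>/<file name>\n\n
GIV_RE = re.compile(r"^GIV (\d+):([0-9A-Fa-f]{32})/(.+)\n\n$")


class PendingPushes:
    """Hypothetical receiver-side table of push requests host A has sent."""

    def __init__(self):
        # (servent_id, file_index) -> (IP from the query hit, file name)
        self._pending = {}

    def expect(self, servent_id, file_index, hit_ip, file_name):
        self._pending[(servent_id.lower(), file_index)] = (hit_ip, file_name)

    def check(self, peer_ip, giv_line):
        """Return (accepted, reason) for an inbound connection."""
        m = GIV_RE.match(giv_line)
        if not m:
            return False, "malformed GIV"
        key = (m.group(2).lower(), int(m.group(1)))
        entry = self._pending.get(key)
        if entry is None:
            return False, "no matching push request"
        hit_ip, file_name = entry
        if m.group(3) != file_name:
            return False, "file name mismatch"
        # Assumed policy: the pusher must connect from the query-hit address.
        if peer_ip != hit_ip:
            return False, "peer IP differs from query hit"
        del self._pending[key]  # each push request is honoured once
        return True, "ok"


def demo():
    """Constructed scenario: B answered from 192.0.2.10, a third host connects first."""
    sid = "a1" * 16  # constructed servent ID
    giv = "GIV 3:%s/file.zip\n\n" % sid
    table = PendingPushes()
    table.expect(sid, 3, "192.0.2.10", "file.zip")
    return [
        table.check("203.0.113.5", giv),  # third party replaying the GIV
        table.check("192.0.2.10", giv),   # host B
        table.check("192.0.2.10", giv),   # replay after the push was consumed
    ]
```

A host that pushes from a different address than the one in its query hit would be rejected by this policy, so the address check narrows who can answer a push rather than proving the content came from B.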