
Security Hole in Morpheus

Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus user's hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)
  • Rats (Score:5, Funny)

    by Mdog ( 25508 ) on Saturday February 02, 2002 @11:28PM (#2944616) Homepage
    This might mean that people could get to my private, copywritten mp3s against my will.
    • ** Grammar Lesson **
      There's a huge difference between "copywritten" and "copyrighted." "Copy," in these words, means two different things.

      In "copywritten," it means text. For example, the text in a magazine advertisement can be called ad copy.

      However, in "copyrighted," the copy refers to duplication. A copyright is a right to copy.

      Someone who writes copy is called a copywriter. Therefore, copywritten would refer to text written by a copywriter, NOT copyrighted property.

      Sorry for the lesson, but I've been seeing it a lot and thought I should do something. :)
  • by damiam ( 409504 )
    This is why people should be supporting open-source file sharing systems such as giFT [sourceforge.net]. This could never happen if we could just see the source code and find/fix these bugs.
  • here is how to do it (Score:1, Informative)

    by DanThe1Man ( 46872 )
    for those script kiddies out there that want to exploit, here is how to do it.

    http://users.pandora.be/lechat/Morpheus%20Exploit.htm
    • by DanThe1Man ( 46872 ) on Saturday February 02, 2002 @11:39PM (#2944663)
      Since the exploit needs the person to be downloading a file to get in, you can protect yourself by turning off downloads. Do this by going into Tools->options->Traffic and click on Disable sharing of files. This will protect you.
      • I know this is pretty obvious, but if everyone turns off sharing of files, then nothing will be available to download.
      • hey buddy in case you didn't notice (and I know you didn't 'cuz I read your post) there IS no exploit - unless you consider allowing access to EXPLICITLY SHARED FILES with a FILE_SHARING app to be a security hole.
        The REAL protection is to unshare any folders that shouldn't be accessible to the public. Simple, sweet, and common sense. The only way that your private files will be shared in a default installation of Morpheus/FastTrack client is if they are saved to the (newly created) directory.
        Think about it. Read the BBC article. Then try to genuinely *HACK* Morpheus, and if you are successful in your mission I will eat my words with relish.
        Sorry for tone of post, but it needed to be said.
    • by rodbegbie ( 4449 ) on Saturday February 02, 2002 @11:42PM (#2944678) Homepage
      That page doesn't describe the hack -- You can only access files the user has chosen to make available with it.

      rOD.
    • uhh, completely different, and the article was written by a moron. The BBC article says any file on the hard drive.. this just lists the shared ones.. so in other words.. the thing you linked to isn't an exploit at all. Oh my GOD, it sets up a webserver?! A proprietary one so the viruses don't affect it (yet)?! And you can get a list of their shared files? holy shit, you can use the client for that! What does this 'exploit' do, anyway.. besides let you do whatever the program itself does, just not as easily?
    • Um, ok, so according to that web site, you can get a list of files that user is sharing already... big whoop de doo. How is this any different than picking a user out of the search results in Morpheus, right-clicking, and choosing "find more from same user"?

      What's next, will we see newspapers reporting that all email servers are vulnerable to "hacking" because they can be logged into via telnet?

      Just because you can interact with a service using a client other than the one intended, doesn't mean it's a hack...
    • for those script kiddies out there that want to exploit, here is how to do it.

      http://users.pandora.be/lechat/Morpheus%20Exploit.htm [pandora.be]

      I tried that against a machine running Morpheus, and the only files that were listed were files in directories that I had told Morpheus to share. IOW, the only files made available via HTTP are the same files made available via FastTrack's protocol. Would someone like to explain to me how this constitutes a security hole? IIRC, this feature of Morpheus is documented (don't recall if it can be switched off).

      FWIW, the machine running Morpheus is behind a firewall...HTTP access to it gets blocked anyway. (The little bit of testing I did was from another machine on the LAN.)

      • That is the lamest "exploit" I've ever seen. It's not even an exploit at all.

        Here's a way to do something that you could do with the Kazaa/Morpheus clients software anyway

        Is there any directory traversal technique that I can use to see files outside of the shared kazaa/morpheus folder?
  • fastrack (Score:2, Insightful)

    by minus_273 ( 174041 )
    it just seems to mention Morpheus.. what about FastTrack and Kazaa which use the same technology.
    all the more reason to use giFT's open network
    http://gift.sourceforge.net/
    • Re:fastrack (Score:2, Interesting)

      by NetGyver ( 201322 )
      Christ, get a grip. Go into Morpheus, search for a file, right click on the file you want, select "find more of the same=>user" and there you go, every file the user is sharing.

      it's the same damn thing as grabbing their ip with netstat -n in dos (with the port 1214) and plopping it into your browser. Big deal. So instead of using morpheus, you use your browser and a bit more work to look at the contents a user is sharing.

      The person on the other end sharing files, STILL RETAINS CONTROL OF WHAT HE OR SHE **WANTS** TO SHARE. True, some are idiots and share their entire hard drive, but that doesn't matter since you can't upload a damn thing using your browser.

      Your post clearly indicates your ignorance of the topic, as well as a shameless plug for some inferior open source p2p network.

      A penny for my thoughts? Here's my two cents. I got ripped off
  • Since most people that use Morpheus have their harddrives filled to capacity with MP3s and such, and they're already sharing all of that on Morpheus, who cares? :)

    Really though, this is pretty sad since the paranoid people who have been saying that P2P software makes you vulnerable are right in this instance.
  • As far as I can see, this article says nothing about accessing any file. It only mentions the ability to access the shared files list. Of course I haven't tried it, so I could be wrong.
    • BTW I was looking at the note on using the exploit that someone just posted. I should have replied to that one, not the article
      :-)
  • Uhh (Score:1, Informative)

    If this 'hack' is involving connecting to someone's ip via your web browser on port 1214, this is hardly a hack. It just shows the files listed in their already 'Shared Folder', no more no less.
    • This is simply an example of misinformed or intentionally inflammatory reporting. Indeed, no files are exposed other than those that are intentionally shared; the "scary news" is that these files can be accessed through a web browser as well as through Morpheus. Big deal.
      • Well, there's no real evidence that this hack is what the article is talking about. But then, there is no real evidence that the article is talking about anything.

        An unnamed group of "security experts" has contacted the BBC and told them that such-and-such was so. No one is named. No indication that this exploit was demonstrated to anyone. Just raw allegation.

        I thought the BBC Sci-Tech department was better than this.

  • You wouldn't be in this mess

  • Just missed submitting the story myself.

    This finding would appear to be a new development since The Register [theregister.co.uk]'s recent report [theregister.co.uk] suggesting Morpheus "is free of malicious code."

    Caution of another possible security hole in this software was mentioned [tech-report.com] by
    The Tech Report [tech-report.com] precisely 6 months ago today (give or take a time zone or two).

    Looks like this will keep us on our toes for a while.
  • upside is (Score:2, Redundant)

    by NeMon'ess ( 160583 )
    Now troubleshooting any computer with Morpheus over the phone just became much easier.

  • by Robber Baron ( 112304 ) on Saturday February 02, 2002 @11:38PM (#2944656) Homepage
    From the article:
    Security experts have been investigating this problem since coming across it on Friday.

    "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

    It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."


    Uh huh...rather short on details, aren't they?
    Anyone else getting the feeling that this "story" is in fact disinformation that probably originates with RIAA?
    • I agree. They say nearly nothing useful... and what's this about a "worm"? It's a bug/feature, not a worm.
    • Anyone else getting the feeling that this "story" is in fact disinformation that probably originates with RIAA?

      Okay, yeah, that was my first thought, as well. Given all of the flak that MS has gotten over security holes, it is the sort of thing that a dumbshit trying to commit PR sabotage would try and pull off. If you recall that the RIAA let it be known (I don't think the bill was actually submitted) that they want protection against damages they inflict while hacking our hard drives, we can conclude that the RIAA is unscrupulous enough to try something like this.

      Now, firstly, all of that is pretty circumstantial. Smoke and mirrors, hearsay.

      The reason I don't think it was the RIAA is that it wasn't slick enough. The RIAA may not be smart, but they are smooth. Glossy and convincingly packaged. This story reads like a communication between a reporter and his friend, a second rate hacker in a garage somewhere (Hey, I know both of these people!) Second rate hacker says "Hey, I think I've found a security hole in Morpheus! Probably a worm." Reporter says "Can I print that?" Hacker says "Uh.... don't put my name on it."

      Given the tenor of the article, the (frankly obscure) place it shows up, and the lack of exact quotes - an RIAA "agent" would have given smooth reading soundbites - I think that it's simply a screw up, with no malicious or deceptive intent. Never ascribe to malice what can be explained by stupidity.

      Now, I know, it is still possible that the RIAA was clever enough to figure this out, and figure the way to make it look convincing. It is also possible that this is some sort of RIAA test to see how much attention this thing attracts, before setting off real hoaxes. That, however, is paranoia.

      On the other hand, just because you're paranoid..... doesn't mean that this won't give the RIAA ideas.
  • This has been known for at least a month or so now. There is also a problem with kazaa along the same lines.
  • Greater Risk? (Score:3, Flamebait)

    by webword ( 82711 ) on Saturday February 02, 2002 @11:39PM (#2944662) Homepage
    Perhaps the greater risk is that most file sharing is illegal. I'm not trying to be a jackass here, but that is the reality and probably a bigger threat. Unless you have some seriously good stuff on your hard drive, your songs and videos are less important and less valuable than your freedom if you get busted with illegal MP3's or movies. Plenty of people do it, but that doesn't make it legal.
  • Taken from the Morpheus FAQ at www.musiccity.com/helpfaq.htm [musiccity.com]

    Q: Can I get viruses using Morpheus?

    A: As always when you are downloading or receiving files from the Internet, you must exercise caution. Certain file types may contain viruses or so-called Trojan horses. You should protect yourself by using regularly updated anti-virus software, for example Norton Antivirus (www.norton.com) or McAfee (www.mcafee.com ). Both Norton and McAfee offer free 30-day trial versions that you can download directly from their web sites. Not all file types can contain viruses or Trojans. Music, video, and picture files are generally safe - that includes files with the extensions .mp3, .vaw, .mpg, .avi, .mov, .bmp and .jpg. PDF documents (.pdf) and text files (.txt) are also in general safe. You should be cautious of executable files (.exe) and Microsoft Word and Excel documents (.doc and .xls). These files are specified with a icon in the search results on Morpheus.com. back to the top

    Update Feb. 2 2002: The above warning is the least of your worries.

  • Does this mean that I can get sued for supplying pr0n to s'kiddi3s??
  • What a lack of details in this story! It could have - but I don't suggest it has been - penned by the RIAA.

    The quote, "It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous," contributed by some anonymous figure is a buzzword-injected contradiction. A worm is the opposite of an accident. It seems unlikely that would be the sort of comment from an informed source.

    This story may turn out to be true, but they could not be any lighter 1) details 2) qualified sources.
  • by ekrout ( 139379 ) on Saturday February 02, 2002 @11:41PM (#2944672) Journal
    M ultimedia code
    O rganized
    R ather
    P oorly,
    H enceforth,
    E veryone can
    U se your
    S hit
  • It's a good thing I stopped using that. I used it for a few days but then it stated generating kazaa files. Of course we all know the bad things about kazaa, so I stopped using it. I still see winmx as the best file sharing program there is. www.winmx.com. Version 3 is going to be absolutely amazing, if it ever comes out.
    • Re:Good (Score:1, Informative)

      by Anonymous Coward
      I used it for a few days but then it stated (sic) generating kazaa files.

      Perhaps you're talking about the filenames for partial downloads? You do realize that morpheus and kazaa share a p2p system, don't you? Oh, wait; you don't the first fucking clue. Sorry I asked.

  • ARTICLE IS FALSE (Score:5, Interesting)

    by Calle Ballz ( 238584 ) on Saturday February 02, 2002 @11:42PM (#2944675) Homepage
    Whoever these "hackers" are, they didn't fully research before they decided to stroke their own egos and create a scare. I just tested this remotely (yes, on some stranger) and on my own local machine. My findings? You have access to EVERYTHING IN THE FOLDER THEY HAVE SPECIFICALLY SHARED OUT! Yes, you can download through your web browser what you could have downloaded already through Morpheus/Kazaa. Not a worthy exploit in my book, calm down everyone.
    • Quite right.

      In fact, this stuff has been known about for quite some time now. A quick search of Bugtraq came up with this message [securityfocus.com]. It basically says that Fasttrack based clients have a built-in http server. Big deal.

      This sounds more like a misconfiguration issue in the sense that people may be sharing entire harddrives. But until this is discussed and verified in some sort of forum like Bugtraq I wouldn't believe it.

    • Did you try every possible file path, including '..', embedded CRs, etc. etc.?

      Somehow I suspect you've missed something...
      • Yes. I did. Because at first it seemed too easy, and I figured there was a missing catch. Go ahead, load Morpheus on your box, and put in your browser http://127.0.0.1:1214

        Try every combination of things you could possibly do to traverse the shared folder. I didn't find a way, maybe I did miss something but I think a bunch of 12 year old wanna-be hackers thought they stumbled onto something when really they found a window in the front door.
    • Hmmm... yet another story posted along the same theme: I seem to remember several over the past few months like "Gee, I don't know what this Morpheus thing is, but here's a story about it".

      Doesn't help when the story isn't true. I mean this is just as good:

      "Some security experts have reported that this thing called 'a web server' can give users access to all your files if you set it up to"

      Yeesh.
    • Can you send them code? Can you name it metallica.mp3.com or .scr? if so.... :)
    • by krokodil ( 110356 ) on Sunday February 03, 2002 @01:31AM (#2945007) Homepage
      I guess next time they will announce same bug
      in apache server.
  • I want to see this independently verified. A short article from one news source that is no more than a bunch of one sentence paragraphs, most of which explain what Morpheus is and some other info about Napster, is not proof.

    FWIW, I use Morpheus quite a bit (always using FairTunes if I keep the song), and I haven't had any problems with it, not spyware, not this, not anything; and I will continue to use it until I see confirmation from at least one other source.

    On the other hand, who knows? Maybe the "Concerned Party" just happens to be paid by one of the **AA's? Think about it. They tell a news org about this "hole" they've discovered, saying, "It's dangerous! Don't use it!", with no proof that would convince even your slightly above average user. Now, us geek types might not flinch, but a whole lot of others out there might. Oh well, just my 2c US.
  • If you are the kind that thinks 'Oh shucks, no big deal', think again.

    If this is any kind of domain controller, remember that your SAM file can be downloaded, and if your system has microsoft network file sharing open or is running any part of the IIS suite, you're as good as hacked. It can be downloaded and brute hacked with L0pht crack.

    If you run any of the popular online games such as Quake 3 arena or Return to Castle Wolfenstein, your cd key is stored in plain text. All of a sudden you can't play because it is in use by '3l33t hax0r' 24x7. Other games such as Starcraft and HalfLife keep the key in the registry, which is also accessible. (see above)

    Any kind of online login is vulnerable. These h4x0rz can use your sign in to Amazon.com and "One Click" a library to their address with your credit card. Your online porn accounts, your SSH and PGP private key, the list goes on.

    And lets not forget those pictures of your wife you took with the new digital camera in your bedroom.

    Toodles, who thinks it's funny that people feel this is an insignificant security hole, and that the hole in XP was a threat to all mankind.
  • This story seems a little short on details, and in Kazaa - which runs on the same proprietary engine and, I assume, would be vulnerable to the same worms as Morpheus (of course, closed source => I don't know) - you can just check the box next to your hard drive and share all of its contents. Are they certain that the people they've found didn't do that? That said, maybe Kazaa can't get the worm, if there is one, but when I turn sharing off, my friend can't get any files from my computer (just checked now, he's on the phone) at all; if you're worried, have a friend query your username and see what they can get.

    My inner paranoid, who left the fetal position to read the RIAA thread, thinks this is a music industry plot. I want to say that that is totally preposterous, but after they asked for legislation to make it legal for them to hack our hard drives, I can't totally dispel the suspicion.
  • First there was Back Orifice. It got a lot of press, so a lot of people downloaded it to see what it was all about. Stupidly, a lot of them ran the self-installing server, which made no mention of the fact that it was installing itself to run at bootup. So, thousands (if not more) people ended up exposing their machines without even knowing it.

    Then there's Windows. People sharing their drives (God knows why you'd share a drive unless you have more than one computer in your house, but who knows), and those people were exposed by Sharesniffer (which seems to have disappeared, otherwise I'd provide a link. Its IP address now resolves to 10.10.10.10).

    Okay, so now there's a flaw in Morpheus that isn't published, and you'd probably have to be a programmer to expose it anyway. Big deal.

    Just my personal opinion, but this isn't too newsworthy.
  • NEWSFLASH: Software that uses the Internet is not secure!! Oh my god NO! This can't be happening!

    A total BGO - "Blinding Glimpse of the Obvious" I mean come on! The day any file sharing software is secure is not happening any time soon. POST DECENT ARTICLES ON SLASHDOT PLEASE.
  • This so-called hole only allows access to the folder of files the Morpheus user specifically designated for sharing.

    If they're not sharing their "My Documents" folder, hackers can't download the files contained in that folder.

    The same goes for a user's Quake 3 directory, Half-Life folder, SAM database, wifey porno pics, etc. If the folders containing these files are not shared through Morpheus, THIS HACK WILL NOT ALLOW ACCESS TO THESE FILES.

    Try it on your own machine and you'll see what I mean.

  • Not A Hack (Score:5, Informative)

    by Muerte23 ( 178626 ) on Saturday February 02, 2002 @11:52PM (#2944713) Journal
    this is not a "hack" or even a "security exploit". it only lets people see what files you have already specifically shared!

    just HTTP to the person's port 1214 and morpheus (or Kazaa or whatever FastTrack client i suppose) gives you a list of shared files.

    THERE IS NO DANGER FROM THIS "EXPLOIT"

    i think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index. you could also add port 139 to scan WFW shares while you are at it. you could create your own FastTrack "supernode" with this method, if you were really inclined.

    when i read the story header i thought that it meant that any file on my hard drive was accessible via some nimda/codeRed type exploit. this is not the case.

    VERDICT: story not worth posting.

    Muerte

    • Re:Not A Hack (Score:4, Redundant)

      by Anonymous Coward on Saturday February 02, 2002 @11:57PM (#2944730)
      "i think that someone creative should write a really short perl script to scan IP netblocks on port 1214, connect to HTTP and list the shared files, then create an index. "

      They did. It's called Morpheus. But it's not quite as crude.
      • Already done (Score:3, Informative)

        by AirLace ( 86148 )
        This security 'hole' has been exploited since the middle of last year by the Free Software giFT project [sourceforge.net].
        Although the project's primary goal is to provide a Free alternative to the FastTrack network, giFT includes a tool that scans arbitrary IP address ranges on port 1214 and indexes the results, offering the discovered files through either an http or Gtk+ interface. It's a waste of bandwidth, but some would argue that it gets the work done.
        I hope people support giFT in creating a secure, Free Software alternative to FastTrack. All these stories of spyware and root holes (even if unsubstantiated) are quite disturbing.
    • Re:Not A Hack (Score:3, Informative)

      by skt ( 248449 )
      I don't really understand why people keep saying this. The BBC article doesn't mention anything about the http server built into morpheus clients. It says:

      Using the Morpheus program, they found a way of getting a random list of people using the service. They could then obtain details of the content of a user's hard drive and make copies of any file. "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

      If you were referring to the 'exploit' someone posted earlier about pointing a web browser at a node, then that obviously isn't any kind of exploit. However, the issue they mention in the article sounds very different.. the article even mentions a worm.. They also say that not all users are affected, the issue you describe would affect everyone (assuming no firewall that blocks connections to 1214).

      • Re:Not A Hack (Score:4, Informative)

        by ncc74656 ( 45571 ) <scott@alfter.us> on Sunday February 03, 2002 @03:11AM (#2945188) Homepage Journal
        Using the Morpheus program, they found a way of getting a random list of people using the service.

        Search for something with Morpheus and it'll come back with a list of hosts that have it. If it communicates with those hosts directly, you can get their IPs with netstat -n.

        They could then obtain details of the content of a user's hard drive and make copies of any file.

        Morpheus has an option within the program that does this...you can select one of the search results and tell Morpheus to go looking for whatever else that user has shared. You can download any available file through the Morpheus interface or from the HTTP server that the remote Morpheus puts up on port 1214.

        "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous.

        How about "some dumbshit's stupid enough to tell Morpheus to share C:\ and everything underneath it"?

        The story is either a hoax or is FUD of some sort. You wouldn't think the Beeb would screw up this badly, but nobody's perfect.

      • A Worm??? (Score:3, Interesting)

        by crisco ( 4669 )
        "It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."

        A worm???

        Like Code Red? Or NIMDA?

        This sounds like some crack addled reporters posing as computer hackers.

        Scenario 1: There is a hole and it will be confirmed through trustworthy channels. It is a buffer overflow or http path traversal problem. The reporters or editors got confused when the brainiacs described it to them and attempted to describe it in terms everyone understands, hence a coding mistake from FastTrack or Morpheus being described as a 'worm'.

        Scenario 2: There is a worm exploiting Morpheus. Fat chance the first we hear of this is from BBC.

        Scenario 3: They discovered that Morpheus uses http over port 1214 as a transport layer and were amazed to find out that some people have shared their entire hard drive. Wanna find everyone that has their entire hard drive shared? Just search for some windows component that shouldn't be shared. Try it, you'll be amazed. Others have covered this in greater detail, including variations that make even more sense.

        Scenario 4: Conspiracy. Also more details in other posts.

        • Assuming a moron reporter, I could see a buffer overflow being described as "like the Code Red worm", and the reporter getting it that way. But then, the worm statement is given as a quote, and one assumes that reporters don't just make up quotes. But heck, maybe this one did. I can't see anyone with even an inkling of security knowledge making ANY of the statements in the article. Maybe some script kiddie's r00t kit happened to trigger the overflow?
    • Actually, according to this [tech-report.com], it sounds like the problem is that the http server doesn't obey the other rules you set, i.e. to share or not share certain file types, bandwidth limits, number of upload limits, etc.

      As far as being able to access any file on your hard drive, I haven't found anything about that. This also appears to be fairly old news.

      • Actually, according to this [tech-report.com], it sounds like the problem is that the http server doesn't obey the other rules you set, i.e. to share or not share certain file types, bandwidth limits, number of upload limits, etc.

        I would speculate that the people who posted that are idiots. The guy who had Zone Alarm Pro must have clicked OK when it asked if Morpheus could act as a server, and yet he is shocked that he is able to access it as a client, "penetrating" Zone Alarm Pro.

        Since HTTP is the normal method used by Morpheus for file transfers, it is doubtful that the restrictions Morpheus imposes on outgoing connections do not apply just because you use a different HTTP client. I have in fact tested myself and determined that it does not share files you don't choose to share, that it respects limits on both bandwidth and number of uploads, and that such transfers are listed under Uploads on the Morpheus server like any other outgoing transfer.

        In short, this is the normal method Morpheus uses for peer-to-peer connections, not an exploit.

  • "We're not sure what it is that makes some Morpheus members vulnerable to this" Could it be that those users were just stupid enough to tell morpheus to share their entire c: drive? It wouldn't surprise me...
  • I guess I should stop making fun of my brother for using Kazaa.

    Spyware > Insecure

    or

    Insecure > Spyware?!

  • I'm sorry but this is just totally unsurprising to me, and one of the reasons that I don't install P2P apps.
  • Remember this feature in Napster? "Show me all shared files for this user".
  • I'm thinking this wouldn't affect you if you have file sharing on morpheus off? A one way street is always safer than a two way...
  • From http://users.pandora.be/lechat/Morpheus%20Exploit.htm [pandora.be]:

    4. Exploit

    Here are the steps for exploiting this hole:

    1. Open M/K.
    2. Search for anything you'd like to download.
    3. Start downloading it.
    4. Open a MS-DOS prompt and type "netstat -n" without the quoting marks. (This should display all the active connections with IP numbers, not hostnames.) You should get something like 'xxx.xxx.xxx.xxx:1214' in the 'Foreign Address' column, where xxx.xxx.xxx.xxx is an IP address.
    5. Open your web browser and type in 'http://xxx.xxx.xxx.xxx:1214' and press enter.
    6. Voila! You got the list of the shared files from xxx.xxx.xxx.xxx. Now you can download any file you want; however, if the user is full (meaning that he's got no more slots left) you won't be able to download anything.


    Err... isn't the same as Right Mouse Button -> Find from the same -> User built into Morpheus?

    -Bill
    • Err... isn't the same as Right Mouse Button -> Find from the same -> User built into Morpheus?

      Yeah, but if you do it the slightly harder way, you're a 1337 hacker.

  • by Lendrick ( 314723 ) on Sunday February 03, 2002 @12:21AM (#2944809) Homepage Journal
    I guess Agent Smith's job just got a lot easier.
  • Wow...a file sharing client has an HTTP server on a non-standard port. I hope for the slashdot editors' sake that they don't perform in bed like they perform at their jobs. "No no don't go baby I'm sorry. Let's try again this time I'll hold it in."
  • If the security analysts that contacted the BBC are referring to this [pandora.be] problem, there isn't much to look at. Being a .com with little money they needed a protocol to exchange files with and they chose some form of http.

    If you are running morpheus or kazaa or whatever client of the fasttrack network you can try this: open up your browser and type "http://localhost:1214"

    you will see an index of all the files you are currently sharing. Just for fun you can also try to download files. If you know of a friend who is running kazaa or morpheus, find his ip and place in the place of localhost. See if he has any good pr0n.

    I seriously doubt this constitutes a breach of security it doesn't reveal any information that isn't available already.

    that's it. move along.
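Added example, not code from the Slashdot thread or from the exploit write-up quoted above: it automates the `netstat -n` step from that write-up and the "http://localhost:1214" check in the comment just above. It picks the peers you are currently downloading from out of netstat output, builds the listing URL for each, and includes a plain HTTP GET against that port. The netstat text is constructed (documentation IPs), and the port number is the only fact taken from the thread; the network fetch is defined but not run, so the block works offline.

```python
"""Added example, not from the Slashdot thread or the exploit write-up it
quotes: pick the FastTrack peers out of `netstat -n` output and build the
port-1214 listing URL the thread describes. The netstat text is constructed."""
import http.client
from typing import List, Optional, Tuple

FASTTRACK_PORT = 1214  # port named in the thread


def split_addr(addr: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); handles '[::1]:1214' as well."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_row(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one netstat row into (local, foreign, state), or None.

    Windows rows look like 'TCP  local  foreign  STATE'; Linux rows add
    Recv-Q/Send-Q columns, so the address columns are found by their ':'."""
    parts = line.split()
    if not parts or not parts[0].lower().startswith("tcp"):
        return None
    addrs = [p for p in parts[1:] if ":" in p]
    if len(addrs) < 2:
        return None
    last = parts[-1]
    state = last.upper() if last.replace("_", "").isalpha() else ""
    return addrs[0], addrs[1], state


def fasttrack_peers(netstat_output: str, port: int = FASTTRACK_PORT) -> List[str]:
    """Distinct foreign hosts we are connected to on `port`.

    Only ESTABLISHED rows count (rows without a state column are kept).
    A row whose *local* port is 1214 is someone downloading from us, not a
    peer we are downloading from, so its foreign port will not match."""
    peers: List[str] = []
    for line in netstat_output.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _local, foreign, state = row
        if state and state != "ESTABLISHED":
            continue
        try:
            host, fport = split_addr(foreign)
        except ValueError:
            continue  # e.g. '*:*' or '0.0.0.0:*'
        if fport == port and host not in peers:
            peers.append(host)
    return peers


def listing_url(host: str, port: int = FASTTRACK_PORT) -> str:
    """URL of the client's built-in HTTP index, as typed into the browser."""
    if ":" in host:  # bare IPv6 literal needs brackets inside a URL
        host = f"[{host}]"
    return f"http://{host}:{port}/"


def fetch_listing(host: str, port: int = FASTTRACK_PORT,
                  timeout: float = 5.0) -> Tuple[int, str]:
    """GET / from a peer's port-1214 server and return (status, body).
    Not called below, so the example runs offline."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": f"{host}:{port}"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


# Constructed `netstat -n` output in the Windows layout the write-up refers to.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.2:1041       192.0.2.10:1214        ESTABLISHED
  TCP    192.168.0.2:1042       192.0.2.10:1214        ESTABLISHED
  TCP    192.168.0.2:1043       198.51.100.7:1214      TIME_WAIT
  TCP    192.168.0.2:1044       203.0.113.5:80         ESTABLISHED
  TCP    192.168.0.2:1214       203.0.113.9:3322       ESTABLISHED
"""

if __name__ == "__main__":
    for peer in fasttrack_peers(SAMPLE_NETSTAT):
        print(listing_url(peer))  # http://192.0.2.10:1214/
```

The parser deliberately ignores TIME_WAIT rows and inbound connections to our own port 1214; only live outbound transfers identify a peer whose index is worth looking at, and what that index shows is exactly what the rest of the thread argues about.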
  • the big hack is actually a variation of "finding more from user" option in morpheus. when following the instructions you are only shown files that are specifically shared. sounds more like a big flop to me...

  • by cscx ( 541332 ) on Sunday February 03, 2002 @12:47AM (#2944899) Homepage
    After close inspection, I have found this security hole to also exist in Apache Web Server, Microsoft Internet Information Server, ProFTPD, and wu-ftpd, along with various Windows FTP servers.

    It's called "being a friggin' idiot and setting the server root to /". However, just like Morpheus and Kazaa, it only takes place under special conditions, notably when "Directory Browsing" is turned on in Apache, called "Virtual Directory Browsing" in IIS.

    This bug, previously encountered before, is casually referred to as the "idiot-moron exploit." Tell me you've never seen .doc files shared on WinMX, et al before. Of course for Apache, IIS, etc, your file permissions have to be set correctly... However, Kazaa runs as the current user, so it only has access to whatever the current user does.... SHARING EXPLICITLY WHAT IS IN THAT DIRECTORY! So, say, for example, I "accidentally" place naked_picture_of_my_cute_girlfriend.jpeg in "My Shared Folder".... It's not a freakin' bug if someone has access to that!

    Kazaa has always used HTTP as its protocol, and this "interface", should you call it that, is probably what it uses to get that respective user's database of files. Duh. Click on them, and look at all their files in Kazaa, or use a web browser. Hardly a difference. Unless of course the docroot is C:\. But then again, is that an exploit??? This is ridiculous. Please Slashdot, check the validity of the articles before posting!! :)
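Added example, not Morpheus or KaZaA code and not from the comment above: it shows what the comment's distinction amounts to in code. A share-folder HTTP server is only safe if every request path is confined to the share directory, and a "docroot is C:\" configuration is a separate mistake that confinement cannot fix. The share directory path is an assumption, paths are POSIX-style strings, and no files are touched.

```python
"""Added example, not Morpheus/KaZaA code: map request paths onto files
under a share directory so nothing outside it is reachable, and detect
the 'server root is the whole disk' misconfiguration the comment describes."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

SHARE_ROOT = "/home/user/My Shared Folder"  # assumed share directory

_DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]?$")  # 'C:', 'C:\', 'C:/'


def share_root_is_whole_disk(root: str) -> bool:
    """True when the configured root is a filesystem root ('/' or 'C:\\'),
    i.e. every file the user can read would be browsable."""
    return posixpath.normpath(root) == "/" or bool(_DRIVE_ROOT.match(root))


def resolve_shared_path(root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path to a path under `root`, or None if the
    request would escape the share.

    Percent-encoding is decoded first so '%2e%2e/' is treated like '../',
    backslashes count as separators as they would on Windows, and a NUL
    is rejected because it would truncate the path in a C runtime."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")
    rel = posixpath.normpath(decoded)          # '' -> '.', 'a/../b' -> 'b'
    if posixpath.isabs(rel) or rel == ".." or rel.startswith("../"):
        return None
    root = posixpath.normpath(root)
    full = root if rel == "." else posixpath.join(root, rel)
    # Defence in depth: the joined path must still sit under root.
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    print("whole disk?", share_root_is_whole_disk(SHARE_ROOT), share_root_is_whole_disk("C:\\"))
    for req in ("/song.mp3", "/sub/../song.mp3", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/..\\..\\boot.ini", "/"):
        print(f"{req!r:32} -> {resolve_shared_path(SHARE_ROOT, req)}")
```

With confinement in place, traversal attempts in any encoding resolve to None, so the only files reachable are those under the share directory, which is the behaviour the commenters say they observe. The second check is the one that matters for the "C:\ as docroot" case: a correctly confined server rooted at the drive still exposes the whole drive.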

  • by hyrdra ( 260687 ) on Sunday February 03, 2002 @01:09AM (#2944953) Homepage Journal
    I've known about this so-called exploit for months. I often use it to quickly check to see if a specific user has any files shared, and what files they are. Basically, it's the same as a BearShare or LimeWire HTTP server listing shared files and providing links to download.

    This comes from the fact that the FastTrack protocol transfers and requests files via the HTTP protocol, thus any HTTP speaking application (such as a web browser) should be able to do the same as a Morpheus client, which is really only a fancy web browser.

    In fact, the OpenFTP has a program which does in fact scan IP address ranges from the 1214 port number, indexes the files, and then provides these for searching on the OpenFT network. They even have a memory-dump function which dumps the entire memory block of the Linux KazAa client kza (no longer available), and searches for IP addresses to index.

    I would question the so-called 'group' the BBC contacted. It's either an ultra-liberal doomsday security group like that of Steve Gibson or is a very good (?) attempt by the RIAA to scare people off the FT network, which now has peaked at over 700,000 connected nodes.

    But as for a security threat, there is no concern. The only files accessible on the internal web server are those which have been specifically selected to be shared, and a dynamic wwwroot is then generated based on selected directories (usually just My Shared Files).
  • ...may not make a difference with this hack.

    Since the "hack" apparently allows downloads via HTTP, my guess is that Morpheus's built-in queue for those downloading from you will have no effect... thus if you find yourself trying to download a file but are stuck in someone's queue, this might be a way to get around that and begin the download immediately.

    If you're behind a NAT firewall you're probably protected because a direct HTTP connection is required.

    I haven't verified anything yet, but initial observation supports my theory... now back to testing.
    • Not true. Attempting to download a file directly from port 1214 of a machine which already has maximum downloads results in a 503 Service Unavailable error. Using direct HTTP seems to produce almost identical results to using the FastTrack clients.
  • by Reziac ( 43301 ) on Sunday February 03, 2002 @03:08AM (#2945185) Homepage Journal
    ... you have filenames present that contain high ASCII characters. I have personally observed this on many occasions, just by way of using the old Kazaa websearch to locate files on shared drives. Go to the host IP address to see what else was available from that host, and sometimes not only the MP3s offered, but also every single file on the HD was visible and readable.

    The common factor observed in ALL cases was ANY file present with high ASCII in the filename. (I'd guess mostly or entirely on Win32 systems using an Oriental character set, judging by the MP3s present.)

    Note: I do not have Kazaa installed myself, nor any of its kin. I was viewing these unexpectedly available files with plain old Netscape 3.

    There were complaints about similar events on the Kazaa "report bugs" forum. (After reading that forum for a while, no way in hell would I install the Kazaa client -- since it also had a habit of randomly wiping out files on some systems.)

    Anyway, it wouldn't surprise me at all if Morpheus has a similar bug.
    • I just tried to duplicate this on my machine, creating files with names cut and pasted from a Japanese language website. Also shifted my locale to Japan. Morpheus still only listed the files it was supposed to list.
      Disabling sharing and then reconnecting to the localhost displayed a blank HTML page. I don't see any flaws here. Tried a variety of directory traversal tricks and they all failed. I suppose there could be a buffer overflow...
  • by LoudMusic ( 199347 ) on Sunday February 03, 2002 @03:35AM (#2945238)
    I realize this is the same thing that everyone else is saying, but it's just HTTP (a protocol ...) on a different port. Woop-dee-doo. Have any of you watched Morpheus traffic on a firewall, though? It's rather amusing how close they got to being completely oblivious to a casual sys admin like myself. The client appears to change mp3 file names to .jpg, and send them as http requests on a different port. If they had put it on port 80 I probably wouldn't have caught it 'back in the day'.

    If you really want to make a 'hidden service', you'd make the client break the files up into smaller packages (much like warez RARs), name them random files from the Internet Cache folder, send them on port 80, include a file that tells the receiving end how to put them back together, and you'd be set. It would just look like someone was browsing the Internet. It would be four megabytes worth of webdata ... but I've been known to pull that much webdata from a website before. And if you really want to get hardcore (for the hardcore content checking firewalls) you could change the header information in the files so that they appeared as jpgs, or html files. Super shneeky.

    ~LoudMusic
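Added example, not from the comment above and not Morpheus code: the content check that the comment says a "hardcore content checking firewall" would have to do. It sniffs the leading bytes of a transferred body and flags a transfer whose real type contradicts the extension in the request path, which is what catches an MP3 travelling as "cover.jpg". The HTTP response is constructed; the byte signatures are the standard JPEG/PNG/GIF/ID3/MPEG-frame ones.

```python
"""Added example, not from the thread: flag a file whose leading bytes do
not match the type its extension claims. Sample transfer is constructed."""
import posixpath
from typing import Optional, Tuple


def sniff(data: bytes) -> str:
    """Identify a file from its leading bytes. An MP3 starts either with an
    ID3v2 tag or directly with an MPEG audio frame, whose first 11 bits
    are all ones (0xFF followed by a byte with its top three bits set)."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"GIF87a") or data.startswith(b"GIF89a"):
        return "gif"
    if data.startswith(b"ID3"):
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    if data.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


EXT_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
             ".mp3": "mp3", ".htm": "html", ".html": "html"}


def claimed_type(request_path: str) -> Optional[str]:
    """Type implied by the extension of the requested path (query stripped)."""
    path = request_path.split("?", 1)[0]
    return EXT_TYPES.get(posixpath.splitext(path)[1].lower())


def is_mismatch(request_path: str, body: bytes) -> bool:
    """True when both the extension and the bytes are recognised and disagree.
    Unknown content is not flagged; that keeps false positives down."""
    claimed, actual = claimed_type(request_path), sniff(body)
    return claimed is not None and actual != "unknown" and actual != claimed


def split_http_response(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP response into (header block, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head, (body if sep else b"")


def check_transfer(request_path: str, raw_response: bytes) -> Tuple[Optional[str], str, bool]:
    """Return (claimed type, sniffed type, flagged?) for one transfer."""
    _, body = split_http_response(raw_response)
    return claimed_type(request_path), sniff(body), is_mismatch(request_path, body)


# Constructed transfer: a request for "cover.jpg" answered with an ID3-tagged MP3.
SAMPLE_PATH = "/files/cover.jpg"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 14\r\n\r\n"
    b"ID3\x03\x00\x00\x00\x00\x00\x00"   # ID3v2.3 tag header
    b"\xff\xfb\x90\x00"                   # first MPEG audio frame header
)

if __name__ == "__main__":
    print(check_transfer(SAMPLE_PATH, SAMPLE_RESPONSE))  # ('jpeg', 'mp3', True)
```

Leading-byte sniffing is exactly as strong as the comment implies and no stronger: a client that renames files is caught, while one that prepends a genuine JPEG header, as the comment goes on to suggest, passes this check, and catching that would need the firewall to parse the image structure rather than its first bytes.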
  • Wow it looks like those crackers cited by BBC are really top notch! They've certainly got people-management skillz like Mitnick, if my reading of the BBC article has anything to say..
    It should be obvious to anybody reading this thing that the "random list of shared personal filez" and such is a big user booboo. Obviously some people are st00p1d enough to leave personal details n docs in a shared folder..
    How much did the RIAA pay to get this posted?
  • Big whoop, with Direct Connect any user can not only download, but can also RUN any file on any user's hard drive.

    It is a huge security hole. (Direct Connect has next to no authentication of, uh, anything)

    Only thing is that only one user has the utility that is able to do this and he is not giving it out to anybody else.

    Suffice to say though everybody is scared shitless of him. When he walks into a HUB everybody else zips up and doesn't say a word.
  • For more info on exactly what is going on, see the following link:

    http://www.securityfocus.org/archive/1/211663 [securityfocus.org]
  • The Recording Industry Association of America, which spearheaded the fight against Napster, is reportedly looking at ways it can tackle these new methods of file-sharing
    Does this include sending reports of security holes to high-profile news sites?

    not_cub
