 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: Tue, 4 Sep 2001 00:42:47 +0200 (CEST)
From: Walter Hop <walter@binity.com>
To: bugtraq@securityfocus.com
Subject: KaZaa/Morpheus non-exploits
[In the past weeks, there have been several reports of "exploits" in
the Kazaa/Morpheus filesharing programs. The original thread has been
killed, but since the original messages might come up in search
engines, I thought it still relevant to explain further that these
are not exploits and there currently is no proof that running the
Morpheus client is dangerous.]
Instead of using an own proprietary protocol, the file-sharing program
Morpheus uses a light-weight HTTP server which is reachable at
http://yourip:1214/ (this should work on Windows 2000 systems as well).
HTTP is used for getting filelists and transferring files. As a nice
side effect, this enables non-Morpheus-users to retrieve files from
Morpheus clients. Some of the HTTP headers display the username, network
name, and node that the Morpheus client is connected to:
> X-Kazaa-Username: {USER NAME HERE}
> X-Kazaa-Network: MusicCity
> X-Kazaa-IP: morpheus.users.ip.address:1214
> X-Kazaa-SupernodeIP: supernode.ip.address:1214
Originally this was used for their browser-based file search tool; this
tool has since disappeared from their website.
Details on Morpheus' architecture can be found here:
http://www.openp2p.com/pub/a/p2p/2001/07/02/morpheus.html?page=2
A negative comment must be made: this feature is poorly documented. I
think not many kids running Morpheus actually know that they have a
web-server running which exposes their user-ID and their files to the
world. (Although I doubt that even when it was documented, people would
actually take the time to read and understand it.)
A firewall could be used to deny these incoming HTTP requests to port
1214; this will also disable transfers to/from some users. (If I recall
correctly, Morpheus does support a "passive" scheme; but at least one of
the two peers involved must accept incoming HTTP requests at the port,
in order for a connection to be established.)
--
Walter Hop <walter@binity.com> | +31 6 24290808 | PGP key ID: 0x84813998
| |||||||||||||||||||||