|
Peer to Peer The 3rd millenium technology! |
|
27-05-03, 08:47 AM | #1 |
Join Date: May 2001
Location: New England
Posts: 10,024
|
'Serious' Vulnerability In KaZaA - Users Urged to Install Patch
Patrick Gray
Users of file sharing programs such as Kazaa and iMesh are urged to install a security patch following the discovery of a serious bug in their underlying network.

A security researcher recently found a potentially critical vulnerability in the program which drives the FastTrack network. FastTrack is used by peer-to-peer (p2p) software including Kazaa and iMesh.

Joltid, the maker of FastTrack, initially said the flaw was not serious, but has since done an about-face and plans to plug the loophole. The makers of Kazaa will release a patch within the next 24 hours and are urging customers to install it "as soon as possible".

According to the original security advisory, published on the Full Disclosure security mailing list, attackers can take control of or crash the FastTrack "supernodes" that p2p users connect to.

"It's definitely a serious risk. Just ask anyone if executing arbitrary code is a serious risk or not," the researcher told ZDNet Australia.

http://asia.cnet.com/newstech/securi...9133858,00.htm |
27-05-03, 09:45 AM | #2 |
yea, it's me.
Join Date: Jan 2002
Location: usa
Posts: 2,093
|
ARRRRRRRRRRRRGGGGGGGGGGGHHHHHHHHHHH!
|
27-05-03, 01:45 PM | #3 |
Thanks for being with arse
Join Date: Jan 2002
Location: The other side of the world
Posts: 10,343
|
im glad the riaa hackers didnt find it...
|
27-05-03, 01:59 PM | #4 |
Join Date: May 2001
Location: New England
Posts: 10,024
|
i'd stay off the network for the next 24/48 hours if i ran a supernode.
- js.

The PACKET 0' DEATH FastTrack Network Vulnerability
random nut

Vulnerability Overview

There exists a vulnerability in the FastTrack network core that can be used by an attacker to take control of all FastTrack network supernodes. The attacker can either crash all supernodes or insert arbitrary code in each supernode's address space. Crashing all supernodes means that no-one can search for files on the FT network or connect to the FT network.

To protect the FT network from people who want to reverse engineer the protocol, the owners of the FT network added encryption to all supernode packets. The encryption seems to be made by the FT network creators. Nothing else is encrypted, such as files transferred to other users.

Vulnerability Information

Packet 0 (possibly called "KAZAA_CONNECTION_INFO", but from here on called "Packet 0' death", note the zero) is used to send up to 200 supernode IPs to clients and supernodes. The supernodes' packet 0' death handler (possibly class "supernode_connection_t") is different from the other packet 0' death handlers, and it also contains the buffer overflow bug. The supernode packet 0' death handler assumes only 200 supernode entries can be received, but if you send more you can overwrite the return address and more of the stack.

More
http://lists.netsys.com/pipermail/fu...ay/009860.html |
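The advisory quoted in post #4 describes a handler that trusts the sender to stay within 200 entries. The following is an added example, not part of the thread or the advisory and not FastTrack code, showing the bounds check such a handler needs; the 6-byte entry layout, the struct and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NODES  200   /* limit stated in the advisory */
#define ENTRY_SIZE 6     /* assumed layout: 4-byte IPv4 + 2-byte port */

struct node_entry { uint8_t ip[4]; uint16_t port; };

/* Unsafe pattern the advisory describes: the payload length alone decides
 * how many entries are written into a fixed 200-slot stack array:
 *
 *     struct node_entry list[MAX_NODES];
 *     for (i = 0; i < len / ENTRY_SIZE; i++) list[i] = ...;   // no cap
 */

/* Hardened parse: returns the number of entries stored, or -1 if the
 * packet is malformed or carries more entries than the buffer holds. */
int parse_node_list(const uint8_t *payload, size_t len,
                    struct node_entry *out, size_t out_cap)
{
    if (payload == NULL || out == NULL)
        return -1;
    if (len % ENTRY_SIZE != 0)                  /* truncated trailing entry */
        return -1;
    size_t count = len / ENTRY_SIZE;
    if (count > out_cap || count > MAX_NODES)   /* reject, do not truncate */
        return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = payload + i * ENTRY_SIZE;
        memcpy(out[i].ip, p, 4);
        out[i].port = (uint16_t)((p[4] << 8) | p[5]);  /* big-endian, assumed */
    }
    return (int)count;
}

/* Constructed check: 200 entries are accepted, 201 are rejected. */
int demo_oversized_rejected(void)
{
    static uint8_t pkt[(MAX_NODES + 1) * ENTRY_SIZE];  /* constructed, zeroed */
    struct node_entry list[MAX_NODES];
    int ok  = parse_node_list(pkt, MAX_NODES * ENTRY_SIZE, list, MAX_NODES);
    int bad = parse_node_list(pkt, sizeof pkt, list, MAX_NODES);
    return ok == MAX_NODES && bad == -1;
}
```

Rejecting the oversized packet outright, rather than silently truncating it to 200 entries, also gives the receiving node a clear event to log and a reason to drop the peer.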
27-05-03, 02:34 PM | #5 |
Dawn's private genie
Join Date: May 2001
Location: the Canadian wasteland
Posts: 4,461
|
Kazaa seems to have a little update today http://fileforum.betanews.com/detail.php3?fid=971761196
|
27-05-03, 03:50 PM | #6 | |
Madame Comrade
Join Date: May 2000
Location: Area 25
Posts: 5,587
|
Quote:
Supernode or not, I would advise to stay off FastTrack until a patch has been made available and you hear that it works. Note that it will take some time for FastTrack's multimillion peer user base to patch their clients, so there will be a period of only-partial security - your patched client may still encounter supernodes that are owned by a malicious party. - tg |
|
28-05-03, 10:27 AM | #7 |
Registered User
Join Date: May 2003
Posts: 3
|
I'd find a quiet time to download the update if I were you. I'm in the middle of it and it went down to 0.5 KB/sec for a while, although it's running at 7.0 KB/sec now. Not too fast for a broadband connection...
I guess with over 230 million of us wanting to download it things might get a little clogged up. |
28-05-03, 11:01 AM | #8 |
Join Date: May 2001
Location: New England
Posts: 10,024
|
hi mrtoca and welcome to napsterites' p2p-zone!
- js. |
28-05-03, 05:43 PM | #9 |
R.I.P napho 1-31-16
Join Date: Dec 2000
Location: Venus
Posts: 16,723
|
Gee, I get to stay off everything for the next god knows how long.
Thanks for the heads up anyway Mr. Spratts. Oops, almost forgot to welcome mrtoca. Hope you like this place
__________________
I love you napho and I will weep forever.......... |