Morpheus Users - Sharing More Than They Think?

[JackSpratts]

Ever since MusicCity (now Streamcast) tanked their old opennap client and replaced it w/Morpheus, rumors have floated around concerning a security flaw having to do with IP numbers and hard drive access. A lot of us spent considerable time and energy shooting it down, pointing out that it's really nothing more than a typical P2P in normal operation.

Well, things may have changed recently, as this news report suggests. On the other hand, maybe not. So far the lack of detailed information makes it too early to tell.

- js.

[TankGirl]

If this is not a hoax, it is worrying news... BUT the story is very vague, referring to unidentified 'secury experts' that had obviously contacted BBC News Online directly before publishing any details of their findings in security-related bulletins... and BBC's comment sounds odd and uninformed to say the least:"It's definitely an accident from Morpheus' side, probably a worm. This is very dangerous."

If there is anything real to it, we should know in a few days from more reliable sources.

- tg

[Malk-a-mite]

Lame

Sorry - started playing around with this a bit.

It's not a bug, it's not an exploit - it's just lame.

Start a download, then at a dos prompt type "netstat -n"

Look for IP address followed by 1214

Take said address a put it in a browser.
Bamf - all the shared files.

But only the files the person had shared.

And yes some people are dumb and share there C drives.

Tested it out on whoever this poor person is:
http://xxx.xxx.142.63:1214/ <- who is now offline

Edit:
Trying to helping and not just complain :)
http://securityfocus.com/archive/1/211663

[Malk-a-mite]

:)

[BuzzB2K]

Malk-a-mite
Well from that first file there he is apparently a KaZaA user. I tried several times to explain to people what those "blank" downloads were (No UserName showing in uploads, just files being uploaded.)

As Malk-a-mite pointed out, All you can access is whatever is being shared! If you are sharing your "C:\Drive" or The entire contents of "My Documents" then maybe you are at some risk.

If you have everything set up correctly (as in only sharing files and folders that you WANT to share) you are at no more risk with Morpheus then with any other filesharing program.

If you want to see how many people on your particular node are at risk, try searching for *.pwl and see how many are actually sharing their Windows directory...

[JackSpratts]

thanks for the posts buzz, tg & malk. as malks' screen print illustrates, that IP trick only pulls up what morpheus users are sharing in the first place – but it sure is a lot more complicated than just letting morpheus do it!

the netstat -n exploit has been around since april and it doesn't give you anything off a drive morpheus user's aren't already allowing you to have. you're basically looking at how morpheus works - it's a IE based app. to work this hack your target has to be on morpheus and transferring in order for you to scan his drive but you can do that normally by checking “find more from user”! if that's what this is then the bbc has been snookered - probably by a pro-winmx group at that haha!

the article does darkly suggest they're getting user names a different way. so maybe they're doing “resume.dat” searches, but it also suggests they're going deeper into peoples' hard drives than the IP paste in IE ever went. it certainly sounds bad alright...

well it's late but here's my guess:

people who are trying to cause a bit of trouble towards morpheus (could be anyone – giFT – winmx – riaa - ignorant “experts”? well meaning dopes - who knows…) are re-posting the old IP trick and if so then so what, it's nothing new.

to make it sound new (and scary), they're doing a "resume.dat" scan to view ALL the current users on a supernode (well, 100 anyway or whatever your search limit is - it can be a bit higher). it sounds evil but again so what, that's what the program is supposed to do; query all users connected to a node.

finally, they're confusing a common user mistake; sharing the entire contents of a hard drive, with some sort of Morpheus vulnerability. people have been inadvertently putting their whole hard drives on Morpheus since the beginning, but that's a user mistake made on all file-sharing clients (that allow you to share everything). it's never been unique to Morpheus. new users scream about it of course on xolox, blubster, gnucleus, bearshare and the rest.

so if this is the case then the alert is about nothing more than the old spooky hack that's been around since april '01 and was – and is – totally benign. it's a fun and harmless “shortcut”. sure, it takes longer to do than what the client will do anyway, but it uses IE & Morpheus, instead of IE-based morpheus alone, and if that makes it kind of cool, it doesn't also make it bad.

- js.

[BuzzB2K]

Quote:

Originally posted by BuzzB2K
If you want to see how many people on your particular node are at risk, try searching for *.pwl and see how many are actually sharing their Windows directory...

I just tried the above search and only found 20 people sharing their passwords.
Couldn't find any of those credit card numbers those "experts" found though.

[Mowzer]

.

[indiana_jones]

hi
it often happens, that if i tried to download a file, it at once says

"More sources needed".

my theory is, that anything ever imported to "My Media" has its records in the .dbb files. - even if you remove it, the records stay.

i just want to know, if all things in the .dbb files still show up in the search results.

if so then it is for sure a security hazard for users, who ever used the "Import Bastard" or the "Select All" function and corrected it afterwards to share all files, but do not know about the dbb files.
(because even many filenames contain the real names of the users, or the urls they surfed)

do you have an idea, how to find out about the search results
or have a sure proof, my theory is simply nonsense.

indy

[Mowzer]

.

[zombywoof]

Another thing about open kazaa connections. If anyone has ever used Copernic as your search engine tool, if you were to do an mp3 search, one of the bots would come up is a bot that searches for kazaa users. Once the search was completed and you found songs available, all you had to do was click on the link which provided the IP number and port 1214 and start downloading via the web browser. I believe this has changed as of late because Copernic searches these days do not search thru the kazaa bot. Must have been updated or something.

[indiana_jones]

thanks for the link,

but is this really a security problem? okay a hacker could use all my bandwidth but he doesn't get private data form me.

I think the most security risks come from those easy to use "click click" features, like i.e. automatically importing some things - which simply make people stop thinking about what they are really doing.

I mean, if one had ripped or downloaded 100 mp3's and morpheus says that he shares 10000 (as users who share their whole computer usually do) then he should think a bit, that there must be something wrong.

i think the ratio of people sharing files (500000) to people reading forums or helps (500) is 1000:1 and this is the biggest security problem of this system - using something, but being not informed or do not know how to get informed.

with this i dont want to imply that people are stupid - it's just that computer and internet is getting to be used like phone or tv or car - and i dont care much about how my car works - as long as it works. but it seems as if it's not quite such simple.



indy

[JackSpratts]

Quote:

Originally posted by indiana_jones


i think the ratio of people sharing files (500000) to people reading forums or helps (500) is 1000:1 and this is the biggest security problem of this system - using something, but being not informed or do not know how to get informed.

indy

good point as indicated by the quality of the posts, the amount of informed users here at nu is high indeed. excellent work everyone!

- js.

[JohnDoe345]

Quote:

Originally posted by indiana_jones

i think the ratio of people sharing files (500000) to people reading forums or helps (500) is 1000:1 and this is the biggest security problem of this system - using something, but being not informed or do not know how to get informed.

with this i dont want to imply that people are stupid - it's just that computer and internet is getting to be used like phone or tv or car - and i dont care much about how my car works - as long as it works. but it seems as if it's not quite such simple.

Very good point indy. Some users don't know anything about how to use computers except maybe to turn it on and use programs that have been shown to them by a friend or someone. I've met some of these people first hand, and I'm sure the users sharing their whole hard drive are one of these people.

This whole security issue isn't really too new to me. My firewall constantly tells me that users try to access port 1214 when Morpheus is turned off. That's another thing, a lot of broadband users on Morpheus don't use firewalls. Either they are naive or they just don't care.

Until there is a hole in Morpheus that let's people acces my whole hard drive and not just Morpheus's "my shared folder" then I will be worried (my firewall stops them anyhow). Although, if that does happen then it would be no different from hackers trying to gain access to my computer. A good firewall will put a stop to that. Just make sure to keep it up to date.

[Mowzer]

*

[BuzzB2K]

Quote:

Originally posted by JackSpratts
Ever since MusicCity (now Streamcast) tanked their old opennap client and replaced it w/Morpheus, rumors have floated around concerning a security flaw having to do with IP numbers and hard drive access. A lot of us spent considerable time and energy shooting it down, pointing out that it's really nothing more than a typical P2P in normal operation.

Well, things may have changed recently, as this news report suggests. On the other hand, maybe not. So far the lack of detailed information makes it too early to tell.

- js.

Does anyone know if this guy is for real? Quoted from ZeroPaid.

Quote:

PAUL SARSFIELD - MUSICCITY TECHNICAL SUPPORT | February 3, 2002 @ 2:37 am | ;
.... | Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)

Yes. We have confirmed the reports that Morpheus does indeed contain the security hole. Our programmers are working diligently on a fix and we hope to have it ready within the week. We have found that the exploit does in fact allow a malicious user to gain access to the root level of the Morpheus user's C: drive and therefore gain write access to private files on the user's entire system, not just the shared folder.
We have determined that the reason why only some systems are affected, is that the flaw does not seem to work on Windows XP systems. We believe this is due to the fact that XP uses the NTFS file system and has security settings in effect. Windows98, 95, and WinME systems are vulnerable.
(Note: Although it will sometimes run, Morpheus is not recommended for Windows XP due to additional problems with compatibility. WIndows XP compatibility is expected in our future 2.0 release this spring.)
The Kazaa program, and Grokster which share the same code, are also affected. We apologize for any inconvenience this has caused you and we assure you we are working as fast as we can to arrive at a solution. We will post the security fix on the Grokster site where we have posted another security tool, at the following url: (Link)
We hope to provide you with the best filesharing program out there and we assure you that we will have the issue taken care of shortly.
Thank you,
-Paul Sarsfield,
Tech Support
MusicCity Morpheus
"Gamer" MusicCity Op
Email: gamer@gamerspage.com

P.S. I do know you can find him on MusicCity Chat in the Help Room. What really is confusing is his post on his Website - Gamerspage.com Learn what you are talking about

[JackSpratts]

Well as the hours pass unfortunately it looks more and more like this is the real thing. Sources at the BBC tell me that they've done their own research and the hack is real, it's different from the old one, it works, and they deliberately withheld salient details in the article to protect their sources and perhaps to keep new hackers from exploiting it -

"Jack,

... as you can understand, we could not give out specific details of the hole in Morpheus. This security hole is different to the bug you mentioned, which relies on a specific computer port. This one involves the use of [a] simple computer command which has now appeared on several websites.

Let me know if you need further details"

So...I've asked for further information - I'd like to find those sites! (anyone?) - We might want to step up the effort on this.

- js.

[JackSpratts]

i just received the hack details momments ago and tested it.

1. it's real.

2. it pulls up the entire drive.

3. it's different from the netstat -n 1214 IE hack.

4. it's dangerous.

5. it's easy.

at this point i'm suspending file sharing with this app and recomending all users do the same. more later.

- js.

[BuzzB2K]

Well then I guess I will quit trying to get it to work. I lost my XP setup last week and have been straightening out the 98 setup I messed up in the process...

Right now Morpheus won't run without crashing so after what you said, until we find out more on this I will leave it that way for now!

[BuzzB2K]

Quote:

Originally posted by JackSpratts
i just received the hack details momments ago and tested it.

1. it's real.

2. it pulls up the entire drive.

3. it's different from the netstat -n 1214 IE hack.

4. it's dangerous.

5. it's easy.

at this point i'm suspending file sharing with this app and recomending all users do the same. more later.

- js.

Does this new exploit only access the root of the drive\partion your "shared" folder is on or does it affect the drive that Morpheus is installed to?

In either case they couldn't get to much on mine because my download directory is not on my sytem drive but is instead on a drive that contains nothing but MP3's...

And I have Morpheus installed on a seperate partition that was formerly my XP sytem drive but now has little more then Morpheus on it... Pretty slim pickings!

Any ideas on this??