LimeWire Gnutella client two vulnerabilities
Summary:
Recent versions of the LimeWire client contain vulnerabilities that allow a
remote user access to many or all files on a users machine. LimeWire is a
popular client for the Gnutella filesharing network.
Vulnerability 1 - Inappropriate Handling of "resource get" requests.
Symptom:A remote attacker can request and read any file on a host running an
affected version of LimeWire. Gnutella "push style" requests also vulnerable
under most conditions, and therefore a local firewall does not prevent the
attack. The files accessible to a remote attacker include all of the user's
private, local files, and any file on the machine if the user has administrator
privileges, a common scenario in Windows.
Versions affected: LimeWire versions 4.1.2 - 4.5.6, inclusive.
Details: The handling of "resource get" requests is the immediate cause of the
problem. A request of the form "/gnutella/res/[filename]" returns the named
file. For example, one can telnet to a LimeWire client using the default
LimeWire port and type the following text:
GET /gnutella/res/C:\Windows\win.ini HTTP/1.1
User-Agent: I-AM-AN-ATTACKER/1.0
Host: 0.0.0.0:0
Accept: */*
Connection: Keep-Alive
The result is that the LimeWire client reads the file "C:\Windows\win.ini" and
sends it over the network. Similarly, the attacker may request
"/gnutella/res//etc/passwd" on Linux or unix-based machines. This attack has
been tested and confirmed on Linux and Windows 2000 platforms.
Remedies: This problem has been fixed in the recently released LimeWire
versions 4.6.0 and later, which were released promptly by Lime Wire LLC after
we informed them of the vulnerability.
Vulnerability 02 - Inappropriate Handling of "magnet" requests.
Symptom:A remote attacker can request and read any file on a host running an
affected version of LimeWire. The attacker need only be able to connect to the
LimeWire client "magnet" TCP port (default port, or a port chosen from a modest
range if default is not available). Gnutella "push style" requests are not
vulnerable, so a firewall that blocks access to the magnet port blocks the
attack. The files accessible to a remote attacker include all of the user's
private, local files, and any file on the machine if the user has administrator
privileges.
Versions affected: LimeWire versions 3.9.6 - 4.6.0, inclusive.
Details: Details: The handling of "magnet" requests is the immediate cause of
the problem. A request of the form "/magnet10/[rel-filename]" returns the named
file, relative to the "root" subdirectory of the LimeWire installation,
regardless of if it is in the "root" directory, or indeed even part of the
Limewire package. For example, one can telnet to a LimeWire client and issue an
HTTP request
?GET /magnet10/../../../../../Windows/Win.ini?Simple-test?
This example assumes that LimeWire is installed in its default installation
directory. The result is that the LimeWire client reads the file
"C:\Windows\win.ini" and sends it over the network. Similarly attacks work on
Linux or unix-based machines. The attack has been tested and confirmed on Linux
and Windows 2000 platforms, using several versions of LimeWire.
Remedies: This problem has been fixed in the recently released LimeWire
versions 4.8.0 and later, which were released promptly by Lime Wire LLC after
we informed them of the vulnerability.