LimeWire Gnutella Client Directory Traversal and File Disclosure
16 Mar. 2005
Summary
"LimeWire is a file sharing program running on the Gnutella Network. It is open standard software running on an open protocol, free for the public to use. LimeWire allows you to share any file such as mp3s, avis, jpgs, tiffs, etc. Limewire is written in Java, and will run on Windows, Macintosh, Linux, Sun, and other computing platforms."
Recent versions of the LimeWire client contain vulnerabilities that allow a remote user to access many or all files on a users machine.
Credit:
The information has been provided by Kevin Walsh.
Vulnerable Systems:
* LimeWire versions 4.1.2 up to 4.5.6 are vulnerable to File Disclosure
* LimeWire versions 3.9.6 up to 4.6.0 are vulnerable to Directory Traversal
Immune Systems:
* LimeWire version 4.6.0 (File Disclosure)
* LimeWire version 4.8.0 (Directory Traversal)
File Disclosure Vulnerability (Inappropriate handling of "resource get" requests):
A remote attacker can request and read any file on a host running an affected version of LimeWire. Gnutella "push style" requests is also vulnerable under most conditions, and therefore a local firewall does not prevent the attack. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges, a common scenario in Windows. The handling of "resource get" requests is the immediate cause of the problem. A request of the form "/gnutella/res/[filename]" returns the named file. For example, one can telnet to a LimeWire client using the default LimeWire port and type the following text: GET /gnutella/res/C:\Windows\win.ini HTTP/1.1
User-Agent: I-AM-AN-ATTACKER/1.0
Host: 0.0.0.0:0
Accept: */*
Connection: Keep-Alive
The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similarly, the attacker may request "/gnutella/res//etc/passwd" on Linux or UNIX-based machines. This attack has been tested and confirmed on Linux and Windows 2000 platforms.
Workaround:
This problem has been fixed in the recently released LimeWire versions 4.6.0 and later, which were released promptly by Lime Wire LLC after notification of the vulnerability.
Directory Traversal Vulnerability (Inappropriate handling of "magnet" requests):
A remote attacker can request and read any file on a host running an affected version of LimeWire. The attacker need only be able to connect to the LimeWire client "magnet" TCP port (default port, or a port chosen from a modest range if default is not available). Gnutella "push style" requests are not vulnerable, so a firewall that blocks access to the magnet port blocks the attack. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges.
The handling of "magnet" requests is the immediate cause of the problem. A request of the form "/magnet10/[rel-filename]" returns the named file, relative to the "root" subdirectory of the LimeWire installation, regardless of if it is in the "root" directory, or indeed even part of the Limewire package. For example, one can telnet to a LimeWire client and issue an HTTP request "GET /magnet10/../../../../../Windows/Win.ini?Simple-test"
This example assumes that LimeWire is installed in its default installation directory. The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similarly attacks work on Linux or UNIX-based machines. The attack has been tested and confirmed on Linux and Windows 2000 platforms, using several versions of LimeWire.
Workaround:
This problem has been fixed in the recently released LimeWire versions 4.8.0 and later, which were released promptly by Lime Wire LLC notification of the vulnerability.
