A Serious Security Vulnerability Found in BearShare (Directory Traversal)
29 Apr. 2001
BearShare is a Windows file sharing program from Free Peers, Inc. that lets you, your friends, and everyone in the world share files. A serious security vulnerability in the product allows remote attackers to download any file on the local disk, even if it hasn't been added to the shared list.
Vulnerable systems:
BearShare 2.2.2 and prior (Windows 95/98/ME) with its Web Site feature enabled
Immune systems:
BearShare 2.2.3 and above (Windows 95/98/ME)
BearShare running under Windows NT/2000
BearShare with its Web Site feature disabled
A security vulnerability in BearShare allows remote attackers to access files that reside outside the upload root provided by BearShare. This would allow a remote attacker to download any file without restrictions. The vulnerability resides in BearShare's Web Site feature.
BearShare protects against the classic dotdot ('..') attack, but its filtering is insufficient: chaining together a large number of dots bypasses the standard protection.
This attack does not seem to work against Windows 2000 machines, and also not all file types can be downloaded (for example, .avi and .mpg files will not be downloaded). The vendor has not provided information about which platforms are vulnerable and which file types can be downloaded.
This would download the win.ini file from the windows directory.
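The filtering weakness described above, as an added example that is not from the advisory or from BearShare's code: a blocklist that rejects only a literal '..' component, beside a check that refuses dot-only components and verifies containment on the resolved path. The root path, the request strings, all function names and the modelled Windows 95/98/ME rule (a component of n dots climbs n-1 directories) are assumptions made for the illustration.

```python
from urllib.parse import unquote

ROOT = "/apps/share/webroot"  # constructed upload root, not BearShare's real path

def components(url_path):
    """Percent-decode the request path and split it on either separator."""
    return [c for c in unquote(url_path).replace("\\", "/").split("/") if c]

def naive_filter(url_path):
    """Blocklist check: passes anything without a literal '..' component."""
    return ".." not in components(url_path)

def win9x_resolve(root, url_path):
    """Model of the assumed Windows 95/98/ME rule: n dots climb n-1 levels."""
    stack = [c for c in root.split("/") if c]
    for comp in components(url_path):
        if set(comp) == {"."}:
            # Drop the last n-1 directories; never climb above the top level.
            del stack[max(0, len(stack) - (len(comp) - 1)):]
        else:
            stack.append(comp)
    return "/" + "/".join(stack)

def is_contained(root, resolved):
    """True when the resolved path is the root itself or lies beneath it."""
    return resolved == root or resolved.startswith(root.rstrip("/") + "/")

def strict_resolve(root, url_path):
    """Allowlist check: refuse dot-only or odd components, then verify
    containment on the path the file system would actually open."""
    for comp in components(url_path):
        if comp.strip(". ") == "" or ":" in comp or "\x00" in comp:
            return None
    resolved = win9x_resolve(root, url_path)
    return resolved if is_contained(root, resolved) else None
```

The containment test runs on the resolved path, so it still holds if the component check misses a spelling the file system treats as a parent reference.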
The vendor has released a new version that fixes this problem. Users are encouraged to download and install it as soon as possible.
Disabling BearShare's Web Site feature would prevent this vulnerability from happening and is generally recommended.
Free Peers, Inc. has responded by releasing a new version of the product, but ignored our request for more information about the vulnerability and its impact. In addition, they did not bother to notify us about the release of the new version, all this while we were waiting for their comments before releasing this advisory.