[plug] Napster - for Linux

Peter F Bradshaw pfb at users.sourceforge.net
Thu Jun 29 17:22:30 WST 2000 

On Wed, 28 Jun 2000, Jason Nicholls wrote:

> G'day John,
> 
> 
> On Wed, Jun 28, 2000 at 01:05:17PM +0800, John Breen wrote:
> > Is anyone aware if there is such a beast?  If so, where can I
> > download it?  I can't find it on the Napster site, so I'm guessing
> > not, but...
> 
> gnapster ;) Try on freshmeant. I even think this comes with RH6.2!

Hi;

You may want to get the latest from the home page. From BugTrac of May 11:

Environment: Intel PII-based System 
             Linux RedHat Version 6.2 
               (may apply to all OS's running Gnapster) 
             Gnapster Version 1.3.8 (and earlier) 
               Gnapster is an open source, independent implementation of 
               the Napster protocol client. 

Problem: It is possible for anyone to obtain any user-readable file by 
         sending a properly formed "GET" command that contains the full 
         path of the file. This vulnerability exists because Gnapster 
         fails to check that the requested file is an explicitly shared 
         MP3 file before providing it. 

         Note: This is the same vulnerability described in 
               FreeBSD-SA-00:18 

         Anyone running Gnapster version 1.3.8 or earlier is vulnerable. 
         Given the IP address and TCP port of a vulnerable client, an 
         attacker can send a request for an arbitrary file to the 
         Gnapster client. If the user has read access to the file, 
         the client will then respond with the contents of the file. 

Solution: We contacted the program's author, and he promptly created 
          a new version which addresses this vulnerability. The fix simply 
          checks that a requested file is in the list of shared files. 
          The current version can be downloaded from: 

       http://download.sourceforge.net/gnapster/gnapster-1.3.9.tar.gz 
                                                                 
Exploit: We have developed an exploit code for this vulnerability, but we 
         will not be releasing it to the public. 

Conclusion: We have described a vulnerability in one client implementation of 
            the Napster protocol. There may be similar problems in other 
            implementations of the protocol as we have not done an 
            exhaustive search. The official Windows client does not seem to 
            be affected. We urge users to upgrade to the latest version of 
            Gnapster.


Cheers

--
Peter F Bradshaw             | http://www.dingoblue.net.au/~pfb
pfb at users.sourceforge.net    | PGP public key at
http://www.pfb.tsx.org       | http://www.dingoblue.net.au/~pfb/public_key.html
                             | "Needs more salt" - Archimedes

More information about the plug mailing list