[20511] in bugtraq
A Serious Security Vulnerability Found in BearShare (Directory
daemon@ATHENA.MIT.EDU (Aviram Jenik)
Mon Apr 30 12:40:22 2001
Message-ID: <063401c0d144$05b3e1b0$fe01a8c0@aviram>
Date: Mon, 30 Apr 2001 09:06:00 +0200
Reply-To: Aviram Jenik <aviram@BEYONDSECURITY.COM>
From: Aviram Jenik <aviram@BEYONDSECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY
BearShare <http://www.bearshare.com/> is a Windows file sharing program
from Free Peers, Inc. that lets you, your friends, and everyone in the
world share files. A serious security vulnerability in the product allows
remote attackers to download any file on the local disk, even if it hasn't
been added to the shared list.
DETAILS
Vulnerable systems:
BearShare 2.2.2 and prior (Windows 95/98/ME) with its Web Site feature
enabled
Immune systems:
BearShare 2.2.3 and above (Windows 95/98/ME)
BearShare running under Windows NT/2000
BearShare with its Web Site feature disabled
A security vulnerability in BearShare allows remote attackers to access
files that reside outside the upload root provided by BearShare. This
would allow a remote attacker to download any file without restrictions.
The vulnerability resides in BearShare's Web Site feature.
BearShare has provided protection against the classic dotdot ('..')
attack, but its filtering is insufficient, and thus it is possible to
chain together a large number of dots and bypass the standard protection.
This attack does not seem to work against Windows 2000 machines, and
not all file types can be downloaded (for example, .avi and .mpg files
will not be downloaded). The vendor has not provided information about
which platforms are vulnerable and which file types can be downloaded.
Example:
http://vulnerable:6346/........../windows/win.ini
This would download the win.ini file from the windows directory.
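The filtering gap described above, as an added example that is not part of the original advisory and is not BearShare's code: a filter that refuses only the exact '..' component next to a resolver that refuses every dot-only component and then checks containment. The upload root, the function names and the shape of the weak filter are assumptions; the advisory does not show the vendor's filter.

```python
import ntpath
from urllib.parse import unquote

UPLOAD_ROOT = r"C:\BearShare\web"  # hypothetical upload root, not from the advisory


def naive_is_allowed(url_path):
    """Assumed weak filter: refuses only a path component that is exactly '..'."""
    parts = unquote(url_path).replace("\\", "/").split("/")
    return ".." not in parts


def resolve_safely(url_path, root=UPLOAD_ROOT):
    """Return the absolute Windows path to serve, or None to refuse the request."""
    decoded = unquote(url_path)
    # No NUL bytes and no ':' (drive letters, alternate data streams).
    if "\x00" in decoded or ":" in decoded:
        return None
    parts = [p for p in decoded.replace("\\", "/").split("/") if p]
    for part in parts:
        # Refuse any component made only of dots and spaces ('.', '..',
        # '..........'): normpath below collapses only '.' and '..', so the
        # meaning of a longer run would be left to the operating system.
        if part.strip(". ") == "":
            return None
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, *parts))
    # Defence in depth: the result must still sit under the upload root.
    prefix = ntpath.normcase(root_norm) + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths; the first is the path from the advisory's example.
    for path in ["/........../windows/win.ini", "/%2e%2e%2e/windows/win.ini",
                 "/../windows/win.ini", "/music/song.mp3"]:
        print(path, naive_is_allowed(path), resolve_safely(path))
```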
Solution:
Vendor has released a new version that fixes this problem. Users are
encouraged to download and install it as soon as possible.
Workaround:
Disabling BearShare's Web Site feature prevents this vulnerability from
being exploited and is generally recommended.
Vendor response:
Free Peers, Inc have responded by releasing a new version of the product,
but ignored our request for more information about the vulnerability and
its impact. In addition, they did not bother to notify us about the
release of the new version, all this while we were waiting for their
comments before releasing this advisory.
ADDITIONAL INFORMATION
This security hole was discovered by Gluck Ninja
<mailto:gluckninja@yahoo.com>.
The information has been provided by SecuriTeam Experts
<mailto:experts@secuiteam.com>.
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.