Morpheus security hole

TallBill

Lifer
Apr 29, 2001
46,044
62
91
Oh well.. I have absolutely nothing on my computer worth worrying about... wait a minute.. I don't use Morpheus anyways ;)
 

bugsysiegel

Golden Member
Jan 11, 2001
1,213
1
81
Hmmm, this could get ugly quickly. It seems to me to be inherintly <sp?> dangerous to let other people snoop your puter with programs like this in the first place. But it would be nice to think there are some competent programmers out there who could prevent these holes from constantly popping up (Hello.... Microsoft! Listening?)
 
Apr 5, 2000
13,256
1
0


<< But it would be nice to think there are some competent programmers out there who could prevent these holes from constantly popping up (Hello.... Microsoft! Listening?) >>



People with enough knowledge can hack Linux and Unix as easily as they can Windows. It's impossible to safeguard everything from security holes.
 

tm37

Lifer
Jan 24, 2001
12,436
1
0
I find it hard to believe that people using Morpheus would be interested in doing anything illegal like taking or looking at something that isn't theirs
 

Zim Hosein

Super Moderator | Elite Member
Super Moderator
Nov 27, 1999
64,788
373
126


<< so if i don't run the program, they won't be able to access it right? >>



Correct.
 

Z24

Senior member
Oct 19, 1999
611
0
0
Anybody find anything more technical than a BBC news report?
 

Nocturnal

Lifer
Jan 8, 2002
18,927
0
76
This is old. I knew about this last year sometime. I used to play around with it, but no longer do.
 

DefRef

Diamond Member
Nov 9, 2000
4,041
1
81
Someone in another thread mentioned that Ars Technica wrote about it and it appears to be just moron users sharing out their whole drives.
 

Cooltech2k

Banned
Feb 9, 2001
2,001
1
0


<< Someone in another thread mentioned that Ars Technica wrote about it and it appears to be just moron users sharing out their whole drives >>



This Wouldn't Surprise Me...
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Only users of FAT filesystems are affected, and the bug affects all FastTrack users not just Morpheus (e.g. Grokster, Kazaa, Refo-search). Quote from a tech support post at Zeropaid:



<< Yes. We have confirmed the reports that Morpheus does indeed contain the security hole. Our programmers are working diligently on a fix and we hope to have it ready within the week. We have found that the exploit does in fact allow a malicious user to gain access to the root level of the Morpheus user's C: drive and therefore gain write access to private files on the user's entire system, not just the shared folder.

We have determined that the reason why only some systems are affected, is that the flaw does not seem to work on Windows XP systems. We believe this is due to the fact that XP uses the NTFS file system and has security settings in effect. Windows98, 95, and WinME systems are vulnerable.


(Note: Although it will sometimes run, Morpheus is not recommended for Windows XP due to additional problems with compatibility. Windows XP compatibility is expected in our future 2.0 release this spring.)


The Kazaa program, and Grokster which share the same code, are also affected. We apologize for any inconvenience this has caused you and we assure you we are working as fast as we can to arrive at a solution. We will post the security fix on the Grokster site where we have posted another security tool, at the following url: (Link)


We hope to provide you with the best filesharing program out there and we assure you that we will have the issue taken care of shortly.


Thank you,

-Paul Sarsfield,
Tech Support
MusicCity Morpheus
"Gamer" MusicCity Op
>>



edit-

<< I find it hard to believe that people using Morpheus would be interested in doing anything illegal like taking or looking at something that isn't theirs >>


Does the name Recording Industry Association of America ring a bell?? They've made their motives public that they would love to find a way to hack into P2P users' drives and delete files, copy personally identifiable information, etc. Protect what's yours, but don't stop using P2P apps in fear of what the RIAA, MPAA, and whoever wants to do with users' info.
 

Descartes

Lifer
Oct 10, 1999
13,968
2
0


<< But it would be nice to think there are some competent programmers out there who could prevent these holes from constantly popping up (Hello.... Microsoft! Listening?) >>



Are you dense? Are you trying to say Microsoft could prevent something like this? It's people like you that continue to slander Microsoft out of complete and total ignorance. "Competent programmers?" Now you're judging what constitutes a competent programmer, yet you think Microsoft is responsible for the quality control of third-party applications installed by the end-user? Let's use an analogy...

Consumer purchases a Ford automobile.
Consumer drives automobile off cliff.
Damn Ford! I guess they didn't include the utopian bubble package...



<< "We're not sure what it is that makes some Morpheus members vulnerable to this," said one, who asked to remain anonymous. >>



Hmm, they can exploit the hole, yet they don't know what makes them vulnerable?? Hmmmm.. yah, that makes sense! Sounds like propaganda to scare Morpheus users away if you ask me. Either that, or the "group" wants to keep the actual source of the hole private so that they can release some "reference code" to all the script kiddies around the world.

[edit]Ok, I guess the hole was declared legitimate, but I'm still leaving my comments :)[/edit]
 

CraigRT

Lifer
Jun 16, 2000
31,440
5
0
Morpheus is dog dung anyways, that was the most cluttered crappy sharing client i have used.. booooo....
 

darkjester

Golden Member
Aug 14, 2001
1,424
0
0


<< But it would be nice to think there are some competent programmers out there who could prevent these holes from constantly popping up (Hello.... Microsoft! Listening?) >>


The problem is that you are assuming Microsoft programmers are all security-competent. Let's face facts here... Every version of Windows has been plagued with TONS of security holes. Well, actually, I'm not too sure about XP, but I really think it's just a matter of time. And I'm not MS-bashing. I use Win2K exclusively and I'm really happy with it, but I'm aware it's not the most secure platform out there.
 

AnthraX101

Senior member
Oct 7, 2001
771
0
0
Got r00t?

*points and laughs at all those who aren't using WinXP (And if you are using P2P, cost isn't an excuse!!!)*

Armani
 

ucdnam

Golden Member
Jan 28, 2000
1,059
0
0
Morpheus is secure with the factory install. It accesses the file listing via an HTTP request on port (whatever, I don't remember). Anyway, only dummies would go into the configuration and decide to share their entire C drive. That's like going into any server (ftp, http, etc) and doing the same thing.. it'll be just as insecure.

Nothing to cry about here people.
 

reitz

Elite Member
Oct 11, 1999
3,878
2
76
I believe it's actually an old security hole that I read about in a Bugtraq report about 6 months ago.

Try this:

Open up Morpheus, and start a download from another user.
Then open a command prompt, and type 'netstat'
Look for connections that end in ...:1214.
Copy one of the hostnames (including the port) and paste it into a browser window, making sure to include the http://

It should bring up a listing of most, if not all, of the shared files a user has on his hard drive in a browser window. You can then right-click on any file listed, and save it to your machine. It's fairly worthless, though, unless the user has a very high upload, since you lose the ability to download the same file from multiple users to speed up the download. The only time I use that "security hole" is when I want to give someone access to files on my machine, without installing and configuring an FTP server.
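
The netstat check from the post above, turned around for auditing your own machine, as an added example that is not part of the original thread: it reads `netstat -an` output and separates a local listener on port 1214 (your own client serving its share listing) from peers connected to it and from your own outbound downloads. The sample output, its addresses and the function names are constructed for illustration.

```python
import re

FASTTRACK_PORT = 1214  # port named in the post above

# Constructed sample of Windows `netstat -an` output (documentation address ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1214        198.51.100.7:3120      ESTABLISHED
  TCP    192.0.2.10:3055        203.0.113.44:1214      ESTABLISHED
  TCP    192.0.2.10:3060        203.0.113.80:80        ESTABLISHED
  UDP    0.0.0.0:1214           *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; port is None when not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def classify(netstat_text, port=FASTTRACK_PORT):
    """Sort TCP rows touching `port` by what they mean for the local machine."""
    report = {"listening": [], "inbound": [], "outbound": []}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) != "TCP":
            continue  # headers, blank lines and UDP rows are ignored
        _, local, foreign, state = m.groups()
        _, lport = split_endpoint(local)
        _, fport = split_endpoint(foreign)
        if state == "LISTENING" and lport == port:
            report["listening"].append(local)    # this machine serves its share list
        elif state == "ESTABLISHED" and lport == port:
            report["inbound"].append(foreign)    # a peer is connected to our listener
        elif state == "ESTABLISHED" and fport == port:
            report["outbound"].append(foreign)   # we are downloading from a peer
    return report

if __name__ == "__main__":
    for kind, endpoints in classify(SAMPLE_NETSTAT).items():
        print(f"{kind:9s} {endpoints}")
```

A non-empty `listening` entry means the share listing is reachable by anyone who can reach that port, so the shared-folder setting is the thing to review.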
 

QueHuong

Platinum Member
Nov 21, 2001
2,098
0
0


<< Try this:

Open up Morpheus, and start a download from another user.
Then open a command prompt, and type 'netstat'
Look for connections that end in ...:1214.
Copy one of the hostnames (including the port) and paste it into a browser window, making sure to include the http://
>>



I tried it and it worked. But how is it any different from "Find more files from this user" feature in Morpheus?
 

ucdnam

Golden Member
Jan 28, 2000
1,059
0
0
It's not different, that's why no one should be crying. It's equivalent to going to your browser and typing ftp://user@password:ip. Yea, it'll show you what the user wants you to. Big whoopie.
 

Lucky

Lifer
Nov 26, 2000
13,126
1
0
wtf?


Morpheus on security leak
posted by Jorge on February 06, 2002 @ 01:19am
Morpheus posted this notice Tuesday about the latest news that Morpheus has a major security leak: "Several stories have been printed, leading with a story that was printed in the BBC Online, reporting a security leak in Morpheus. The report is not true - The report of a security hole in Morpheus is FALSE.
THIS REPORT IS FALSE

The report was allegedly made by an "anonymous" security consultant. Neither this consultant nor any others have contacted StreamCast directly to report a breach in security.
Several false postings have been made on behalf of StreamCast and Morpheus. One was reported by a source named Paul Sarsfield, who claimed to be a "Morpheus" employee. StreamCast does not employ any person by that name, nor have any StreamCast employees or company representatives posted any responses to this matter.
There has never been a security breach in Morpheus since its introduction in April 2001."