Worrying security 'hole' in Kazaa / Kazaa Lite

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
Hi all,

If you have Kazaa / Kazaa Lite running with some files shared, I suggest you find out your IP address ("ipconfig" in W2k/XP or "ipcfg" in 95/98/ME), and enter your IP address into Internet Explorer.

Bingo, there's the files that you're sharing, which, to me, seems to indicate that Kazaa sets up its own web server on your machine. Maybe someone could check this out, anyone with two machines? It's kinda worrying...

Cheers,

Dopefiend
 

oniq

Banned
Feb 17, 2002
4,196
0
0
Using Kazaa Lite on my PC, don't see a server running from my laptop...
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
Originally posted by: DopeFiend
Hi all,

If you have Kazaa / Kazaa Lite running with some files shared, I suggest you find out your IP address ("ipconfig" in W2k/XP or "ipcfg" in 95/98/ME), and enter your IP address into Internet Explorer.

Bingo, there's the files that you're sharing, which, to me, seems to indicate that Kazaa sets up its own web server on your machine. Maybe someone could check this out, anyone with two machines? It's kinda worrying...

Cheers,

Dopefiend

Duh... how do you think files are shared? A simple way to do it is set up a webserver and use standard, established protocols for file transfer. You're sharing the files anyway - what's wrong with sharing it using a standard protocol? By the way, you'll usually have to specify a port (http://localhost:xyz where xyz is the Kazaa port)
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
It's kinda worrying...

Because....? As someone pointed out, how do you think the files are getting shared? You seemed bothered that another client besides Kazaa can access the files. You should only be concerned with how secure the Kazaa server is, not care what client someone uses to connect to it.

Bill
 

johnlog

Senior member
Jul 25, 2000
632
0
0
If you have Kazaa lite installed you got a bonus along with it. You now have a robot on your computer sending to some site everything you do with your computer and records all your keystrokes.

Uninstalling Kazaa does not uninstall its robot. Tough luck.

I understand the later paid for versions no longer include the BOT. I would not count on that though.

 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
If you have Kazaa lite installed you got a bonus along with it. You now have a robot on your computer sending to some site everything you do with your computer and records all your keystrokes.

Please provide a reference link to back up your accusation. I believe you're just posting incorrect information in the thread, likely something you saw somewhere else and misunderstood (or was just plain wrong). While Kazaa has been accused of including spyware, the included programs do not do the items you're accusing Kazaa Lite of doing.

Bill
 

johnlog

Senior member
Jul 25, 2000
632
0
0
>>Please provide a reference link to back up your accusation. I believe you're just posting incorrect information in the thread, likely something you saw somewhere else and misunderstood (or was just plain wrong). While Kazaa has been accused of including spyware, the included programs do not do the items you're accusing Kazaa Lite of doing. <<

I read about Kazaa and its installing a robot on a computer that has that program installed in PC Magazine a few months ago. I no longer have that magazine. That was quite well publicized so I am surprised so many do not know about it. They even had an interview with the owner or CEO of Kazaa and he admitted they secretly install the robot. Apparently he was taken to court and had to remove the spy robot from their newer software. But I doubt that.

Probably a program like Ad-aware 6 could find and remove that spy program from your computer.

 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Kazaa has always come with spyware, Kazaa lite (which isn't produced by the same people) doesn't have the spyware.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
I read about Kazaa and its installing a robot on a computer that has that program installed in PC Magazine a few months ago

The real question is...."does that robot also steal your medication?"

Kazaa installs various sundry spyware.

Kazaa Lite does not.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
I read about Kazaa and its installing a robot on a computer that has that program installed in PC Magazine a few months ago. I no longer have that magazine. That was quite well publicized so I am surprised so many do not know about it. They even had an interview with the owner or CEO of Kazaa and he admitted they secretly install the robot. Apparently he was taken to court and had to remove the spy robot from their newer software. But I doubt that. Probably a program like Ad-aware 6 could find and remove that spy program from your computer.

Kazaa and Kazaa lite are two different things. Kazaa lite doesn't contain the spyware. Kazaa, which did, doesn't do the things you claimed it did. You can easily find information on what Kazaa did install, I suggest you check google before posting on the subject again.

Bill

 

styrafoam

Platinum Member
Jun 18, 2002
2,684
0
0
I think he is probably referring to the Brilliant Digital player, which Kazaa never said what they intended to do with but had the ability to download and run software without direct consent (kinda like what everyone speculates DRM/TCPA will be like). It was going to be some kind of secondary trading network if I remember correctly.
 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
Well thanks for some intelligent replies from some people about this.
Let's clear some things up here.

I'm running Kazaa Lite, I haven't been looking on Google for this information, I discovered it while I was messing around last night.

I didn't specify a port number, I simply entered my IP address into IE6.

I'm concerned as to how secure this sharing is, and if Kazaa is broadcasting downloadable files on a webserver on installed machines - given the intelligence and capabilities of today's hackers, I wouldn't be surprised if someone can hack that sharing to allow direct access to any files on that machine. I don't have anything to back that up, but it is worrying nonetheless.

I would appreciate it if some more people can simply try entering their IP address into their web browser to see if their files are showing, no port number etc. (Thank you oniq for being the only person to actually try this).

Is no-one worried about this? I can't believe that people are happy to have their files shared on what appears to be an open file server for all and sundry to see, especially if Kazaa's sharing isn't that secure. The sharing of shared files itself is not what's worrying me, it's the fact that Kazaa has setup a rudimentary webserver on my machine.

Intelligent (read: no more "duh" posts please) replies would be appreciated.

Dopefiend
 

EeyoreX

Platinum Member
Oct 27, 2002
2,864
0
0
Why would I be worried that some client (IE) can access the files I am sharing on purpose? Did IE allow you to access files you were not sharing? You say IE lists the files you are sharing, can you access them with IE? I think if one is purposely sharing files, no matter the software they are using to share it, they should reasonably expect that the files would be shared, so this does not concern me. If it did, I would not share files. If my files were listed/available while I was not sharing them, then I'd worry. Unless I am mistaken, when you share files it opens up a port so files shared can get out and there is no way to "post security" and tell all other clients they have no access to the port you opened.

I guess if you had said

"If you have no file sharing software, or server software running ...

... Bingo, there's a list of files..."

Then, I'd worry.

\Dan
 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
Yes, you can access the files, they're all clickable working links.

I would not be worried that those files were being shared, unless someone develops an exploit that allows, say, the root of C:\ to be shared without you enabling it.
That's what this post was about.

Dopefiend
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
Originally posted by: DopeFiend
Yes, you can access the files, they're all clickable working links.

I would not be worried that those files were being shared, unless someone develops an exploit that allows, say, the root of C:\ to be shared without you enabling it.
That's what this post was about.

Dopefiend

...something all programs are vulnerable to, regardless of protocol used.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
I would not be worried that those files were being shared, unless someone develops an exploit that allows, say, the root of C:\ to be shared without you enabling it.
That's what this post was about.

You're purposely sharing files on your machine because you're running Kazaa on it. If you're concerned with the implementation of the Kazaa server, simply turn it off and don't use it. That is really your only choice. The fact that Kazaa uses standard protocols and that IE can also see your files doesn't matter at all in that decision. You're trying to place some benefit in having a closed client, there is *none*. You can never assume the client is secure (or even the other end of the connection is using the client you expect). Therefore your only concern can be the server.

What I don't get is why you weren't asking the same question before you saw your files shared via IE, you had to realize that Kazaa was sharing files to other people.

Bill
 

VicodiN

Senior member
May 6, 2002
576
0
0
I don't get it... If you're so worried about your computer's security, why would you be 'file sharing' in the first place?
 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
I give up.
I didn't ask before, because I figured that the files I was purposely sharing, and only those files, would be available through Kazaa, through whatever authentication/security process they have. I'm not against these files I have being shared.

What I am against is Kazaa running AN OPEN WEBSERVER ON MY MACHINE!!! Does NO-ONE understand this!? Webservers GET HACKED! Webservers are VULNERABLE- more so than a file-sharing program!

Jesus.

Dopefiend
 

Booter

Member
Jun 7, 2002
198
0
0
What I am against is Kazaa running AN OPEN WEBSERVER ON MY MACHINE!!! Does NO-ONE understand this!? Webservers GET HACKED! Webservers are VULNERABLE- more so than a file-sharing program!

Yep, there is a difference there alright. If you want to share files with other Kazaa Lite users that's one thing, but sharing files with whoever gets your IP address is another.

Just to verify, I have Kazaa Lite installed but I can't access the shared files through my IP address like you are describing (I use winxpprosp1). What's your operating system? And do you have any firewall installed?
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: DopeFiend
I give up. I didn't ask before, because I figured that the files I was purposely sharing, and only those files, would be available through Kazaa, through whatever authentication/security process they have. I'm not against these files I have being shared. What I am against is Kazaa running AN OPEN WEBSERVER ON MY MACHINE!!! Does NO-ONE understand this!? Webservers GET HACKED! Webservers are VULNERABLE- more so than a file-sharing program! Jesus. Dopefiend

and

Yep, there is a difference there alright. If you want to share files with other Kazaa Lite users that's one thing, but sharing files with whoever gets your IP address is another

and highlighting the whopper

Webservers are VULNERABLE- more so than a file-sharing program

Ok, I'm going to be blunt, please don't be offended. You simply do not understand computer security.

1) Kazaa is an open non-authenticated file sharing platform. It acts as a client and server on your computer.
2) Applications that accept connections are, by definition, more vulnerable to remote attacks than those that initiate them.
3) Saying that webservers are more vulnerable than xyz server is an untrue statement. It's simply wrong to suggest that a proprietary protocol here is any more secure than a public one. In most cases, the public ones have turned out to be more secure anyway. Developers who roll their own protocols often think they are smarter than the standards bodies, and generally they are not.
4) You can not presume (and you're trying hard to) that the remote client is also Kazaa. You *must* presume the remote client is completely hostile and *actively* attempting to break you. Once you understand that, you realize it doesn't matter if the client is another Kazaa client or IE.
5) You're making the presumption that since IE is able to access the files that Kazaa has installed a full web server (e.g. IIS or Apache). Those products tend to get into trouble not due to their file serving capability, but rather to the 100 other tasks that get loaded on top of them (for example IIS and the remote printing exploit or various scriptable ASP exploits). Kazaa is serving files only, there is no capability to do these 'additional' tasks.

Bill
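
Added example, not part of any post in this thread: a self-check you can run against your own machine to settle what the posters disagree on, namely whether anything answers HTTP on a given port, what it identifies itself as, and which files its index page links to. The names `probe_http`, `audit` and `demo` are hypothetical, and the demo's listener is Python's built-in file server standing in for the sharing program, serving one constructed file.

```python
import functools, os, re, socket, tempfile, threading
from http.server import HTTPServer, SimpleHTTPRequestHandler

def probe_http(host, port, timeout=2.0):
    """Send one 'GET /' to host:port and report what, if anything, answers."""
    result = {"port": port, "open": False, "http": False, "server": None, "links": []}
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while len(raw) < 65536:          # cap how much we read
                data = s.recv(4096)
                if not data:
                    break
                raw += data
    except OSError:
        pass  # refused, reset or timed out: classify whatever was received
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    if head.startswith("HTTP/"):             # a listener that speaks HTTP
        result["http"] = True
        m = re.search(r"^Server:\s*(.+)$", head, re.I | re.M)
        result["server"] = m.group(1).strip() if m else None
        result["links"] = re.findall(r'href="([^"]+)"', body, re.I)
    return result

def audit(host, ports):
    """Probe each port and keep only the ones that answered with HTTP."""
    return [r for r in (probe_http(host, p) for p in ports) if r["http"]]

def demo():
    """Constructed stand-in for a sharing app: serve a temp folder on loopback, probe it."""
    with tempfile.TemporaryDirectory() as shared:
        open(os.path.join(shared, "constructed_sample.mp3"), "wb").close()
        handler = functools.partial(SimpleHTTPRequestHandler, directory=shared)
        srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: any free port
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_http("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    # For a real check, call audit(<your own IP>, [80, <the sharing program's port>]).
    print(demo())
```

Run `audit` once with the sharing program closed and once with it open: a port that only appears in the second run belongs to that program, and the `links` list shows exactly what an arbitrary HTTP client is offered.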


 

johnlog

Senior member
Jul 25, 2000
632
0
0
Dopefiend,

>>If you have Kazaa / Kazaa Lite running with some files shared, I suggest you find out your IP address ("ipconfig" in W2k/XP or "ipcfg" in 95/98/ME), and enter your IP address into Internet Explorer.

Bingo, there's the files that you're sharing, which, to me, seems to indicate that Kazaa sets up its own web server on your machine. Maybe someone could check this out, anyone with two machines? It's kinda worrying... <<<

If you have ZoneAlarm Pro 3x installed it gives you an option to let a program be a server or not be a server. You can still access the program but it no longer can be a server on your machine. I do not know how perfect ZAP 3 is but it does allow you several options for each program you are running that accesses the internet.

Even so I still would not want to install Kazaa just that they may have figured out a way to defeat ZAP 3's protection.


 

Booter

Member
Jun 7, 2002
198
0
0
I can't browse my Kazaa Lite shared files from my IP address regardless if my firewall is on or off.
 

MGMorden

Diamond Member
Jul 4, 2000
3,348
0
76
Originally posted by: johnlog
Dopefiend,

>>If you have Kazaa / Kazaa Lite running with some files shared, I suggest you find out your IP address ("ipconfig" in W2k/XP or "ipcfg" in 95/98/ME), and enter your IP address into Internet Explorer.

Bingo, there's the files that you're sharing, which, to me, seems to indicate that Kazaa sets up its own web server on your machine. Maybe someone could check this out, anyone with two machines? It's kinda worrying... <<<

If you have ZoneAlarm Pro 3x installed it gives you an option to let a program be a server or not be a server. You can still access the program but it no longer can be a server on your machine. I do not know how perfect ZAP 3 is but it does allow you several options for each program you are running that accesses the internet.

Even so I still would not want to install Kazaa just that they may have figured out a way to defeat ZAP 3's protection.


Dang. I haven't visited this board in weeks (maybe months) and you're still around giving plain idiotic advice. ZAP is a firewall, and there's many others out there (Kerio comes to mind since it's the one I use, and Windows XP has one built in). For a program to intentionally bypass a firewall (and more specifically, a specific brand of firewall), it would be construed as hacking the machine it's on, and could possibly be a) labeled as a trojan thereby incurring legal (read: criminal, not the civil variety P2P companies normally try) penalties, or b) I'm sure such a thing violated the horrible (but not in this instance) DMCA and would incur further legal penalties.


Back on topic: yes webservers get hacked, but so does everything else. Virtually every application that accesses the 'net from your machine opens up even more potential security holes. Just as webservers can be hacked (and by association Kazaa), so can any other P2P program or really anything on your computer. The only really secure computer is one that's not connected to a network (and according to my systems admin instructor, the only way to REALLY secure it is to encase the machine in concrete and drop it in the middle of the Pacific, and even that's not 100% ;)).