P2P Networking

Discussion in 'other security issues & news' started by ajcstr, Nov 4, 2004.

Thread Status:
Not open for further replies.
  1. ajcstr

    ajcstr Registered Member

    Oct 28, 2004
    Not sure if this is the right forum, but... Helping a friend clean a computer, I noticed these P2P Networking folders under Documents and Settings, also a network connection called P2P Networking. Also firewall activity under P2P Networking. Is this "normal" BearShare activity or is this something else? As I say, this is not my computer, so I can only work on it from time to time. Browser is hijacked. We deleted about 70 items so far through Spybot and McAfee AV, but this P2P Networking did not show up on either. Will be getting a HijackThis log, but was hoping to get a head start.
  2. nadirah

    nadirah Registered Member

    Oct 14, 2003
    My advice to your friend: UNINSTALL ALL P2P programs from the computer.
    P2P programs are extremely dangerous.
  3. still_longhorn

    still_longhorn Registered Member

    Oct 3, 2004
    How dangerous? I could be wrong about this but it seems your friend's P2P involves BadBlue, a P2P file sharing application distributed by Working Resources. Nevertheless, consider these:

    1. The ext.dll ISAPI does not sufficiently sanitize input. Because of this, it is possible for a user to create a custom URL containing script code that, when viewed in a browser by another user, will result in the execution of the script code. This could allow for the execution of malicious JavaScript in the context of a trusted site.
    2. It is designed for use on Microsoft Windows operating systems. BadBlue is operated through a web interface, generated by an included web server running on the local system.
    A variant to V-5086 has been reported to exist. Reportedly, EXT.DLL has been re-designed to pass user input to the cleanSearchString function. Unfortunately, this function is implemented as client side javascript, and unsanitized input must be displayed on the client machine as it is passed to the cleanSearchString function.
    Additionally, user-supplied input is displayed as the hidden form value "a0" without being sanitized.
    3. It has been discovered that a request passed to a BadBlue server containing a null byte at the end of a file name will return the contents of the file. This type of request can be applied to gain access to sensitive information, such as the BadBlue configuration file.
    4. BadBlue does not sufficiently control access to the administrative interface. It is possible to remotely add the entire drive of a system running a vulnerable BadBlue implementation via a maliciously crafted web page containing a form POST method. This would allow remote users to view the contents of the drive with the privileges of the BadBlue server.
    5. BadBlue does not cryptographically protect stored passwords. Passwords contained in the configuration file are stored in plain text. They may be read by simply viewing the file.
    6. Typically, a request made in BadBlue for a directory that has access control restrictions in place will either prompt a user for authentication credentials or deny access to the resources. However, by submitting a special request to the server, it is possible to circumvent these access control restrictions. It has been reported that domain names ending with a double slash allow this activity.

    The point made by most security professionals is based on the concept of the "chain only being as strong as its weakest link." A good hacker needs only to use this weakest link as entry to the entire P2P network.
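The six issues listed in the post above share a small set of root causes: access-control decisions made on an un-canonicalized path (the NUL byte and the trailing double slash), output escaping left to client-side script, an admin interface that accepts any form POST, and passwords kept in clear text. The following Python module is an added example written for this thread, not code from BadBlue or Working Resources, showing the server-side checks a defender would expect for each of those. The protected-directory prefixes, the local origin, the hidden-field name and every sample request value in it are assumptions made up for illustration.

```python
"""Server-side checks addressing the classes of weakness listed in the post.

Added example; not BadBlue's code. ADMIN_PREFIXES, LOCAL_ORIGIN and all sample
values are hypothetical.
"""
import hashlib
import hmac
import html
import os
import posixpath
from typing import Dict, Optional

# Hypothetical configuration for the example server.
ADMIN_PREFIXES = ("/admin", "/config")    # directories that require authentication
LOCAL_ORIGIN = "http://127.0.0.1:8080"    # the only origin allowed to POST to admin pages


class RequestRejected(ValueError):
    """Raised when a request fails one of the checks below."""


def canonical_path(raw_path: str) -> str:
    """Canonicalize a request path BEFORE any access-control decision.

    Items 3 and 6 above both come from checking the raw string: an embedded NUL
    truncates the name in C string APIs, and a trailing '//' does not match a
    protected prefix. Reject NUL outright, collapse duplicate slashes and
    '.'/'..' segments, and pin the result under the web root.
    """
    if "\x00" in raw_path:
        raise RequestRejected("embedded NUL byte in path")
    # Strip leading slashes first so normpath cannot keep a POSIX '//' prefix.
    return posixpath.normpath("/" + raw_path.lstrip("/"))


def requires_auth(raw_path: str) -> bool:
    """Decide whether a path lies under a protected directory, using the
    canonical form so '/admin//' or '/admin/../admin' cannot slip past."""
    path = canonical_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def hidden_field(name: str, value: str) -> str:
    """Escape the hidden form value on the server (items 1 and 2): the browser
    must never receive the raw search string, whatever client-side script does."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def admin_post_allowed(headers: Dict[str, str], form: Dict[str, str],
                       session_token: str) -> bool:
    """Gate admin POSTs (item 4). A form on a malicious page carries the
    victim's cookies but neither a local Origin nor the per-session token
    embedded in the genuine admin page."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(LOCAL_ORIGIN):
        return False
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2 digest instead of the clear-text password (item 5)."""
    salt = salt or os.urandom(16)
    iterations = 200_000
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for raw in ("/public/readme.txt", "/admin//", "/admin/../admin/users"):
        print(raw, "->", canonical_path(raw), "auth required:", requires_auth(raw))
    print(hidden_field("a0", '"><b>x</b>'))
    print(admin_post_allowed({"Origin": "http://attacker.invalid"},
                             {"csrf_token": "t1"}, "t1"))
    record = hash_password("example")
    print(record, verify_password("example", record))
```

The ordering matters more than any single check: `requires_auth` never looks at the raw string, so every bypass that depends on a lexical mismatch (NUL, extra slashes, dot segments) is resolved before the prefix comparison runs. The escaping in `hidden_field` is done where the HTML is produced, which is the only place the server can guarantee it happened.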