Bugtraq mailing list archives
Security issue in Scour client
From: jmp () PEAK ORG (Jmp)
Date: Fri, 14 Jul 2000 15:03:24 -0700
OVERVIEW:

Scour (www.scour.net) is a file sharing client much like Gnutella and Napster. Scour provides a search engine that is devoted to searching the Scour Community or the web for multimedia files. Use is simple: set up a folder where you download files to and specify folders to share with the rest of the Scour community. The client is coded so that it only returns multimedia files (mp2, mp3, vivo, ra, mpeg, etc.) when one browses another user's shared files. Also, no wildcards are supported and only file formats hard coded into the client can be searched/viewed/downloaded.

PROBLEM:

A person already has read access to the shared folders on someone's machine using Scour. The file format restrictions can easily be circumvented, since as stated above, they are all hard coded into the client. At present Scour has only released a Win32 client (as well as a user provided Perl client), and it is trivial to use a hex editor and simply replace e.g. MP2 with FOO or MOO (use your imagination here) or any other file type. Once this is done, the client allows the user to search for those file types (apparently no CRC checking is done to detect if the binary has been modified or not).

This would normally not be a problem, however I have seen quite a few users who share their WINDOWS/ or PROGRAM FILES/ (i.e. sensitive) directories thinking that another user will not be able to download anything else. Thus there are quite a few people out there who are lulled into a false sense of security.

A person also need not bother with having to hex edit the binary since Scour has released its protocol http://www.scour.net/Software/Scour_Exchange/stp-1.0pre6.html thus making it quite easy for anyone who knows how to code and work with sockets to create their own client. He/she could then quite easily implement and allow for any and all files to be searched/downloaded.

I wrote to Scour over a month ago concerning this. Their first (and last) email simply asked me how this was a problem. I replied and wrote to them again two weeks ago telling them that the ball was in their court and if they didn't fix the issue (which they still haven't) or at least put out an advisory I would post to bugtraq so other Scour users could protect themselves.

WORKAROUND:

I suggested to Scour that they implement filters on their server itself so that only the file types they specified could be searched and downloaded. However I don't know when and if that's going to be happening. So until then I strongly suggest that Scour users get a LOT more picky about which folders they wish to share, since a person can see and get anything and everything in those folders.

My reason for releasing this information is so that Scour users can protect themselves. I felt it was better if this became public knowledge since I'm quite sure that if I found this little bug, other people would have as well. Hopefully now Scour will fix this now that it's out in the open.

Cheers!
Jmp
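The filtering suggested in the workaround, enforced on the side that owns the files instead of in the requesting client, shown here as an added example that is not part of the original post and is not Scour's code. The function names `authorize` and `audit_share` are hypothetical, the allowlist contains only the formats named in the post, and the sample files are constructed.

```python
import os
import tempfile

# Allowlist built from the formats named in the post; the real client's list is longer.
ALLOWED_EXTS = {".mp2", ".mp3", ".vivo", ".ra", ".mpeg"}


def authorize(shared_root, requested, allowed=ALLOWED_EXTS):
    """Return the real path to serve, or None if the request must be refused.

    Runs on the side that owns the files, so a modified or custom
    client cannot skip it.
    """
    root = os.path.realpath(shared_root)
    target = os.path.realpath(os.path.join(root, requested))
    # Refuse anything that resolves outside the shared folder.
    if os.path.commonpath([root, target]) != root:
        return None
    # Refuse types that are not on the allowlist, whatever the client asked for.
    if os.path.splitext(target)[1].lower() not in allowed:
        return None
    return target if os.path.isfile(target) else None


def audit_share(shared_root, allowed=ALLOWED_EXTS):
    """List files in a shared folder that only the client-side filter hides."""
    exposed = []
    for dirpath, _dirs, files in os.walk(shared_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in allowed:
                exposed.append(os.path.relpath(os.path.join(dirpath, name), shared_root))
    return sorted(exposed)


def demo():
    """Build a constructed share and run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("music/song.MP3", "system.ini", "docs/passwords.txt"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        served = authorize(root, "music/song.MP3") is not None
        refused = authorize(root, "system.ini") is None
        return served, refused, audit_share(root)


if __name__ == "__main__":
    print(demo())
```

Running `audit_share` over a folder before sharing it lists every file that is protected by nothing more than the client's hard-coded extension list.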