Home page logo

bugtraq logo Bugtraq mailing list archives

Audiogalaxy.com mp3 sharing software
From: altomo () NUDEHACKERS COM
Date: Tue, 9 Jan 2001 15:16:33 -0000

This was mentioned to Audiogalaxy several months ago, after a long
converstation via email it was noted that a problem did exist and something
*might* be done to fix it. Seems they have gone with our suggestion and fixed

1. What is Audiogalaxy.com?
Audiogalaxy.com is a website devoted to mp3's that ofers a mp3 sharing
program. (I use this over napster)

2. Problem?
While this problem will not stop the world or allow the script kiddies
to ./wu their way through us, its a problem none the less.  Versions of
Audiogalaxy Satelite software pre .601W for windows held the username and
password for a users account in a plain text file within the audiogalaxy
directory on their system.  While if an intruder gained this information only
the list of songs in the download que (which is stored on the server) would
be compromised, this could have other effects.

2a.  theory one 1.  Gain the username and password for a users acct. Intruder
modies the download que so that when the user comes online they will download
a "mp3" from the intruders system.   The mp3 is actually something else. ie.
virus or back orifice or similar program.  If the user ran the mp3 directly
then of course the infection would start. --lets examine this a little
further. Evil intruder steals password and username. Edits download que.
User runs fake mp3 which is back orifice. User gets keylogged.  User is
goverment employee who telnets  (telnet bad) into secure goverment system.
Goverment system not secure anymore.  Web site gets defaced. Oh no the
kiddies can use this.

2b. theory two. 2.  Many users use a common password and this is the point
that i brought to Audiogalaxy.  While its not their problem if a user does
this, why not help out.  If the user had their Audiogalaxy username and
password compromised then its possible other things get compromised.

3. Solution

Upgrade to the newest version which has been out for sometime, and in general
use different passwords.

Note- I have not checked the Linux version for any problems, if someone gets
to it before I do pleae let me know.

altomo () nudehackers com

Nudie News:  sorry for the extreme down time, we are working hard to make a
strong come back.  As of today our servers are being moved so another minor
down time will occur.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]