Vulnerability Development: RE: limewire cookie (among others) disclosure vuln

[Steve Skoronski <skoronski () ctidata com>]

I fully agree that if someone was sharing their entire hard drive this would
be a really bad thing in terms of ability to compromise the machine. 

I just installed limewire and it defaulted my shared directory to
\limewire1.7\shared\

Do you have a way of bypassing this? Some sort of directory traversal? 

I tried searching for things like 'rundll' and came up with lots! If the
shared directory is default, are people manually changing this to C:\ ?! 

Also, not getting much luck using the 'browse host' function, it doesn't
seem to return anything.

Telneting directly to the host on TCP 6347 yielded nothing either.



-----Original Message-----
From: leon [mailto:leon () inyc com]
Sent: Sunday, September 30, 2001 2:00 PM
To: vuln-dev () securityfocus com
Subject: limewire cookie (among others) disclosure vuln


Hi everyone,

Aleph One suggested I post this here to get a more polished version for
an advisory.  Here is what I have found and I am sure most of the people
here can test this and develop it even further.  Limewire is a gnutella
file sharing client.  Due to common misconfigurations by the user,
people are sharing their whole harddrives.  This means you can do
everything from downloading someone's quicken data file (quicken is a
money management program) to downloading cookies off peoples hard
drives.  Who cares about the cookies you say?  Well I have found cookies
from certain sites that contains people user name & password stored in
clear text.  I am sure with enough testing you could figure out a way to
dump the sam file off an NT box or etc etc.


Anyone who wants to run with this great I would just appreciate if you
do further the research you let me know what you find.

Cheers Vuln-Dev,

Leon

ps: sorry for screwing up the packet capture on the aol im 0-day post.