Soulseek P2P Application Vulnerable to Remote Takeover

[VinX]

Soulseek P2P Application Vulnerable to Remote Takeover

Soulseek is one the greatest music sharing networks that most people have never heard of, with a particular specialty in electronic music. Unfortunately, for nearly a year those using versions of the official client have been exposed to a highly critical vulnerability which can leave them open to remote takeover.

Soulseek, created by former Napster programmer Nir Arbe, is a lessor known file-sharing network/application. Although files of any type can be shared, its specialty lies in the diverse independent music to be found within - for electronic music lovers Soulseek an absolute goldmine. But it’s not all good news. In July 2008, security researcher Laurent Gaffié found a bug in two of the latest versions of the official software - Soulseek 157 NS & 156. The problem was so serious he informed the Soulseek developer on 3rd September 2008. Unfortunately, Laurent heard nothing back so on 14 October 2008 he contacted the developer again. He appears to have been ignored. On 16 May 2009 Laurent tried again to contact the Soulseek team - yet again he had no response so decided to reveal his findings.


Source:http://torrentfreak.com/soulseek-p2p...keover-090530/

[Funkin']

Well that's good news that you can be safe from this just by switching to Nicotine +. I've been using it ever since I switched to Linux about a year or so ago, and there's really no differences from the Soulseek client, so people shouldn't be afraid to switch.

[beshawn]

For those who want the original source:
http://g-laurent.blogspot.com/2009/0...ed-search.html (yes I know there's a link to this blog in the posted source)

I saw this on the 27th @ http://seclists.org I just forgot to post about it here.

This exploit has already been fixed server-side (no need for a client update).

"There's a number of us monitoring this sort of thing and we all seem to have heard about it in the last two days. I'm not doubting mr. Laurent Gaffie had tried contacting us in the last year, but none of us had intercepted any communication of the sort. Anyway, not restricting search packet length is definitely an oversight on my part. There's a limit on general packet length but I can see how that wouldn't be sufficient. I've placed a 256 character limit on all manners of search (distributed, room, userlist) on both the old and new servers. This needs only be done server-side and doesn't require a client update. I hope this should effectively plug the security hole, but will keep looking for any further signs of vulnerability. Thanks, Nir"

Source: http://forums.slsknet.org/ipb/index.php?showtopic=24110