
Thread: Edonkey/overnet Plugins

  1. #1 vampiro
    got this through an internal email from a security guy at work

    I have concerns about the plugin architecture and the power given to all the devs out there, and possible end user harm. I am writing the FastTrack plugin for Edonkey/Overnet and during this process have realized that this is by far the worst and most insecure plugin architecture I have ever seen in my life. Here is a short list of what they have given 1.14 million users (currently online) to have done on their machine if they are to download a "bad" plugin.

    1. Local code execution
    2. Unlimited disk access
    3. Unlimited sockets access
    4. Code propagation through the client over the networks
    5. Basically anything you can imagine in the world that can be done to a Windows OS machine.

    Why?
    Good question. I have been working on plugin systems such as giFT and Windows Media for quite a while, and while they can do some neat things, this kind of behavior cannot happen because of the way they were architected. When I think of "plugins" I think of:
    1. An SDK.
    2. Methods that you create that the "client" listens for.
    3. All code in the plugin is sent to the "client", not the OS level.
    4. Mainly COM (this plugin makes full use of C++/MFC in a DLL).

    Where did MetaMachine (Edonkey/Overnet) mess up?
    All code in the plugins CAN route to the "client", but they mainly pipe to the Windows subsystem, thus enabling anything to be written, which can then pipe back into the application on a low-level code basis and take control. Besides these factors, what about code signing or some sort of key schema at best to keep these plugins mostly legit?

    What could happen if a malicious plugin is made available?
    I leave it up to your imagination.

    What is the worst thing that could be of possibility?
    Someone could write a legit plugin like "Gnutella" for example. It could work for months to come and on a set date they could dump their virus code from an embedded resource and let it take control of what could be at that point 2 million "clients". It could be one of the largest DDoS we could ever see, or even worse, it could spout out like MSBlast or worse...

    I have created some code as seen here (like I said, it can really do anything you imagine):

    #include <afxwin.h>   // MFC: CString, CFile; also pulls in <windows.h> for MessageBox/ShellExecute

    /* This would be the main call done by the "client"
     * so the best place for our test */
    void CProtocolplugin::start()
    {
        MessageBox(NULL, "Your machine could now be infected, press ok to see proof.",
                   "OPPS!", MB_OK | MB_ICONWARNING);

        // The plugin runs inside the client's process, so it can write anywhere the client can
        CString szFileName = "Plugins//virus.exe.txt";
        CFile file(szFileName, CFile::modeCreate | CFile::modeWrite);
        CString str = _T("This could have been a virus! - ashton");
        file.Write(str, (str.GetLength() + 1) * sizeof(TCHAR));
        file.Close();

        // ...and launch other programs with the user's privileges
        ShellExecute(NULL, "explore", "Plugins", NULL, NULL, SW_MAXIMIZE);
        ShellExecute(NULL, "open", "notepad.exe", "Plugins//virus.exe.txt", "", SW_SHOW);

        MessageBox(NULL, "I just wrote a text file to your plugins dir, opened explorer to it and\n"
                   "opened the .txt file, imagine if I was a virus writer. :-)",
                   "OPPS!", MB_OK | MB_ICONWARNING);
    }

    I have created a real/fake plugin that shows you in a non-harmful manner what can be done in less than 5 mins of writing a plugin for this massively popular file-sharing client. You may get it here:
    http://64.78.56.209/Fake_FastTrack.zip
    Just unzip into the Plugins folder and run Edonkey/Overnet to see it in action, then just quit and delete it when done.

    -Julian Ashton
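
    The email asks for "code signing or some sort of key schema" for plugins. As an added example (not code from the original post or from MetaMachine's client), here is the gate a hardened client could run before handing any DLL in the Plugins folder to LoadLibrary: a publisher signs a manifest of plugin hashes with an Ed25519 key, and the loader refuses anything unlisted, modified, or covered by a manifest that no longer verifies. Written in Go for portability; the manifest format, function names and the fixed demo seed are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Manifest is a hypothetical allowlist a publisher ships with its plugin DLLs:
// an ordered list of (file name, SHA-256), so its text form is deterministic.
type Entry struct{ Name, SHA256 string }
type Manifest []Entry
// HashOf returns the hex SHA-256 of a plugin file's bytes.
func HashOf(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}
// canonical is the exact byte string the publisher signs and the loader re-verifies.
func canonical(m Manifest) []byte {
	var b strings.Builder
	for _, e := range m {
		fmt.Fprintf(&b, "%s=%s\n", e.Name, e.SHA256)
	}
	return []byte(b.String())
}

// SignManifest is the publisher-side step, done offline with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// LoadPlugin is the gate a hardened client would run before LoadLibrary(): the manifest
// must verify under the pinned publisher key, the DLL must be listed, and its bytes must
// hash to the listed value. Any failure means "do not load".
func LoadPlugin(pub ed25519.PublicKey, m Manifest, sig []byte, name string, dll []byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return fmt.Errorf("manifest signature invalid: refusing every plugin")
	}
	for _, e := range m {
		if e.Name == name {
			if got := HashOf(dll); got != e.SHA256 {
				return fmt.Errorf("%s hash mismatch: got %s want %s", name, got, e.SHA256)
			}
			return nil // only now would the client hand the file to LoadLibrary
		}
	}
	return fmt.Errorf("%s is not in the signed manifest", name)
}
```

    The client pins the publisher's public key in its own binary and the private key never ships with a plugin, so a plugin author cannot vouch for their own DLL; the demo seed in the test below is fixed only so the example is reproducible.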

  2. #2 skelley521
    Sounds true and he does bring up a good point, but when the virus is activated Symantec's Corporate Anti-virus w/ real time protection should detect it when the application is initiated.

  3. #3
    This is what happened to another guy on another forum I know...
    Quote
    Ok...let me preface this by saying this is not accusing ANYONE of putting malicious code into edonkey2k/emule, whatever. This is one arsehole's observation (albeit an mcse, ccne, cca, ase - doing the observation).

    I came home the other day to find my entire network without internet. No pings getting out, no dns, etc. Checked the firewall (cisco pix 506) and looked at the kiwi syslog only to find my edonkey puter slamming every last bit of bandwidth available. Figured...must be my bad, so I check the upload limit and it is set at 12KB up and 0 (max) down. Now, my statistics and network usage were showing over ~28KB up (only got 256kb upstream). Fire up network observer and same thing...about 28KB upstream. Then check the one user who is "hogging" my upstream so rudely and the name...get this..."AllUrBandwidthrBelong2me" or some bastardized version of it. Now Mr. Bandwidth here was helping himself to some of my finer pr0n selections and doing quite well as all other ppl connected were getting like .1K up. Yah, I know I should have tried to trace his ip, but while there is crap running down your leg, one doesn't think straight.

    Upon cleaning out my shorts and disabling my lan connection, all seemed well. Rest of the network came back, internet OK and other traffic came back. Now this may just be a "you are full of shiat" type scenario to some and I don't really care what is said. All I ask is that you watch your upload stream very carefully as I think a few l33t hax0rs out there have figured out the cracked donkey .dll that is in your plugin directory (if you have it). Again this is on me for putting a "crack" into a known working program.

    I assume the flaming will begin here, but I only bring this up to alert others to the possibility of this happening. I have seen the other threads here and others have voiced similar concerns. To fix the problem I have done a bit of "traffic shaping" as it were on mr. firewall to limit bandwidth to my internal edonkey machine. Take this for what it is; just a possibility there are some very smart kiddie scripters out there.

    Good luck and try not to piss on the messenger...
    End Quote
