Your Ad Here Your Ad Here
Results 1 to 3 of 3

Thread: Soulseek P2P Application Vulnerable to Remote Takeover

  1. #1
    VinX's Avatar ▄ █ ▄ █ ▄ █ ▄ BT Rep: +5
    Join Date
    Dec 2008
    No Where
    Soulseek P2P Application Vulnerable to Remote Takeover

    Soulseek is one the greatest music sharing networks that most people have never heard of, with a particular specialty in electronic music. Unfortunately, for nearly a year those using versions of the official client have been exposed to a highly critical vulnerability which can leave them open to remote takeover.

    Soulseek, created by former Napster programmer Nir Arbe, is a lessor known file-sharing network/application. Although files of any type can be shared, its specialty lies in the diverse independent music to be found within - for electronic music lovers Soulseek an absolute goldmine. But it’s not all good news. In July 2008, security researcher Laurent Gaffié found a bug in two of the latest versions of the official software - Soulseek 157 NS & 156. The problem was so serious he informed the Soulseek developer on 3rd September 2008. Unfortunately, Laurent heard nothing back so on 14 October 2008 he contacted the developer again. He appears to have been ignored. On 16 May 2009 Laurent tried again to contact the Soulseek team - yet again he had no response so decided to reveal his findings.

    Last edited by Skiz; 06-01-2009 at 09:40 AM. Reason: fixed returns....again

  2. News (Archive)   -   #2
    Funkin''s Avatar home skillet BT Rep: +4
    Join Date
    Apr 2008
    Well that's good news that you can be safe from this just by switching to Nicotine +. I've been using it ever since I switched to Linux about a year or so ago, and there's really no differences from the Soulseek client, so people shouldn't be afraid to switch.

  3. News (Archive)   -   #3
    beshawn's Avatar The Unseen
    Join Date
    Jan 2009
    For those who want the original source: (yes I know there's a link to this blog in the posted source)

    I saw this on the 27th @ I just forgot to post about it here.

    This exploit has already been fixed server-side (no need for a client update).

    "There's a number of us monitoring this sort of thing and we all seem to have heard about it in the last two days. I'm not doubting mr. Laurent Gaffie had tried contacting us in the last year, but none of us had intercepted any communication of the sort. Anyway, not restricting search packet length is definitely an oversight on my part. There's a limit on general packet length but I can see how that wouldn't be sufficient. I've placed a 256 character limit on all manners of search (distributed, room, userlist) on both the old and new servers. This needs only be done server-side and doesn't require a client update. I hope this should effectively plug the security hole, but will keep looking for any further signs of vulnerability. Thanks, Nir"

    Last edited by beshawn; 06-01-2009 at 02:16 PM.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts