Vulnerability 02: Inappropriate Handling of "magnet" requests.

Symptom: A remote attacker can request and read any file on a host running an affected version of LimeWire. The attacker need only be able to connect to the LimeWire client's "magnet" TCP port (default port 45100, or a randomly chosen port if 45100 is not available). Gnutella "push style" requests are not vulnerable, so a firewall that blocks access to the magnet port blocks the attack. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges.

Versions affected: LimeWire versions 3.9.6 - 4.6.0, inclusive.

Details: The handling of "magnet" requests is the immediate cause of the problem. A request of the form "/magnet10/[rel-filename]" returns the named file, resolved relative to the "root" subdirectory of the LimeWire installation, regardless of whether it actually lies in the "root" directory, or is even part of the LimeWire package at all. For example, one can telnet to a LimeWire client (magnet handler port 45100) and type the following text:

GET /magnet10/../../../../../Windows/Win.ini?Simple-test-attack HTTP/1.1
User-Agent: Just-A-Test/0.1
Accept: */*
Connection: Keep-Alive

(with two trailing newlines). This example assumes that LimeWire is installed in "C:\Program Files\Limewire", as is the default.

The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similar attacks work on Linux or Unix-based machines. The attack has been tested and confirmed on Linux and Windows 2000 platforms, using several versions of LimeWire.
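The root cause described above is that the relative filename is joined onto the "root" directory without checking that the result stays inside it. The following is an added illustration, not LimeWire's own code, of the containment check a magnet-style file handler needs: it parses a request line of the form shown above, decodes the relative filename (including percent-encoded dot segments), and rejects any request whose resolved path leaves the configured root. The request lines and the `/magnet10/` prefix are modelled on the advisory; the sample filenames, the temporary root directory, and all function names are constructed for this example.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

MAGNET_PREFIX = "/magnet10/"   # request prefix from the advisory


def magnet_relpath(request_line):
    """Extract the decoded relative filename from a magnet request line, or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1].split("?", 1)[0]            # drop the "?..." query suffix
    if not target.startswith(MAGNET_PREFIX):
        return None
    # Decode percent-escapes so "%2e%2e" is seen as ".." before any path check.
    return unquote(target[len(MAGNET_PREFIX):])


def escapes_root(rel):
    """Lexical check: does the relative name leave the root once normalised?"""
    if not rel or rel.startswith(("/", "\\")) or "\\" in rel or "\x00" in rel:
        return True
    norm = posixpath.normpath(rel)                # collapses "a/../b" to "b"
    return norm == ".." or norm.startswith("../")


def resolve_in_root(root, rel):
    """Return the absolute path under root, or None if the request escapes it.

    The lexical check above is cheap; the realpath comparison also catches
    escapes through symlinks that a purely textual check would miss.
    """
    if escapes_root(rel):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def classify_requests(root, request_lines):
    """Label each request line 'allowed', 'rejected-traversal', or 'ignored'."""
    results = []
    for line in request_lines:
        rel = magnet_relpath(line)
        if rel is None:
            results.append((line, "ignored"))          # not a magnet file request
        elif resolve_in_root(root, rel) is None:
            results.append((line, "rejected-traversal"))
        else:
            results.append((line, "allowed"))
    return results


# Constructed sample request lines, shaped like the one in the advisory.
SAMPLE_REQUESTS = [
    "GET /magnet10/../../../../../Windows/Win.ini?Simple-test-attack HTTP/1.1",
    "GET /magnet10/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",   # percent-encoded dots
    "GET /magnet10/default.html HTTP/1.1",                # stays inside root
    "GET /update.xml HTTP/1.1",                           # not a magnet request
]


def demo():
    """Run the classifier against a throwaway root directory; returns the labels."""
    with tempfile.TemporaryDirectory() as root:
        return [status for _, status in classify_requests(root, SAMPLE_REQUESTS)]


if __name__ == "__main__":
    for line, status in zip(SAMPLE_REQUESTS, demo()):
        print(f"{status:20s} {line}")
```

Decoding before checking matters: a handler that looks for the literal string ".." in the raw request but joins the decoded name onto the root can still be escaped with "%2e%2e". The realpath comparison is the check that actually enforces the boundary; the lexical test is only an early, cheap rejection.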

Remedies: This problem has been fixed in LimeWire versions 4.8.0 and later, which Lime Wire LLC released promptly after we informed them of the vulnerability.

Computer Science Department
Cornell University