LIMEWIRE SECURITY AND PRIVACY

Vulnerability 01: Inappropriate Handling of "resource get" requests.

Symptom: A remote attacker can request and read any file on a host running an affected version of LimeWire. Gnutella "push style" requests are also vulnerable under most conditions. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges.

Versions affected: LimeWire versions 4.1.2 - 4.5.6, inclusive.

Details: The handling of "resource get" requests is the immediate cause of the problem. A request of the form "/gnutella/res/[filename]" returns the named file. For example, one can telnet to a LimeWire client (default port 6436) and type the following text:

    GET /gnutella/res/C:\Windows\win.ini HTTP/1.1

(with two trailing newlines). The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similarly, the attacker may request "/gnutella/res//etc/passwd" on Linux or Unix-based machines. This attack has been tested and confirmed on Linux and Windows 2000 platforms.

Remedies: This problem has been fixed in the recently released LimeWire versions 4.6.0 and later, which were released promptly by Lime Wire LLC after we informed them of the vulnerability.
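
The kind of check whose absence the advisory describes, as an added example (not LimeWire's code and not its actual fix): a "/gnutella/res/" request is mapped to a file only if the name stays inside a dedicated resource directory. The function names, the resource directory layout and the sample requests other than the two quoted in the advisory are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from urllib.parse import unquote

PREFIX = "/gnutella/res/"  # request prefix named in the advisory

def resolve_resource(request_line, root):
    """Return the file to serve for a resource request, or None to refuse."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[1].startswith(PREFIX):
        return None
    name = unquote(parts[1][len(PREFIX):])  # decode before validating
    if not name or "\x00" in name:
        return None
    win, posix = PureWindowsPath(name), PurePosixPath(name)
    # Refuse absolute paths and drive/UNC prefixes under both naming
    # conventions, whichever OS this code happens to run on.
    if win.drive or win.root or posix.is_absolute():
        return None
    # Refuse parent-directory components written with either separator.
    if ".." in win.parts:
        return None
    root = Path(root).resolve()
    candidate = root.joinpath(*win.parts).resolve()
    # Containment check on the resolved path; also catches symlinks that
    # point outside the resource directory.
    if root not in candidate.parents or not candidate.is_file():
        return None
    return candidate

def demo():
    """Run constructed requests against a constructed resource directory."""
    requests = [
        "GET /gnutella/res/images/logo.gif HTTP/1.1",       # bundled resource
        "GET /gnutella/res/C:\\Windows\\win.ini HTTP/1.1",  # from the advisory
        "GET /gnutella/res//etc/passwd HTTP/1.1",           # from the advisory
        "GET /gnutella/res/..%2F..%2Fetc%2Fpasswd HTTP/1.1",
        "GET /gnutella/res/..\\secret.txt HTTP/1.1",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "res")
        (root / "images").mkdir(parents=True)
        (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        Path(tmp, "secret.txt").write_text("private")
        return [resolve_resource(r, root) is not None for r in requests]

if __name__ == "__main__":
    print(demo())
```

Only the first request, which names a file inside the resource directory, is served; checking the name under both Windows and POSIX path rules matters because "C:\Windows\win.ini" parses as an ordinary relative file name on a POSIX host.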