Vulnerability 01: Inappropriate Handling of "resource get" requests.

Symptom:A remote attacker can request and read any file on a host running an affected version of LimeWire. Gnutella "push style" requests also vulnerable under most conditions. The files accessible to a remote attacker include all of the user's private, local files, and any file on the machine if the user has administrator privileges.

Versions affected:LimeWire versions 4.1.2 - 4.5.6, inclusive.

Details: The handling of "resource get" requests is the immediate cause of the problem. A request of the form "/gnutella/res/[filename]" returns the named file. For example, one can telnet to a LimeWire client (default port 6436) and type the following text:

GET /gnutella/res/C:\Windows\win.ini HTTP/1.1
User-Agent: I-AM-AN-ATTACKER/1.0
Accept: */*
Connection: Keep-Alive

(with two trailing newlines)

The result is that the LimeWire client reads the file "C:\Windows\win.ini" and sends it over the network. Similarly, the attacker may request "/gnutella/res//etc/passwd" on Linux or unix-based machines. This attack has been tested and confirmed on Linux and Windows 2000 platforms.

Remedies: This problem has been fixed in the recently released LimeWire versions 4.6.0 and later, which were released promptly by Lime Wire LLC after we informed them of the vulnerability.

Computer Science Department
Cornell University