Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

MUTE flaw report

p2p news / p2pnet: Secunia is reporting a low-level, non-critical flaw in Jason Rohrer’s MUTE p2p file sharing application which, "potentially can be exploited by malicious people to bypass certain security restrictions," says the site.

"This came up about a month ago," Rohrer told p2pnet. "I don’t have a grudge against the guy - I was just surprised to see such a minor issue show up on a security site."

"This issue, though not terribly serious, is well known," says Rohrer, who wrote the script for the Patti Santangelo Fight Goliath campaign, in a media release.

"The problem will be fixed in the next release by changing MUTE to ensure that it has a pool of possible hosts from a number of web caches before it randomly picks from that pool.

"This vulnerability could only be exploited if the attacker was running a MWebCache. The attacker wouldn’t be able to ‘flood’ a legitimate web cache with attacker nodes.

"Why? Because the MWebCache software itself prevents nodes from posting themselves repeatedly. Thus, an attacker’s nodes could be listed on a legitimate web cache, but other non-attacker nodes would also be listed on that cache. If an attacker runs her own ‘fake’ MWebCache, however, then she could fill it however she chooses."

Rohrer says the vulnerability isn’t serious because MUTE has social safeguards in terms of how users learn about new MWebCaches. "The primary way that they learn about these caches is through the MUTE website itself, where the latest MWebCaches are posted," he says.

"Yes, it would be easy for an attacker to set up a fake MWebCache, but it would be somewhat harder for that attacker to get that cache accepted by the MUTE user community."

But "somewhat harder" isn’t bullet-proof, "and that’s why the issue will be dealt with in the next release," he adds.

The Secunia report says a "design weakness in the MUTE client causes it to select hosts to connect to based on 10 random hosts that are retrieved from a single mWebCache. This can potentially be exploited to cause MUTE to connect to malicious hosts if the mWebCache has been populated with addresses of malicious hosts. Successful exploitation discloses the identity of the MUTE client."
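The difference between the reported behaviour and the described fix can be seen in a small simulation. This is an added example, not MUTE's code: the host names, the three-cache minimum, the five connections per client and the "every chosen host is attacker-run" metric are all assumptions made for illustration.

```python
import random

HOSTS_PER_QUERY = 10  # the report says the client retrieves 10 random hosts from a cache

def query(cache, rng):
    """One web-cache lookup: up to 10 random entries from that cache's list."""
    return rng.sample(cache, min(HOSTS_PER_QUERY, len(cache)))

def pick_single_cache(caches, k, rng):
    """Reported behaviour: every candidate comes from one cache."""
    return rng.sample(query(rng.choice(caches), rng), k)

def pick_pooled(caches, k, rng, min_caches=3):
    """Described fix: pool candidates from several caches, then pick at random."""
    if len(caches) < min_caches:  # min_caches is an assumed threshold
        raise ValueError("too few web caches to build a pool")
    pool = set()
    for cache in caches:
        pool.update(query(cache, rng))  # each cache adds at most 10 candidates
    return rng.sample(sorted(pool), k)

def all_attacker_rate(picker, caches, bad, k=5, trials=2000, seed=1):
    """Fraction of trials in which every chosen host is attacker-run."""
    rng = random.Random(seed)
    hits = sum(all(h in bad for h in picker(caches, k, rng)) for _ in range(trials))
    return hits / trials

# Constructed sample data: three honest caches and one fake cache.
HONEST = [[f"honest{c}-{i}" for i in range(50)] for c in range(3)]
FAKE = [f"attacker-{i}" for i in range(50)]
CACHES = HONEST + [FAKE]
BAD = set(FAKE)

if __name__ == "__main__":
    print("single cache:", all_attacker_rate(pick_single_cache, CACHES, BAD))
    print("pooled      :", all_attacker_rate(pick_pooled, CACHES, BAD))
```

With one fake cache among four, the single-cache client ends up with only attacker hosts roughly one time in four, while the pooled client almost never does because the fake cache can contribute at most 10 of the 40 candidates.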

Also See:
non-critical flaw - MUTE P2P File Sharing Host Selection Weakness, February 23, 2006
