Friday, October 03, 2003

Earth Station Five Back Door

On 28 Aug I reported on Earth Station Five. I just read this post claiming a back door of sorts in ES5's peer-to-peer file sharing client. From the post:

"There exists malicious code in ES5.exe's 'Search Service' packet handler. By sending packet 0Ch, sub-function 07h to the 'Search Service''s IP:Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (e.g. '..\..\..\WINDOWS\NOTEPAD.EXE'), the remote attacker could also delete files in e.g. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders.

IMPORTANT: This is not a bug! They intentionally added this code to ES5. . . There also exist a lot of other vulnerabilities in ES5 (e.g. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional."

If anyone knows more about this, please email me at blog at taosecurity dot com. Thanks to the new ticker at left for this scoop.

Update: I learned of ES5's response by reading this Slashdot thread. ES5 claims the function exists to allow remote upgrades of their client.
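The relative-path problem in the quoted post comes down to a file handler that joins a peer-supplied name onto a shared folder without checking where the result lands. The sketch below is an added example, not code from ES5 or from the quoted post: it shows the containment check a file-sharing client would apply before acting on such a name. The function names, the share folder `C:\Shared\Music` and the sample names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform (purely lexical)


def resolve_shared_path(share_root, requested):
    """Return the normalized path of `requested` inside `share_root`,
    or None when the name would land outside the shared folder."""
    # A peer-supplied name must be relative: refuse drive letters, UNC
    # prefixes and names anchored at the root of the current drive.
    drive, _ = ntpath.splitdrive(requested)
    if drive or requested.startswith(("\\", "/")):
        return None

    # normpath collapses "." and ".." and unifies separators; normcase
    # lowercases, because Windows file names compare case-insensitively.
    root = ntpath.normcase(ntpath.normpath(share_root))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, requested)))

    # Compare against root plus a trailing separator, so that a sibling
    # folder such as "Music2" does not pass as a prefix match on "Music".
    if not candidate.startswith(root.rstrip("\\") + "\\"):
        return None
    return candidate


def screen_requests(share_root, names):
    """Split peer-supplied names into (accepted paths, refused names)."""
    accepted, refused = [], []
    for name in names:
        path = resolve_shared_path(share_root, name)
        if path is None:
            refused.append(name)
        else:
            accepted.append(path)
    return accepted, refused


if __name__ == "__main__":
    # Constructed sample input; the second name is the one quoted in the post.
    SAMPLE = [
        "song.mp3",
        "..\\..\\..\\WINDOWS\\NOTEPAD.EXE",
        "albums\\..\\song.mp3",
        "..\\Music2\\other.mp3",
        "C:\\WINDOWS\\system32\\kernel32.dll",
    ]
    ok, bad = screen_requests("C:\\Shared\\Music", SAMPLE)
    print("accepted:", ok)
    print("refused: ", bad)
```

The check is lexical only. A client that shares folders containing junctions or symbolic links would also need to resolve the real path on disk before comparing.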