• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

FastTrack P2P Technology Message Service Identity Spoofing Vulnerability

KaZaA, Grokster and Morpheus are file-sharing clients based on FastTrack P2P technologies. They will run on Microsoft Windows 9x/ME/NT/2000/XP systems. Ports also exist for variants of the Linux operating system.

It is possible for a user to craft a raw fake HTTP GET header to spoof the identity of an another existing user via the messaging service offered by vulnerable clients. The host and username in the header most both by valid for this to work.

Clients listen for messages on port 1214 by default, even when they are not actively connected to the service.

Any versions of file-sharing clients based on FastTrack P2P technologies which include the messaging functionality should be considered prone to this issue.

This is a security vulnerability because access control is based on client identities, supplied in the request headers.

Attackers may spoof their identity to exploit BugTraq ID 4122 "FastTrack P2P Technology Message Service Denial Of Service Vulnerability".