A Cornell research group has discovered serious vulnerabilities in a widely used peer-to-peer file-sharing program. The weakness in LimeWire, a popular client for the Gnutella file-sharing network, would allow an intruder to read any file on a computer running the program, including confidential information and some password files. The problem occurs in both the free and paid versions of the program, on all operating systems.
As soon as members of his research group noticed the problem, Emin Gun Sirer, Cornell assistant professor of computer science, immediately notified Lime Wire LLC, the company that distributes the software. “Lime Wire responded immediately and had a patch ready within a few hours,” Sirer reported, adding that the company needed several days to get the patches out to all of the 36 million people who had downloaded the program. When LimeWire is started, it automatically displays a notice that a patch needs to be installed. Patches are available for all versions except those that run on classic versions of the Mac OS, and the company is working on that, Sirer said.
The most serious vulnerability affects LimeWire versions 4.1.2 through 4.4.5. It enables intruders to connect to a computer even through a firewall. A second vulnerability affects versions 3.9.6 through 4.6.0, but can be stopped by a firewall. The latest, corrected version of the program is version 4.8.0; on the Mac platform, the latest corrected version is 4.0.10.
Both vulnerabilities can be exploited without any special tools, Sirer said, through an ordinary telnet login. Like other Gnutella clients, the LimeWire program is designed to allow users to download music and video files shared through the Gnutella network, and also to allow the user to provide shared files to others. The glitch in the program unfortunately allowed remote users to retrieve other files, not just those in the user’s sharing folder.
Sirer is a specialist in peer-to-peer systems. He and graduate student Kevin Walsh discovered the LimeWire problem while working on a new application, called Credence, that is intended to work with LimeWire to give users a way to determine how trustworthy upload sites may be. “Much of the content in peer-to-peer file-sharing networks is corrupt, damaged, or mislabeled. Such polluted content makes it difficult for correctly functioning peers to locate desired content,” Sirer explained.
Credence allows users to share ratings of objects, similar to the ratings on Amazon, but with features that discourage dishonest ratings. The idea has applications to many other types of peer-to-peer networks, such as those in which distributed workers collaborate. “As systems scale bigger and there is more collaboration on the net, we are going to need systems for evaluating the statements made by peers,” he explained.
From Cornell University