Vulnerabilities > CVE-2000-0412 - Unspecified vulnerability in Napster Knapster Napster

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
napster
nessus
exploit available

Summary

The gnapster and knapster clients for Napster do not restrict file requests to MP3 files, which allows remote attackers to read arbitrary files from the client host by specifying the file's full pathname. The Nessus plugin text on this page reports that Gnapster 1.3.9 or later fixes the issue.

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Napster | 1 |

Exploit-Db

description: John Donoghue Knapster 0.9/1.3.8 File Access Vulnerability. CVE-2000-0412. Remote exploit for unix platform
id: EDB-ID:19905
last seen: 2016-02-02
modified: 2000-05-13
published: 2000-05-13
reporter: no_maam
source: https://www.exploit-db.com/download/19905/
title: John Donoghue Knapster 0.9/1.3.8 File Access Vulnerability

Nessus

NASL family: Peer-To-Peer File Sharing
NASL id: GNAPSTER_GET_FILE.NASL
description: An insecure Napster clone (e.g. Gnapster or Knapster) is running on the remote computer, which allows an intruder to read arbitrary files on this system, regardless of the shared status of the files.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10408
published: 2000-05-12
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10408
title: Gnapster Absolute Path Name Request Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration branch: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits (exit(0) at
# the end of this block) before any network traffic is generated.
if(description)
{
 # Plugin identity and the advisory identifiers this check maps to.
 script_id(10408);
 script_version ("1.26");

 script_cve_id("CVE-2000-0412");
 script_bugtraq_id(1186);

 script_name(english:"Gnapster Absolute Path Name Request Arbitrary File Access");
 script_summary(english:"Detect the presence of a Napster client clone");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has a P2P file sharing application installed." );
 script_set_attribute(attribute:"description", value:
"An insecure Napster clone (e.g. Gnapster or Knapster) is running on
the remote computer, which allows an intruder to read arbitrary files
on this system, regardless of the shared status of the files." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/May/132" );
 script_set_attribute(attribute:"solution", value:
"If this is Gnapster, upgrade to version 1.3.9 or later, as this
reportedly fixes the issue." );
 # NOTE(review): the base vector rates confidentiality, integrity and
 # availability as partial, while the description text above only describes
 # file disclosure - weigh the reported score with that in mind.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2000/05/12");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/05/10");
 script_cvs_date("Date: 2018/11/15 20:50:24");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 # Registered as information gathering. NOTE(review): the check in the script
 # body asks the remote client for a system file and inspects the reply, so a
 # positive result means that file's contents were sent to the scanner.
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Peer-To-Peer File Sharing");
 # Scheduling constraints: requires the "Services/napster" KB key and lists
 # find_service1.nasl as a dependency (presumably the plugin that sets the
 # key - confirm). NOTE(review): with the key required, the port-6699
 # fallback in the script body may rarely be reached - confirm.
 script_require_keys("Services/napster");
 script_require_ports("Services/napster", 6699);
 script_dependencies("find_service1.nasl");
 # Metadata only: stop here so nothing below runs during registration.
 exit(0);
}

#
# The script code starts here
#

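 # Active check for CVE-2000-0412: connect to the Napster client port, request
 # the password file by absolute path, and flag the host only if the reply
 # contains a passwd-style root entry.
 #
 # Port selection: use the port recorded in the KB, else the default 6699.
 port = get_kb_item("Services/napster");
 if (!port) port = 6699;

 if (get_port_state(port))
 {
  soc = open_sock_tcp(port);
  if (soc)
  {
    # Read and discard whatever the peer sends on connect; the value is not
    # used for the decision below.
    banner = recv(socket:soc, length:1024);
    send(socket:soc, data:"GET");
    # Request for a file outside any shared directory, quoted with 0x22 (").
    # A client that limits requests to shared files should not return it.
    str = string("Nessus ", raw_string(0x22), "\\etc\\passwd", raw_string(0x22), " 9");
    send(socket:soc, data:str);
    r = recv(socket:soc, length:4096);
    # Require a passwd-shaped root line (name, password field, uid 0, gid 0/1)
    # instead of the bare substring "root:", which any service echoing that
    # text would satisfy and so produce a false positive. The r guard covers
    # a failed or empty read. The response buffer is not added to the report.
    if (r && egrep(pattern:"root:.*:0:[01]:", string:r))
    {
     security_hole(port);
    }
    close(soc);
  }
 }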