Soulseek P2P Application Vulnerable to Remote Takeover
Written by enigmax on May 30, 2009

Soulseek is one of the greatest music sharing networks that most people have never heard of, with a particular specialty in electronic music. Unfortunately, for nearly a year those using versions of the official client have been exposed to a highly critical vulnerability which can leave them open to remote takeover.
Soulseek, created by former Napster programmer Nir Arbel, is a lesser-known file-sharing network and application. Although files of any type can be shared, its specialty lies in the diverse independent music to be found within – for electronic music lovers Soulseek is an absolute goldmine. But it’s not all good news.
In July 2008, security researcher Laurent Gaffié found a bug in two of the latest versions of the official software – Soulseek 157 NS & 156. The problem was so serious he informed the Soulseek developer on 3rd September 2008. Unfortunately, Laurent heard nothing back so on 14 October 2008 he contacted the developer again. He appears to have been ignored. On 16 May 2009 Laurent tried again to contact the Soulseek team – yet again he had no response so decided to reveal his findings.
So what exactly is the problem? First of all it’s necessary to understand a little about how the Soulseek search works. When a user searches for an MP3 via their contact list or on a Soulseek IRC channel, their Soulseek client sends the query to the Soulseek server. The server then relays it as a distributed search query to every client on the channel.
Laurent told TorrentFreak, “The P2P Soulseek bug is critical because of the nature of the bug. It appears when you send an overly long search request to the server, and it redirects it directly to everyone without checking the length of the request, then a memory corruption happens in every client that received this query.”
“By corrupting the Soulseek memory it becomes possible to control the program memory flow and redirect it anywhere you want,” Laurent explained. “In this case, you redirect the program to a shellcode you’ve placed in the memory and then code execution occurs. The problem with this type of “buffer overflow” is the nature of it, it’s a SEH overflow (Exception Handler) which will work on most Windows platforms.”
Laurent told TorrentFreak that there is no need to have any interaction with a targeted channel or user, it’s just possible to log on and send the distributed search. This makes the Soulseek vulnerability perfect for a very fast spreading worm scenario.
“I’ve released a very limited proof of concept, to avoid script-kiddie problems on the Soulseek network,” notes Laurent, “but this doesn’t avoid a worm scenario, because this binary protocol is not so hard to reverse.”
Apart from being a perfect scenario for a fast spreading worm or mass Soulseek client exploitation, Laurent told us this attack can be used to remotely control any machine connected to the Internet with a Soulseek client. Let’s hope the Soulseek team take notice and get this fixed.
In the meantime, worried Soulseek users can avoid this vulnerability by ditching the official client and using the Python Nicotine Plus client instead.
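The defect the article describes is a missing length check: the server relays a search string verbatim and each receiving client copies it into a fixed-size buffer. The fix, on either side, is to validate the declared length against a policy cap and against the bytes actually present before doing anything with the data. The following is an added example, not code from Soulseek, Nicotine Plus or Laurent Gaffié’s advisory. It assumes the common Soulseek framing (a little-endian 32-bit frame length, a 32-bit message code, and strings encoded as a 32-bit length followed by bytes; the search code 26 and the 256-byte cap are assumptions, not values from the page) and shows a relay that refuses to fan out any search it cannot parse within limits, together with the bounded string reader a client would use.

```python
import struct

MAX_QUERY_LEN = 256   # assumed policy cap on a search string; the page gives no number
SEARCH_CODE = 26      # assumed message code for a file search


class ProtocolError(ValueError):
    """Raised for any frame that fails validation; the frame is dropped, never relayed."""


def encode_string(s: bytes) -> bytes:
    # String field: 32-bit little-endian length, then the raw bytes.
    return struct.pack("<I", len(s)) + s


def build_search_message(ticket: int, query: bytes, code: int = SEARCH_CODE) -> bytes:
    # Frame: <uint32 payload length><uint32 code><uint32 ticket><string query>
    payload = struct.pack("<II", code, ticket) + encode_string(query)
    return struct.pack("<I", len(payload)) + payload


def read_string(buf: bytes, off: int, limit: int):
    """Bounded string read: the declared length must fit both the policy cap
    and the bytes remaining in the frame before a single byte is copied."""
    if off + 4 > len(buf):
        raise ProtocolError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if n > limit:
        raise ProtocolError(f"string length {n} exceeds limit {limit}")
    if off + n > len(buf):
        raise ProtocolError("declared string length runs past message end")
    return buf[off:off + n], off + n


def parse_search_message(msg: bytes, max_query_len: int = MAX_QUERY_LEN) -> dict:
    """Validate a search frame end to end; any inconsistency raises ProtocolError."""
    if len(msg) < 12:
        raise ProtocolError("message too short")
    length, code, ticket = struct.unpack_from("<III", msg, 0)
    if length != len(msg) - 4:
        raise ProtocolError("frame length mismatch")
    if code != SEARCH_CODE:
        raise ProtocolError(f"unexpected message code {code}")
    query, off = read_string(msg, 12, max_query_len)
    if off != len(msg):
        raise ProtocolError("trailing bytes after query")
    return {"code": code, "ticket": ticket, "query": query}


def relay_search(msg: bytes, peers, max_query_len: int = MAX_QUERY_LEN):
    """Server-side relay: validate once, then fan out.
    Returns (list of peers the frame was relayed to, rejection reason or None)."""
    try:
        parse_search_message(msg, max_query_len)
    except ProtocolError as exc:
        return [], str(exc)
    return list(peers), None


if __name__ == "__main__":
    peers = ["peerA", "peerB", "peerC"]          # constructed sample peer list
    good = build_search_message(7, b"aphex twin")
    oversized = build_search_message(8, b"A" * 5000)
    print(relay_search(good, peers))            # relayed to all three peers
    print(relay_search(oversized, peers))       # rejected: length exceeds limit
```

The relay decides on the parsed result alone, so a frame whose inner string length disagrees with the frame length is rejected even when the frame length itself is well formed; that second check is the one a client parser needs, because a consistent outer frame says nothing about the inner field.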
54 Responses
FIRST
I NEED A LAWL
Soulseek sucks ;D
Awww, c’mon soulseek was the stuff.
I hope the developers fix it soon.
God, people are so predictable. You just knew someone would respond with a comment like:
Umm..it sounds kinda intentional. :o
Typo in the first line, it should be “is one of the greatest” not “is one the greatest”
F,I.R,S.T, !!! !!! !!! !!! !!! !!! XD
not first – fail.
Pity I don’t know more about how this works or how to “play” with this exploit or…
I would simply order all compromise clients hit riaa, sony, mpaa, ifpi etc sites at specific times for one hour or so each, everyday till this client is patched ;)
If someone does use this idea, no need to give me credit, its not copyrighted either :D
old frackin news thanks for the speed on this one gonzalis
Sounds like the quickest fix for the bug is to limit the string length rebroadcast by the server. No update required.
That’s Me.
lol at #8
Heard of Soulseek, but never really thought to use it, Bittorrent FTW?
P U R P L E
Credit to you Laurent Gaffié. Thanks for notifying users of the vulnerability.
… could act as the in-sole!! lol
Come and join the short and easy game mybrute:
http://burpnassker.mybrute.com
I think all “First!!!!” post should be deleted. Such an annoyance.
That’s unfortunate, I kind of like soulseek. Oh well.
The first rule of [] is you do not talk about [].
The second rule of [] is YOU DO NOT TALK ABOUT [].
[] rules, fck BitTorrent. ;)
P.S. Cheers for the info!
Nooooooooooooooooooooooooooooo!! We’re gonna get a massive n00b flow that’s gonna ruin the soulseek spirit now…. Noooooooooooooooooooooooo!!
soulseek – belch, fart, puke.
We already received a massive newb flow after Audiogalaxy closed or shut down or whatever.
There used to be a time in Slsk’s history when searches for mainstream shit music would turn up 0 results.
It’s still the best for rare music (other than things that can be found on specialized networks) but it’s been newb friendly since the end of 2002.
The funny thing is you just brought this to the attention of dozens of ‘hackers’.
This is part of why I don’t run Windows.
Free software is ftw.
I already cracked the “protection” against using this for only the test user. Really easy.
SoulSeak will be exploited within hours lol :)
Programmers that don’t listen to warnings over and over deserve to have their software hacked and exploited by hackers.
Credibility and trust goes out the window. ;)
its not easy being a dev. they tend to be antisocial, so getting a response is hard nuff.
heh i and i thought most other users that have or do use slsk use nicotine plus
and yea its definitely a great source for rares just like AG used to be (i was one of the newbs that moved when it shut down)
This situation is just like a Dutch proverb: “Wie niet horen wil, moet voelen.” (roughly translated: “Who don’t (want to) listen, must be/will hurt.”
The proverb means when someone don’t listen to wise advice, he’ll have to face with the consequences.
I hope for the SLSK-users SLSK will be patched soon.
yes #27, the soulseek dev has a rep for being hardheaded, a rep which he has again confirmed and added to.
this is one of the reasons why people should not make themselves dependent on and vulnerable to closed-source software. this could have been fixed in five minutes, it is just ridiculous that it was not.
there is really no reason why an elite electronic music community could not use some better software such as gnutella or dc++, except for inertia and the belief that the software is what makes the community.
Why is it that almost every damn time I hear about a software vulnerability, it’s always done by buffer overflow.
With how ungodly often I hear about it, you’d think that programmers would start taking special precautions to make sure it doesn’t happen.
Well it’s not that simple, in thousands or millions of lines of code there always will be flaws, is like writing a book if you do write a big text then you will get errors in it.
But one big advance in programming may be the graphical interface programming like “scratch” from MIT that use a lego type of construction to show people how things connect that should take care of logical errors that are difficult to visualize.
In the future I hope “writing” code will be like using punched cards to code.
And better debugging tools people don’t see how a stack works and it’s a very simple concept it would be wonderful to see a stack getting used much like we can visualize sound levels, or see memory as a visual representation when the program is running but that is for the future cause right know those tools don’t exist.
@30
‘Well it’s not that simple, in thousands or millions of lines of code there always will be flaws, is like writing a book ‘
which’s all about spelling and grammar and stuff, like you have to write it right, at least most of the times.
@10
I like how you think mate. ^^
@32:
Yep, that is why people pay people to revise their work after they finish writing at least those who can afford to do it which I think soulseek can’t because it’s not opensource it’s a closed source app.
Oops!
@34
Yep, the key word being “most” of the time and that is why people pay other people to revise their work after they finished writing, at least those who can afford to do it which I think Soulseek can’t because it’s not opensource, it’s a closed source app.
Sounds FABuLoUs darling !
I can’t download anything from Soulseek anymore, it’s ruined.
looks like it has been patched today !
http://forums.slsknet.org/ipb/index.php?s=&showtopic=24110&view=findpost&p=270519
Maybe having an email like security@slsknet.org would avoid this kind of situation !
Using spotify now, and happy.
But I remember the soulseek days as a slow, but exciting pleasure in a not to distant past. Funny how quick-fast things change lately. Makes me think of Terence McKenna and his singularity concept.
yay fixeded!11
F
I
R
S
T
!
!
!
!
With how ungodly often I hear about it, you’d think that programmers would start taking special precautions to make sure it doesn’t happen.
http://pdfstack.com/
all i can say is, that everyone pays …
http://rockimg.com/share-22F0_4A244FF7.html
let us know if there’s update thx
Fake patch !
Still works !
http://forums.slsknet.org/ipb/index.php?showtopic=24110&st=0&gopid=270684
It wasn’t a fake patch, all major avenues of search have been protected from this kind of abuse. The last remaining avenue has to do with some legacy code, is harder to exploit, and likely to affect a much smaller number of users. A client will be released very soon to prevent this last contingency.
A new client has been released patching this issue according to the changelog file : http://slsknet.org/changelog.html
Also it seems that you can still exploit this security hole by sending directly a search query to another peer using another soulseek version than 157 NS 13e
After responding to a worried user last week on the SLSK forum that he should not use the buggy Windows client software any more until a fix was released, I found out the entire topic had been deleted!
The lame developers just do not respond to security reports for almost a year, and only after researcher Laurent Gaffié goes public on FD they suddenly wake up and fix their app.
Way to go guys.
It’s fixed. The first patch was on the server side, the remaining issue on the client side is now also patched, so, “updateslsk”, you’re wrong. And “/usr/local/dick”, as explained, the topic was make invisible as suggested by the Laurent Gaffié.
http://forums.slsknet.org/ipb/index.php?showtopic=24181
Edit:
the topic was made invisible as suggested by Laurent Gaffié.
It’s visible again.
http://forums.slsknet.org/ipb/index.php?showtopic=24110