Soulseek P2P Application Vulnerable to Remote Takeover
Soulseek is one the greatest music sharing networks that most people have never heard of, with a particular specialty in electronic music. Unfortunately, for nearly a year those using versions of the official client have been exposed to a highly critical vulnerability which can leave them open to remote takeover.
Soulseek, created by former Napster programmer Nir Arbe, is a lessor known file-sharing network/application. Although files of any type can be shared, its specialty lies in the diverse independent music to be found within – for electronic music lovers Soulseek an absolute goldmine. But it’s not all good news.
In July 2008, security researcher Laurent Gaffié found a bug in two of the latest versions of the official software – Soulseek 157 NS & 156. The problem was so serious he informed the Soulseek developer on 3rd September 2008. Unfortunately, Laurent heard nothing back so on 14 October 2008 he contacted the developer again. He appears to have been ignored. On 16 May 2009 Laurent tried again to contact the Soulseek team – yet again he had no response so decided to reveal his findings.
So what exactly is the problem? First of all it’s necessary to understand a little about how the Soulseek search works. When a user searches for an MP3 via their contact list or on a Soulseek IRC channel, their Soulseek client sends the query to the Soulseek server. The server then sends a distributed search query on the whole channel.
Laurent told TorrentFreak, “The P2P Soulseek bug is critical because of the nature of the bug. It appears when you send an overly long search request to the server, and it redirects it directly to everyone without checking the length of the request, then a memory corruption happens in every client that received this query.”
“By corrupting the Soulseek memory it becomes possible to control the program memory flow and redirect it anywhere you want,” Laurent explained. “In this case, you redirect the program to a shellcode you’ve placed in the memory and then code execution occurs. The problem with this type of “buffer overflow” is the nature of it, it’s a SEH overflow (Exception Handler) which will work on most Windows platforms.”
Laurent told TorrentFreak that there is no need to have any interaction with a targeted channel or user, it’s just possible to log on and send the distributed search. This makes the Soulseek vulnerability perfect for a very fast spreading worm scenario.
“I’ve released a very limited proof of concept, to avoid scripts-kiddies problem on the Soulseek network,” notes Laurent, “but this doesn’t avoid a worm scenario, because this binary protocol is not so hard to reverse.”
Apart from being a perfect scenario for a fast spreading worm or mass Soulseek client exploitation, Laurent told us this attack can be used to remotely control any machine connected to the Internet with a Soulseek client. Let’s hope the Soulseek team take notice and get this fixed.
In the meantime, worried Soulseek users can avoid this vulnerability by ditching the official client and using the Python Nicotine Plus client instead.
