COMMAND
Gnutella
SYSTEMS AFFECTED
Gnutella users
PROBLEM
Seth McGann (Team RAZOR) found following. Remember the game
telephone? Yeah, you know...someone whispers something to you,
and you're __supposed__ to whisper that to someone else, and so
on and so on? And the guy at the end of the chain got a whisper
that sounded nothing like the original whisper. Well, Gnutella
is similar in many ways.
Gnutella is a protocol recently re-released after a brief period
with no official home. Now at a new domain and back under
official development, Gnutella is poised to revolutionize media
distribution. Along with its new method of media distribution it
provides some interesting routes for abuse. In light of the
"ILOVEYOU" worm, and general rekindling of public interest in worm
design, here is another potential vector that may soon be used by
to distribute malicious content.
Protocol overview:
Alice: A user searching for a file.
Bob: A user who has the file Alice wants.
Carl: A user who has the file Alice wants (behind firewall).
Mallory: A malicious user.
The key component of Gnutella is a piece of software dubbed a
"servent" by the designers. This servent both accepts and sends
Gnutella messages. When a user wants to join the network, he
picks a few known hosts from a seed list provided by the Gnutella
web site and connects. The user could also create a private
Gnutella network with no exterior connections (remember no
centralization). All that is needed for this subset to become a
part of the larger public GnutellaNet is a single connection:
A --> (GnutellaNet) <-- B <-- | Firewall | <-- C <-- (Other Servents)
Each servent has a unique 128-bit identifier that is used to
determine which packets should be forwarded. Discovery of hosts
is done both actively and passively. Passive discovery occurs
when Alice recovers hosts from the packets she is routing.
Active discovery occurs when Alice sends out a "ping" packet.
This ping elicits a "pong" containing the IP address and port of
every servent that receives it. Searching for content is
conducted as follows:
(1) Alice generates a "query" packet and forwards to all her
connections.
(2) Each recipient searches its local database, decrements TTL
and forwards to each of its connection.
(3) Bob receives the packet, and replies with a "query-reply"
containing his IP address and port.
(4) These packets are forwarded back along the search path
eventually returning to Alice.
(5) On receipt of the response, Alice attempts to initiate a
direct connection with Bob and transfer the file.
(6) In the event that she cannot connect for some reason
(perhaps Carl has the file instead of Bob) a
"push-request" containing Alice's IP address and port is
sent by Alice.
(7) On receipt of this packet, Carl will attempt to create an
outbound connection to Alice to transfer the file,
circumventing the firewall.
For further information on the protocol see the Gnutella homepage,
but this should be sufficient to understand the following attacks.
Self Replicating Servents
==========================
The most significant problem is that there is no way to verify the
source or contents of a message. A particularly nasty attack is
for Mallory (a servent attached to GnutellaNet in an arbitrary
location) to simply respond to all query packets. This results
spoofing attack is a known issue covered in the Knowbuddy FAQ and
is conducted as follows:
(1) Alice generates a query packet and forwards.
(2) Mallory receives one of these packets and responds with a
query-reply.
(3) If Alice decides to pick the reply provided by Mallory she
will receive potentially malicious content.
This content could be an executable containing a trojan horse,
such as BO2K. A more sinister payload would be to create a trojan
that when executed attaches to the GnutellaNet. Once attached
to the net, it would respond to all queries and provide itself as
the content. To increase the probability of Alice executing the
file, it would be renamed to something containing the original
query. For instance, a search for "crack" would elicit a reply
of "crack.zip". Other extensions could also be used besides
".zip" and ".exe". A Winamp ".pls" file exploiting an overflow
in Winamp could be used for example. With source code available
for both Windows and *nix servents, creating a self-propagating
servent is trivial. The worm could even update itself using
GnutellaNet to distribute signed updates in a manner similar to
the "wormnet" described in Michael Zalewski's in:
http://oliver.efri.hr/~crv/security/bugs/Others/worm.html
What is disturbing here is the combination of low accountability
and trust of the individual servents. In a web, ftp, or email
transaction if malicious content is discovered on a server the
administrator can be notified. On Napster, if a user is
distributing malicious content, his account can be disabled. If
removal was not possible, at the very least a warning could be
posted regarding a particular site or Napster user. With Gnutella
anyone can attach to the network and provide malicious content
tailored to specific search requests with relatively small chance
of detection. The IP address of each transaction could be
recorded, as Zeropaid has done with their listing of people
attempting to retrieve child pornography. The official servent
does not display IP addresses. In addition, Mallory only has to
infect one host and the infection will spread automatically.
Once victims begin executing the content the GnutellaNet can be
used to mask the interactions with the victims. In most
traditional backdoors, a direct connection is required between
the attacker and the victim. With Gnutella, no direct connection
is needed for a bi-directional channel.
The most obvious covert channel for controlling these rogue
servents is already being used to allow chatting among Gnutella
users:
(1) Alice and Bob both turn on their search monitors (which
display all the queries passing through them.
(2) When Alice wants to talk she searches for the chat message
("Hi Bob!").
(3) Bob will see this query appear in his monitor. He then
searches for the reply ("Hi Alice").
Another stealthier channel is the 128-bit GUID. This would allow
relatively undetectable signaling between Mallory and her rouge
servents. There are several other fields available but queries
and GUIDs are the most significant.
Man in the Middle Attacks
=========================
There are two flavors of man in the middle attacks. For these to
work, Mallory has to be in the path between Alice and Bob (or
Carl). The first attack goes as follows:
(1) Alice generates a query packet and Bob responds.
(2) Mallory receives one of these query-reply packets and
rewrites it with her IP address and port instead of Bob's.
(3) Alice receives Mallory's reply first.
(4) Alice decides to download the content but connects to
Mallory instead of Bob.
(5) Mallory downloads the original content from Bob, infects
it and passes on to Alice.
The second attack relies on push-request interception:
(1) Alice generates a query packet and Carl responds.
(2) Alice attempts to connect but Carl is firewalled, so she
generates a push-request.
(3) Mallory intercepts the push-request and resends with her
IP address and port.
(4) Carl connects to Mallory and transfers his content.
(5) Mallory connects to Alice and provides the modified
content.
Gnutella Port Scanner
=====================
If Mallory wants to check what ports on a given host are
accessible she can perform the following steps:
(1) Alice sends a query and Bob responds with a query-reply.
(2) Mallory rewrites the query-reply passing through to point
at the IP address and port to be scanned.
(3) Since most likely the port is not listening, Alice will
generate a push-request.
(4) If the port happens to be listening and is not running the
Gnutella service, no push-request will be generated.
(5) Mallory repeats the process several times to make sure she
has an accurate determination of the port's state.
Using this procedure a network can be slowly scanned using
servents. This process will generate a significant amount of
noise, which can be used to decoy another attack. Another way to
generate Gnutella noise is for Mallory to send pong packets with
the IP address of hosts she wants others to attempt to connect
to. Each servent receiving her pong will add these to its table
of potential hosts. As servents exhaust their host tables these
entries will be tried eventually resulting in spurious
connections to a given network.
SOLUTION
Gnutella is gaining popularity quickly and has already been
featured in several mass media outlets. As it stands now it
provides an almost ideal environment for the spread of
self-replicating malicious agents with the additional bonus of
providing anonymous control. With full source available, parties
previously unable to craft a worm of their own now have a robust
framework to build on. DON'T USE IT.