COMMAND

    Knapster

SYSTEMS AFFECTED

    Knapster 0.9 and prior

PROBLEM

    This vulnerability was discovered at the Center for Education and
    Research in Information Assurance and Security (CERIAS) at Purdue
    University by Tom Daniels, Florian Buchholz and James Early.  It
    was tested on an Intel PII-based system running Red Hat Linux
    version 6.2 (it may apply to all OSes running knapster) with
    knapster version 0.9 (and probably earlier).

    Knapster is an open source, independent implementation of the
    Napster protocol client.  It is written to conform to the KDE
    windowing environment.

    It is possible for anyone to obtain any user-readable file by
    sending a properly formed "GET" command that contains the full
    path of the file.  This vulnerability exists because knapster
    fails to check that the requested file is an explicitly shared
    MP3 file before providing it.  This is the same vulnerability
    described in

        http://oliver.efri.hr/~crv/security/bugs/Others/gnapster.html

    but in knapster instead of gnapster.

    Anyone running knapster version 0.9 or earlier is vulnerable.
    Given the IP address and TCP port of a vulnerable client, an
    attacker can send a request for an arbitrary file to the knapster
    client.  If the user running knapster has read access to the
    file, the client will then respond with the contents of the file.

SOLUTION

    The program's author promptly created a new version which
    addresses this vulnerability.  The fix simply checks that a
    requested file is in the list of shared files.  The current
    version can be downloaded from:

        http://knapster.netpedia.net/#DOWNLOAD
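
    The kind of check the fix describes, as an added example (not
    knapster source code): ShareList, canon() and the sample paths
    are hypothetical, and the requested path is assumed to be
    already extracted from the "GET" command.

```cpp
// Added example, not knapster source. All names here are hypothetical.
#include <filesystem>
#include <iostream>
#include <set>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Canonical form of an absolute path; empty string if it cannot be used.
static std::string canon(const std::string& raw) {
    if (raw.empty() || raw.find('\0') != std::string::npos) return "";
    fs::path p(raw);
    if (!p.is_absolute()) return "";           // never depend on our own cwd
    std::error_code ec;
    // Resolves symlinks in the existing prefix and folds "." and "..".
    fs::path c = fs::weakly_canonical(p, ec);
    return ec ? "" : c.string();
}

class ShareList {
public:
    // Called when the user explicitly shares a file.
    bool add(const std::string& path) {
        std::string c = canon(path);
        if (c.empty()) return false;
        shared_.insert(c);
        return true;
    }
    // Default deny: serve only files that are in the shared list.
    bool may_serve(const std::string& requested) const {
        std::string c = canon(requested);
        return !c.empty() && shared_.count(c) != 0;
    }
private:
    std::set<std::string> shared_;
};

// Behaviour the advisory describes for 0.9: readability is the only gate.
bool may_serve_unchecked(const std::string& requested) {
    std::error_code ec;
    return fs::is_regular_file(requested, ec);
}

int main() {
    ShareList shares;
    shares.add("/srv/constructed_share/mp3/track.mp3");  // constructed path
    for (const char* req : {"/srv/constructed_share/mp3/track.mp3",
                            "/srv/constructed_share/notes.txt"})
        std::cout << req << " -> "
                  << (shares.may_serve(req) ? "serve" : "refuse") << "\n";
}
```

    Both the shared entry and the request are canonicalised before
    comparison, so a request that reaches a listed file through "."
    or ".." segments still matches and everything else is refused.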

    For FreeBSD:

        1) Upgrade your entire ports collection and rebuild the
           knapster port.
        2) Reinstall a new package dated after the correction date,
           obtained from:
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/knapster-0.10.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/knapster-0.10.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/knapster-0.10.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/knapster-0.10.tgz
               ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/knapster-0.10.tgz
        3) Download a new port skeleton for the gnapster/knapster
           ports from:
               http://www.freebsd.org/ports/
           and use it to rebuild the port(s).
        4) Use the portcheckout utility to automate option (3) above.
           The portcheckout port is available in
           /usr/ports/devel/portcheckout or the package can be
           obtained from:
               ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz