It turns out that the "popular" file sharing tool isn't all that meets the eye!
ES5 info
--------
EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com and http://forums2.es5.com/) is a P2P application first released about 6-12 months ago. The people behind ES5 claim that ES5 is the most secure P2P software in the world. They also claim that they are security experts, and that they have more than 15 million simultaneous users on-line 24/7. In comparison Kazaa, the most popular P2P application, only has about 4 million simultaneous users on-line at any given time of day.
Malicious code
--------------
There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IP : Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "..\..\..\WINDOWS\NOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C:\BOOT.INI file which is a required boot file used by ntldr.
IMPORTANT: This is not a bug! They intentionally added this code to ES5.
View: Earth Station 5 Homepage
View: ES5 Declares War on MPAA, RIAA
View: Revelation on Full Disclosure Mailing List
News source: Slashdot.org
ES5 info
--------
EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com and http://forums2.es5.com/) is a P2P application first released about 6-12 months ago. The people behind ES5 claim that ES5 is the most secure P2P software in the world. They also claim that they are security experts, and that they have more than 15 million simultaneous users on-line 24/7. In comparison Kazaa, the most popular P2P application, only has about 4 million simultaneous users on-line at any given time of day.
Malicious code
--------------
There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IP : Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "..\..\..\WINDOWS\NOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C:\BOOT.INI file which is a required boot file used by ntldr.
IMPORTANT: This is not a bug! They intentionally added this code to ES5.
View: Earth Station 5 Homepage View: ES5 Declares War on MPAA, RIAA View: Revelation on Full Disclosure Mailing List News source: Slashdot.org
First, a few notes -
1) As always, this is BETA software. As such it should never be installed on critical systems. Errors and problems are not only possible, but expected - the purpose of a BETA is to find and fix these problems before general release.
2) Windows 95, 98 First Edition, and NT are not supported AT ALL in version 4 and above. While W98 Second Edition (98SE) is supported, there may be crashes or problems due to outdated drivers (usually
video), that cannot be resolved. In case of W98SE crashes, please update your video drivers as a first step in troubleshooting.
3) If you experience TrueVector or system crashes, please email this address (Submit_Info@zonelabs.com) for specific instructions on how to prepare for and gather the information required for our developers to investigate.
4) If you experience settings issues after upgrading to this Beta version, please do the following as your first step in troubleshooting:
- Reboot into Safe Mode
- Find the Internet Logs folder, and rename it to "OLDLOGS".
- Reboot normally. All of your settings will be back at original default
install settings.
5) ** Please read the ENTIRE download page and the Readme link before downloading and installing! **"
For a "secure" P2P software...this is really bad.
Believe it or not, we all love and respect each other.
We all work and play together. Our families on many occasions eat at the same dinner table. We trust each other and are very close friends with each other. As a group, the most important thing in our life is our children, our families and love ones and of course our friends.
So ES5 is a commune?
Wouldn't surprise me if it was Malware, the "hippy coder" bit strikes me as kind of B.S.
If it's in Gaza then there is no way either jews, christians, or hindus would possibly be involved as movement across the checkpoints is all but impossible.
It might be an idea to create an emulation of the original software that can receive the types of requests documented on slahdot then leave it running simply logging messages to see what we get?
vocal critic of Eathstation5 because of a continual online insult war
between himself and some roudy Earthstation5 fans. This has motivated
him to be extremely critical of Earthstation5. We at Earthstation5
desire and request criticism at any time in fact we demand it as we
believe that is the only way to make software truly superior.
We at Earthstation5 are not perfect, but we acknowledge that Shaun
Garriok might be and thank him for helping us root out bugs.
The problem with the Earthstation5 software that Shaun Garriok found
truly exists, however the sordid motives he attributes to
Earthstation5 are incorrect. The following functions were put into
Earthtation5 to allow automatic, remote upgrade of the Earthstation5
software.
These functions are:
1) Reload Earthstation5
2) Shutdown Earthstation5
3) Delete a File
All of these functions are necessary to perform when upgrading
software.
We have long been admirers of Shaun Garriok's ability to superbly
investigate even a fully compiled program. We believe that he is
capable of finding ANY sort of trojan, worm, or bug inside a compiled
program. We are relieved that all he could find was these remote
upgrade functions. He didn't find any bugs that send user data
anywhere, no spyware, no adware, nothing in fact that gives away any
personal information about the user using Earthstation5.
It is also a fortunate fact that since Earthstation5 protects you from
the RIAA lawsuits and hackers by hiding your ip address, the exploit
program he wrote can only be used against your own computer which he
states in his exploit. If you want to delete files from your own
computer, we feel you have the right to do that.
We are glad he found this bug and pointed it out. We completely
removed the automatic software upgrade code because as it turns out
automatic upgrade is no longer popular as it once was because it gives
people an uneasy feeling and rightly so.
Since Shaun Garriok seems to be concerned about everyone's security,
and is not on a personal quest for revenge, we would be grateful if he
would download the latest Earthstation5, version 1.1.31
(http://download.es5.com/es5_v1.1.31.exe) and verify that we have
truly removed the remote update function which his exploit program
accessed. We think his dedication to the good of all concerned would
motivate him to do this. Anyone else who is concerned can do the same,
download the latest Earthstation5 and test the exploit code against
it.
Ras Kabir
Earthstation 5
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.