Secunia

A vulnerability has been identified in FastTrack, the technology behind Kazaa, Grokster, iMesh and possibly other P2P (peer-to-peer) network clients. The vulnerability could be exploited to cause a Denial of Service on the so called supernodes and potentially also compromise of these.

Explanation: Supernodes are clients that have a high uptime, large bandwidth, a public IP address, powerful CPU and a large amount of RAM. Supernodes keep tracks of other supernodes and of clients that are logged onto the network.

Facts: There is about 3 million supernodes, which each serves up to 300 "ordinary" clients.

Any user of a P2P client, which is based upon FastTrack, could unknowingly become a supernode (this is not necessarily true for all kinds of client software, as it may require user acceptance).

The problem is that the client acting as a supernode accepts incoming requests with information about other supernodes. The packets sent to the supernode may only contain information about 200 other supernodes. If the packet contains information about 203 or more supernodes, it may overflow the allocated buffer. This causes the supernode to crash.

It has also been reported, that this could be exploited to execute arbitrary code on the supernode with a 50% success ratio. This, however, has not been confirmed.

This vulnerability could be exploited to lay down all P2P networks based upon FastTrack.

If it is possible to execute arbitrary code on the vulnerable supernodes, then this vulnerability could be exploited by a worm or virus.

Solution
An updated version of Kazaa (2.1.1) has been released:
Further details available in Customer Area

Provided and/or discovered by
random nut

Deep Links
Links available in Customer Area