EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com
) is a P2P application first released about 6-12
months ago. The people behind ES5 claim that ES5 is the most secure P2P
software in the world. They also claim that they are security experts, and
that they have more than 15 million simultaneous users on-line 24/7. In
comparison Kazaa, the most popular P2P application, only has about 4
million simultaneous users on-line at any given time of day.
There exists malicious code in ES5.exe's "Search Service" packet handler.
By sending packet 0Ch, sub-function 07h to the "Search Service"'s IP:Port,
a remote attacker could delete any file the user is sharing. If the remote
attacker uses "filenames" with a relative path in them (eg.
"..\..\..\WINDOWS\NOTEPAD.EXE"), the remote attacker could also delete
files in eg. the windows and windows\system32 folders, or any other folder
on the same partition as any of the shared folders. Since most users using
Windows are in the Administrators group, a remote attacker could also
delete the C:\BOOT.INI file which is a required boot file used by ntldr.
IMPORTANT: This is not a bug! They intentionally added this code to ES5.
There also exists a lot of other vulnerabilities in ES5 (eg. DoS attacks,
buffer overflow bugs, and so on), but these all seem to be unintentional.
Another advisory may have more info on these vulnerabilities, but I'm not
their beta tester so don't hold your breath.
The people behind ES5 have intentionally added malicious code to ES5. If
you have followed the ES5 discussions on message boards and read what the
ES5 people have said and done (eg. DoS attacking BitTorrent sites), this
comes as no surprise. The question then is "why did they do it?" I'm sure
they won't tell us, but here's a theory: They could be working for the
RIAA, MPAA, or a similar organization. Once they have enough users on their
ES5 network, they would start deleting all copyrighted files they own which
their users are sharing. The users wouldn't know what hit them.