remote exploit in soulseek p2p client published

I’ve long wondered when we’d see more P2P client attacks; I mean really, thousands of clients always-on and accepting traffic through the network?

Seems my P2P network of choice, SoulSeek, has an exposed vulnerability in the client app since at least July 2008. Pretty nifty! The software accepts and processes queries for your shared files. Seems this query length isn’t handled properly.

Just think, I could continue to be using rootable software for years if not for some measure of full disclosure. Pah.

I like SoulSeek and have used it for about 6 years now as my primary music exposure tool, although I am open to new places since my searches are not always as successful as they used to be. What’s more, there has not been a whole lot of movement from SoulSeek developers or the community in quite some time, although the forums still have a trickling of activity. It is not surprising that the exploit author was getting no response. I’ve had the feeling in the past year that this is a bit of a headless beast anymore.

Of note, the exploit author mentions using a Python-based SoulSeek client. This probably means there is plenty of documentation on what SoulSeek does and how to interact with it.