Diese Meldung steht auf diversen Seiten (Slyck, Zeropaid).

"ES5 info

EarthStation 5 (aka ES5, aka ESV) (http://www.earthstation5.com and http://forums2.es5.com/) is a P2P application first released about 6-12 months ago. The people behind ES5 claim that ES5 is the most secure P2P software in the world. They also claim that they are security experts, and that they have more than 15 million simultaneous users on-line 24/7. In comparison Kazaa, the most popular P2P application, only has about 4 million simultaneous users on-line at any given time of day.
Malicious code

There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IPort, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "......WINDOWSNOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windowssystem32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C:BOOT.INI file which is a required boot file used by ntldr.

IMPORTANT: This is not a bug! They intentionally added this code to ES5.
Vulnerabilities

There also exists a lot of other vulnerabilities in ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem to be unintentional. Another advisory may have more info on these vulnerabilities, but I'm not their beta tester so don't hold your breath.
Conclusion

The people behind ES5 have intentionally added malicious code to ES5. If you have followed the ES5 discussions on message boards and read what the ES5 people have said and done (eg. DoS attacking BitTorrent sites), this comes as no surprise. The question then is "why did they do it?" I'm sure they won't tell us, but here's a theory: They could be working for the RIAA, MPAA, or a similar organization. Once they have enough users on their ES5 network, they would start deleting all copyrighted files they own which their users are sharing. The users wouldn't know what hit them.
Tested ES5 builds

ES5 build 1266

ES5 build 2180 (latest version)
MD5 sums of files

MD5 sum (using RFC 1321 source code) of tested files (just in case the ES5 people will remove the malicious code w/o changing the build number)

e35838ef6668abe883344e3a7e734794 *es5beta1266.exe
ce44a1f0542b9132f2debd9866febc65 *es5beta2180.exe
373c30ba0e8b1dce05dcab2acce94a77 *es5_build1266.exe
915de0f8e72be40bf071a86bc9dc2626 *es5_build2180.exe

2,244,663 es5_build1266.exe (ES5.exe - build 1266)
2,347,063 es5_build2180.exe (ES5.exe - build 2180 - latest version)
4,436,309 es5beta1266.exe (ES5 installer - build 1266)
4,553,325 es5beta2180.exe (ES5 installer - build 2180 - latest version)

The official ES5 installer download URL is http://download.es5.com/es5beta.exe , but check its MD5 sum before installing it in case they changed it.
Credits

me for discovering it (randnut@yahoo.com)
Exploit code

Go to http://www.geocities.com/esvuln to download the exploit binary if you don't want to compile it yourself.

Source code to esv ("ExpoitStation 5" or "EarthStation Vulnerabilities", you decide) but first a little FAQ..."
http://lists.netsys.com/pipermail/fu...er/011339.html

Aber ich weiß nicht was "malicious" heißen soll, so verstehe ich nicht genau was das ist und worin die Gefahr für die User liegt..

Werbung

Malicious bedeutet bösartig, mit übler Absicht.

Na ich würde sagen, dass das für User doch von Nachteil wäre, wenn
man ihnen die Boot-Ini löschen könnte.

Diese Meldung von zeropaid.com entspringt dem Kleinkrieg zwischen den ES 5 - Leuten und Zeropaid.....

Jedenfalls lässt sich dazu einiges im ES 5 Forum nachlesen; unter dem Strich kann aber festgestellt werden, daß mit der neuen Version (derzeit erst noch auf nur auf englisch) 1.3 dieser remote - FUnktion ausgeschaltet wurde.....


also kein Problem mehr. ES 5 ist mit ohne Zweifel das sicherste Filesharing Tool im Moment, was genau aus diesem Grund von vielen Konkurrenten und RIAA (etc) daher versucht wird kaputt zu schreiben.....