A critical vulnerability has been discovered in the widely used Transmission BitTorrent client that could allow attackers to execute malicious code remotely on users’ computers and take control of them.
The vulnerability was uncovered by Google’s Project Zero vulnerability-research team, and one of its researchers, Tavis Ormandy, has also published a proof-of-concept attack, just 40 days after the initial report.
Usually, the Project Zero team discloses a vulnerability 90 days after reporting it to the affected vendor, or sooner if the vendor releases a patch.
In this case, however, the Project Zero researchers disclosed the vulnerability 50 days before that deadline because the Transmission developers had failed to apply a ready-made patch the researchers provided more than a month earlier.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy said in a public report published Tuesday.
Proof-of-Concept Exploit Made Publicly Available
The PoC published by Ormandy abuses a Transmission feature that lets users control the client from their web browser.
Ormandy confirmed his exploit works in Chrome and Firefox on Windows and Linux (Fedora and Ubuntu), and believes other browsers and platforms are also vulnerable.
Transmission uses a client-server design: the user runs a daemon on their system and controls it through a web-based interface loaded in a local browser.
The web interface drives the daemon, telling it which files to download or upload, by sending JSON-RPC requests to the daemon’s HTTP endpoint, which listens on localhost.
Ormandy found that a technique known as DNS rebinding can exploit this design, allowing any malicious website the user visits to send commands to the daemon and, through it, execute malicious code on the user’s computer.
Here’s How the Attack Works:
The weakness lies in the fact that a service listening on localhost can be reached by a third-party website loaded in the local browser.
“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote in a separate post, which includes the patch.
“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine, but somehow believe that accessing a website ‘transfers’ execution somewhere else. It does not work like that, but this is a common source of confusion.”
Attackers exploit this by registering a DNS name they control and making it resolve to the victim’s localhost address. The attack proceeds as follows:
- A user visits a malicious site (http://attacker.com), which contains an iframe pointing to a subdomain controlled by the attacker.
- The attacker configures their DNS server to respond alternately with 127.0.0.1 and 126.96.36.199 (an address the attacker controls), with a very low TTL.
- When the browser resolves the name to 126.96.36.199, the attacker serves HTML that waits for the DNS entry to expire (or forces it out by flooding the cache with lookups). The next request to the same name now reaches 127.0.0.1, and because the browser still treats it as the same origin, the page has permission to read and set headers.
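The architecture described earlier (a web UI sending JSON-RPC to a daemon on localhost) and the three steps just listed can be put together in one runnable model. The following Python is an added example written for this page; it is not Transmission’s code and not Ormandy’s proof of concept. It assumes a hypothetical attacker subdomain rebind.attacker.com, reuses the attacker address 126.96.36.199 from the list above, and stands in a constructed string for the daemon’s anti-CSRF token. Transmission’s real RPC endpoint guards against plain cross-site requests with a 409 response carrying an X-Transmission-Session-Id header that the client must echo back; the article does not go into that, but it is included here because it is exactly the check rebinding walks past: once the name flips to 127.0.0.1 the daemon’s responses are same-origin with the attacker’s page, so the script can read the token and set it (“read and set headers”). The model also carries the standard defence against rebinding, validating the Host header against the names the daemon legitimately answers to, so the two outcomes can be compared side by side.

```python
"""Model of a DNS-rebinding attack on a JSON-RPC daemon bound to localhost,
and of the Host-header check that defeats it.  Added example: not
Transmission's code and not Ormandy's proof of concept."""
import itertools
import json

ATTACKER_IP = "126.96.36.199"          # attacker-controlled address from the article
LOCALHOST_IP = "127.0.0.1"
REBIND_HOST = "rebind.attacker.com"    # hypothetical subdomain loaded in the iframe
SESSION_ID = "constructed-session-id"  # stands in for the daemon's anti-CSRF token
LOCAL_NAMES = {"localhost", "127.0.0.1", "::1"}
MIN_DNS_CACHE = 60                     # browsers clamp tiny TTLs to roughly a minute


class RebindingResolver:
    """Authoritative DNS for attacker.com: alternating answers with TTL 0."""

    def __init__(self):
        self._answers = itertools.cycle([ATTACKER_IP, LOCALHOST_IP])

    def resolve(self, name):
        if name != REBIND_HOST:
            raise LookupError(name)
        return next(self._answers), 0          # (address, ttl in seconds)


class Browser:
    """A TTL-honouring DNS cache, a map from IP to server, and the rule that
    the Host header carries the name from the URL, not the resolved address."""

    def __init__(self, resolver, network):
        self.resolver, self.network = resolver, network
        self.cache, self.now = {}, 0

    def wait(self, seconds):
        self.now += seconds                    # the page idles until the entry expires

    def lookup(self, name):
        if name in LOCAL_NAMES:                # hosts file, no DNS round trip
            return LOCALHOST_IP
        ip, expires = self.cache.get(name, (None, 0))
        if ip is None or expires <= self.now:
            ip, ttl = self.resolver.resolve(name)
            self.cache[name] = (ip, self.now + max(ttl, MIN_DNS_CACHE))
        return ip

    def fetch(self, name, headers, body=""):
        request = {"headers": {"Host": name, **headers}, "body": body}
        return self.network[self.lookup(name)](request)   # (status, headers, body)


def attacker_web(request):
    """The attacker's real web server: serves the page carrying the script."""
    return 200, {}, "<html><script>/* rebinding payload */</script></html>"


def rpc_daemon(request, check_host):
    """The localhost RPC endpoint.  The 409 + session-id round trip only stops
    ordinary cross-site requests, whose responses the attacker cannot read."""
    host = request["headers"].get("Host", "").split(":")[0]
    if check_host and host not in LOCAL_NAMES:
        return 421, {}, "Host header is not a local name"
    if request["headers"].get("X-Transmission-Session-Id") != SESSION_ID:
        return 409, {"X-Transmission-Session-Id": SESSION_ID}, ""
    method = json.loads(request["body"])["method"]
    return 200, {}, json.dumps({"result": "success", "method": method})


def rpc_call(browser, host, method):
    """The flow the web UI uses: POST JSON, take the token from the 409, retry."""
    headers, body = {}, json.dumps({"method": method, "arguments": {}})
    status, resp_headers, resp_body = browser.fetch(host, headers, body)
    if status == 409:
        # Same origin as the page that asked, so the script may read the header
        # and copy it into the retry: this is "read and set headers".
        headers["X-Transmission-Session-Id"] = resp_headers["X-Transmission-Session-Id"]
        status, _, resp_body = browser.fetch(host, headers, body)
    return status, resp_body


def run_attack(check_host):
    """User visits attacker.com; its iframe loads REBIND_HOST."""
    network = {ATTACKER_IP: attacker_web,
               LOCALHOST_IP: lambda req: rpc_daemon(req, check_host)}
    browser = Browser(RebindingResolver(), network)
    status, _, html = browser.fetch(REBIND_HOST, {})      # first answer: attacker's IP
    if status != 200 or "<html>" not in html:
        raise RuntimeError("attacker page did not load")
    browser.wait(MIN_DNS_CACHE)                            # let the DNS entry expire
    # The next lookup for the same name yields 127.0.0.1; Host and origin are unchanged.
    return rpc_call(browser, REBIND_HOST, "session-get")   # 200 without the check, 421 with it


def run_legit_ui(check_host=True):
    """The real web UI at http://localhost keeps working with the check enabled."""
    network = {LOCALHOST_IP: lambda req: rpc_daemon(req, check_host)}
    return rpc_call(Browser(RebindingResolver(), network), "localhost", "session-get")
```

run_attack(False) comes back with a 200 and a successful RPC result: the daemon saw a request on its own socket, with a valid session id, and had no way to tell it came from a page the user never meant to trust. run_attack(True) comes back with 421, because the Host header still reads rebind.attacker.com even though the connection arrived on 127.0.0.1; that header is the only thing on the wire that distinguishes the rebound request from the genuine web UI, which is why a Host whitelist is the usual fix. run_legit_ui() confirms the genuine UI is unaffected. Note that the check compares the hostname only, so a Host of localhost:9091 (9091 being Transmission’s default RPC port, assumed here) still passes.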
Ormandy said the vulnerability (CVE-2018-5702) was the “first of a few remote code execution flaws in various popular torrent clients,” though he did not name the other torrent apps because of the 90-day disclosure timeline.
A fix is to be released as soon as possible, a Transmission developer told Ars Technica, without giving an actual date.