There’s a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users’ computers. That’s according to a researcher with Google’s Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.
Researcher Tavis Ormandy published the proof-of-concept attack code last week, along with a detailed description of the underlying vulnerability it exploited. Normally, Project Zero withholds publication of such details for 90 days or until the developer has released a fix. In this case, however, Ormandy’s private report to Transmission included a patch that completely fixed the vulnerability. The researcher went ahead and disclosed the vulnerability last Tuesday—only 40 days after the initial report—because Transmission developers had yet to apply it. Ormandy said the publication would allow Ubuntu and other downstream projects to independently install the fix.
“I’m finding it frustrating that the Transmission developers are not responding on their private security list,” Ormandy wrote in Tuesday’s public report. “I suggested moving this into the open so that distributions can apply the patch independently.”
A Transmission development official told Ars that he expected an official fix to be released “ASAP” but was not specific. He said the vulnerability was present only when users enabled remote access and disabled password protection. He said people who run the unpatched version of Transmission as a daemon should ensure they have enabled password protection.
DNS rebinding strikes again
Ormandy’s proof-of-concept attack exploits a Transmission function that allows users to control the BitTorrent app with their Web browser. The researcher said most people don’t enable password protection because they assume the JSON RPC interface can only be controlled by someone with physical access to the computer running Transmission. Using a hacking technique known as domain name system rebinding, Ormandy devised a way that the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site. He said he confirmed his exploit works on Chrome and Firefox on Windows and Linux and that he expects other platforms and browsers are also affected.
Attackers can exploit the flaw by creating a DNS name they are authorized to communicate with and then making it resolve to the localhost name of the vulnerable computer. In a separate posting publishing the patch, Ormandy wrote:
- A user visits http://attacker.com, which has an <iframe> to a subdomain the attacker controls.
- The attacker configures their DNS server to respond alternately with 220.127.116.11 (an address they control) with a very low TTL.
- When the browser resolves to 18.104.22.168, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.
Among the things an attacker can do is change the Torrent download directory to the user’s home directory. The attacker could then command Transmission to download a Torrent called “.bashrc” which would automatically be executed the next time the user opened a bash shell. Attackers could also remotely reconfigure Transmission to run any command of their choosing after a download has completed. Ormandy said the exploit is of “relatively low complexity, which is why I’m eager to make sure everyone is patched.”
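A rebound request still carries the attacker-controlled DNS name in its Host header, so a localhost-bound RPC service can refuse it by allowlisting Host values. The sketch below is an added example, not code from the article or from Transmission's patch; the function names, the `extra_names` parameter, the sample headers and port 9091 are assumptions made for illustration.

```python
import ipaddress

# Names this local RPC service answers to (assumption: loopback-only service).
ALLOWED_NAMES = {"localhost"}

def host_from_header(value):
    """Return the lowercased host part of a Host header, or None if malformed."""
    value = (value or "").strip()
    if not value or any(c in value for c in " \t/@,"):
        return None
    if value.startswith("["):                  # bracketed IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    if rest and not (rest[0] == ":" and rest[1:].isdigit()):
        return None                            # junk after the host is rejected
    return host.lower().rstrip(".")

def host_is_allowed(header_value, extra_names=()):
    """Decide whether a request's Host header names this service itself."""
    host = host_from_header(header_value)
    if not host:
        return False
    try:
        # An IP literal is safe: rebinding needs a DNS name the attacker
        # controls, and the browser sends that name, not the IP, in Host.
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return host in ALLOWED_NAMES or host in {n.lower() for n in extra_names}

# Constructed sample Host headers; 9091 is an assumed listening port.
SAMPLES = ["localhost:9091", "127.0.0.1:9091", "[::1]:9091",
           "rebind.attacker.example:9091", "127.0.0.1.attacker.example", ""]

def rejected_samples():
    return [h for h in SAMPLES if not host_is_allowed(h)]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:34} -> {'serve' if host_is_allowed(h) else 'reject'}")
```

The check belongs before any RPC handling, and it complements password protection on the interface instead of replacing it.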
In a tweet, Ormandy said the vulnerability was the “first of a few remote code execution flaws in various popular torrent clients.” He didn’t name the other apps because the 90-day window hasn’t closed yet.
While last week’s disclosure has the most immediate consequences for Transmission users, its lessons about the dangers of DNS rebinding are broadly applicable to people using a wide range of apps.
“I regularly encounter users who don’t accept that websites can access services on localhost or their intranet,” Ormandy wrote. “These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website ‘transfers’ execution somewhere else. It doesn’t work like that, but this is a common source of confusion.”