There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

Researcher Tavis Ormandy published the proof-of-concept attack code last week, along with a detailed description of the underlying vulnerability it exploited. Normally, Project Zero withholds publication of such details for 90 days or until the developer has released a fix. In this case, however, Ormandy's private report to Transmission included a patch that completely fixed the vulnerability. The researcher went ahead and disclosed the vulnerability last Tuesday, only 40 days after the initial report, because Transmission developers had yet to apply it. Ormandy said the publication would allow Ubuntu and other downstream projects to independently install the fix.

"I'm finding it frustrating that the Transmission developers are not responding on their private security list," Ormandy wrote in Tuesday's public report. "I suggested moving this into the open so that distributions can apply the patch independently."

A Transmission development official told Ars that he expected an official fix to be released "ASAP" but was not specific. He said the vulnerability was present only when users enabled remote access and disabled password protection. He said people who run the unpatched version of Transmission as a daemon should ensure they have enabled password protection.

Ormandy's proof-of-concept attack exploits a Transmission function that allows users to control the BitTorrent app with their Web browser. The researcher said most people don't enable password protection because they assume the JSON RPC interface can only be controlled by someone with physical access to the computer running Transmission. Using a hacking technique known as domain name system rebinding, Ormandy devised a way that the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site. He said he confirmed his exploit works on Chrome and Firefox on Windows and Linux and that he expects other platforms and browsers are also affected.

Attackers can exploit the flaw by creating a DNS name they are authorized to communicate with and then making it resolve to the localhost name of the vulnerable computer. In a separate posting publishing the patch, Ormandy wrote:

1. A user visits a website, which has an iframe to a subdomain the attacker controls.
2. The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.

Among the things an attacker can do is change the Torrent download directory to the user's home directory. The attacker could then command Transmission to download a Torrent called ".bashrc" which would automatically be executed the next time the user opened a bash shell.
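DNS rebinding works here because the browser's request reaches 127.0.0.1 while its Host header still names the attacker's domain. One standard defense, shown as an added example in Python (not the article's or Transmission's own code), is for a loopback-bound RPC service to refuse any request whose Host header does not name the service itself; the allowlist, the port 9091 (Transmission's default RPC port, not stated in the article) and the sample headers are assumptions made for illustration.

```python
"""Host-header allowlist gate for a loopback-bound JSON-RPC service (added example)."""

# Names this service is willing to answer to; anything else is treated as a
# rebinding attempt or a misdirected request. Constructed for this example.
DEFAULT_ALLOWED = {"localhost", "127.0.0.1", "::1"}


def parse_host_header(value):
    """Split a Host header into (hostname, port), handling [IPv6]:port and trailing dots.

    Returns None when the header is malformed (e.g. a non-numeric port)."""
    value = value.strip().lower()
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        port = rest[1:] if rest.startswith(":") else None
    else:
        host, _, port = value.partition(":")
        port = port or None
    host = host.rstrip(".")                   # "localhost." is the same name as "localhost"
    if port is not None and not port.isdigit():
        return None
    return host, port


def host_header_allowed(value, allowed=DEFAULT_ALLOWED, expected_port=None):
    """True only if the Host header names this service (and its port, when one is expected)."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if host not in allowed:
        return False
    if expected_port is not None and port not in (None, str(expected_port)):
        return False
    return True


def rpc_gate(request_headers, expected_port=9091):
    """Decide whether an RPC request may be served. Returns (status, reason).

    A missing Host header is rejected too, since HTTP/1.1 clients always send one."""
    host = request_headers.get("Host")
    if host is None:
        return 403, "missing Host header"
    if not host_header_allowed(host, expected_port=expected_port):
        return 421, f"Host {host!r} is not a name this service answers to"
    return 200, "ok"
```

A rebinding request carries the attacker's hostname in Host (the browser never rewrites it when the A record flips), so it is rejected even though the TCP connection genuinely arrives from the loopback interface.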