BitTorrent Sync (peer-to-peer file synchronization system) has a high-risk command injection vulnerability - vulnerability warning - the black bar safety net

2015-04-08T00:00:00
ID MYHACK58:62201560934
Type myhack58
Reporter Anonymous
Modified 2015-04-08T00:00:00

Description

According to an announcement last week by HP's Zero Day Initiative (ZDI), BitTorrent Sync contains a high-risk vulnerability that allows an attacker to remotely execute arbitrary code. For background: BitTorrent Sync is an application from BitTorrent, the network technology company, for automatic peer-to-peer sharing and synchronization of files between multiple computers. Because there is no intermediate server, the transfer is encrypted, security stays in the user's own hands, and file size is limited only by disk space. The application is available for Windows, Mac OS X, Linux and mobile platforms, and files can be synchronized between local users and remote devices.

The command injection vulnerability, CVE-2015-2846, was found by Andrea Micalizzi, also known as rgod. After finding it he did not report it directly to BitTorrent, but submitted his finding to BitTorrent through ZDI in November of last year.

Vulnerability details

The problem lies in how BitTorrent Sync processes URLs of the btsync protocol. An attacker would first have to convince a victim to open a specially crafted link beginning with btsync:. Arbitrary commands injected into a parameter of this special link are then passed on to BTSync.exe for execution.

The vulnerability is rated high risk, with a CVSS score of 7.5. Although it is high risk, it is not very easy to exploit: the attacker can execute arbitrary code on the victim's device only after successfully tricking the victim into visiting a malicious web page or opening a specially crafted file. Curiously, although the researcher found this problem, it is unclear exactly which versions of BitTorrent Sync are affected. What is clear is that version 2.0.93, released on March 18, 2015, already fixes the problem, so BitTorrent Sync users are advised to upgrade to this version.
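The root cause described above, text from a custom-scheme URL flowing into a command line for a local executable, is a general pattern, and the defensive fix is the same everywhere: parse the link, validate each field against a strict allow-list, and hand the executable an argument vector rather than a shell string. The Python below is an added illustration written for this page; it is not BitTorrent Sync's code, and the link layout btsync://<secret>?n=<folder name>, the secret alphabet, and the command-line switches /secret and /name are assumptions chosen for the example. Nothing is executed; both builders only return what would be run.

```python
"""Hardened handling of a custom URL scheme that is handed to a local program.

Added example, not BitTorrent Sync's own code. The link layout
btsync://<secret>?n=<folder name> and the BTSync.exe switches are ASSUMED.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: secrets are base32-like tokens; names are short, plain labels.
SECRET_RE = re.compile(r"^[A-Z2-7]{20,64}$")
NAME_RE = re.compile(r"^[\w .-]{1,64}$")
EXECUTABLE = "BTSync.exe"  # program name from the advisory; path is a placeholder


class UnsafeLinkError(ValueError):
    """Raised when any part of the link fails validation."""


def build_command_unsafe(url: str) -> str:
    """The risky pattern: untrusted link text spliced into one shell string.

    Anything a shell treats specially inside `url` changes what gets run.
    Returned only for contrast; never execute a string built this way.
    """
    return f'{EXECUTABLE} /link "{url}"'


def parse_btsync_link(url: str) -> tuple[str, str]:
    """Split a btsync:// link into (secret, folder_name), rejecting anything odd."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "btsync":
        raise UnsafeLinkError("scheme is not btsync")
    if parts.path or parts.fragment:
        raise UnsafeLinkError("unexpected path or fragment")

    secret = parts.netloc
    if not SECRET_RE.fullmatch(secret):
        raise UnsafeLinkError("secret contains characters outside the allowed set")

    query = parse_qs(parts.query, keep_blank_values=True)
    unknown = set(query) - {"n"}
    if unknown:
        raise UnsafeLinkError(f"unexpected parameters: {sorted(unknown)}")
    names = query.get("n", [""])
    if len(names) != 1:
        raise UnsafeLinkError("folder name given more than once")
    name = names[0]
    if name and not NAME_RE.fullmatch(name):
        raise UnsafeLinkError("folder name contains disallowed characters")
    return secret, name


def build_command_safe(url: str) -> list[str]:
    """Return an argv list: no shell, so metacharacters are never interpreted."""
    secret, name = parse_btsync_link(url)
    argv = [EXECUTABLE, "/secret", secret]
    if name:
        argv += ["/name", name]
    return argv


def is_safe_link(url: str) -> bool:
    """Convenience check for tests and for logging rejected links."""
    try:
        parse_btsync_link(url)
        return True
    except (UnsafeLinkError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample links, not taken from any real capture.
    good = "btsync://ABCDEFGHIJKLMNOPQRST?n=Shared%20docs"
    bad = "btsync://ABCDEFGHIJKLMNOPQRST;x?n=docs"
    print(build_command_safe(good))
    print("rejected:", not is_safe_link(bad))
```

The list returned by build_command_safe is what a handler would pass to subprocess.run without shell=True; the allow-list on the secret and the name, plus the refusal of unknown parameters, is what stops a crafted link from smuggling extra arguments.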