A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.
The vulnerability was uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers, Tavis Ormandy, has also posted a proof-of-concept attack, just 40 days after the initial report.
Usually, the Project Zero team discloses vulnerabilities either 90 days after reporting them to the affected vendors or once the vendor has released a patch.
However, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago.
> "I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see," Ormandy said in a public report published Tuesday.
The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.
Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.
The Transmission BitTorrent app uses a client-server architecture: users install a daemon service on their systems and then access a web-based interface locally through their browsers.
The daemon installed on the user's system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests.
Ormandy found that a hacking technique called the "domain name system rebinding" attack could successfully exploit this implementation, allowing any malicious website the user visits to execute malicious code remotely on the user's computer with the help of the installed daemon service.
The loophole resides in the fact that services installed on localhost can be manipulated, via the user's own browser, into interacting with third-party websites.
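The standard defence against this kind of rebinding attack on a localhost-bound RPC service is a Host header allowlist; the following is an added illustration written for this article, not Transmission's own patch, and the port 9091, the function names and the sample requests are assumptions:

```python
"""Host-header allowlist for a localhost-bound RPC service.

DNS rebinding defeats a check on the client's IP address: the browser
making the request runs on the victim's own machine, so the connection
arrives from 127.0.0.1 in both the legitimate and the attack case. What
differs is the Host header, which names the site that issued the request.
Refusing requests whose Host is not a known local name closes the hole.
"""
from ipaddress import ip_address

# Names under which the local web UI may legitimately be addressed.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

def normalize_host(host_header: str) -> str:
    """Host part of a Host header, lowercased, port removed.
    Handles 'localhost:9091', '127.0.0.1' and bracketed IPv6 '[::1]:9091'."""
    host = host_header.strip().lower()
    if host.startswith("["):                   # bracketed IPv6 literal
        end = host.find("]")
        return host[1:end] if end != -1 else host
    if host.count(":") == 1:                   # hostname or IPv4 with a port
        host = host.rsplit(":", 1)[0]
    return host

def is_allowed_host(host_header: str) -> bool:
    host = normalize_host(host_header)
    if host in ALLOWED_HOSTS:
        return True
    try:                                       # any loopback literal is fine
        return ip_address(host).is_loopback
    except ValueError:                         # not an IP literal: reject
        return False

def should_serve(remote_addr: str, host_header: str) -> bool:
    """Honour an RPC request only if it is local AND addressed to a local name.
    The address check alone does not stop a rebound attacker domain."""
    if not ip_address(remote_addr).is_loopback:
        return False
    return is_allowed_host(host_header)

# Constructed sample requests (not from the article).
REQUESTS = [
    ("127.0.0.1", "localhost:9091"),         # user's own web UI -> served
    ("127.0.0.1", "[::1]:9091"),             # IPv6 loopback -> served
    ("127.0.0.1", "attacker.example:9091"),  # rebound name -> refused
    ("192.0.2.10", "localhost:9091"),        # not local at all -> refused
]

if __name__ == "__main__":
    for addr, host in REQUESTS:
        print(f"{addr:>12} Host={host:<24} serve={should_serve(addr, host)}")
```

Note that the third request is refused even though it arrived from 127.0.0.1, which is exactly the case a remote-address check alone would wrongly accept.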
> "I regularly encounter users who do not accept that websites can access services on localhost or their intranet," Ormandy wrote in a separate post, which includes the patch.
> "These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine, but somehow believe that accessing a website 'transfers' execution somewhere else. It does not work like that, but this is a common source of confusion."
Attackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works:
Ormandy said the vulnerability (CVE-2018-5702) was the "first of a few remote code execution flaws in various popular torrent clients," though he did not name the other torrent apps due to the 90-day disclosure timeline.
A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.