ID: USN-3533-1
Type: ubuntu
Reporter: Ubuntu
Modified: 2018-01-16T00:00:00
Description
It was discovered that Transmission incorrectly handled certain POST requests to the RPC server and allowed a DNS rebinding attack. An attacker could possibly use this issue to execute arbitrary code.
{"result": {"cve": [{"id": "CVE-2018-5702", "type": "cve", "title": "CVE-2018-5702", "description": "Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.", "published": "2018-01-15T11:29:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5702", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-12T15:22:26"}], "nessus": [{"id": "DEBIAN_DLA-1246.NASL", "type": "nessus", "title": "Debian DLA-1246-1 : transmission security update", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent client; insecure RPC handling between the Transmission daemon and the client interface(s) may result in the execution of arbitrary code if a user visits a malicious website while Transmission is running.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 2.52-3+nmu3.\n\nWe recommend that you upgrade your transmission packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2018-01-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=106173", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-13T04:37:06"}, {"id": "DEBIAN_DSA-4087.NASL", "type": "nessus", "title": "Debian DSA-4087-1 : transmission - security update", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent client; insecure RPC handling between the Transmission daemon and the client interface(s) may result in the execution of arbitrary code if a user visits a malicious website while Transmission is running.", "published": "2018-01-15T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=105802", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-13T04:24:35"}, {"id": "FEDORA_2018-D1E263E68E.NASL", "type": "nessus", "title": "Fedora 27 : transmission (2018-d1e263e68e)", "description": "Security fix for CVE-2018-5702 (Mitigate dns rebinding attacks against daemon)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2018-01-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=106113", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-13T04:31:02"}, {"id": "UBUNTU_USN-3533-1.NASL", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : transmission vulnerability (USN-3533-1)", "description": "It was discovered that 
Transmission incorrectly handled certain POST requests to the RPC server and allowed DNS rebinding attack. An attacker could possibly use this issue to execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2018-01-17T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=106096", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-13T04:37:06"}, {"id": "ALA_ALAS-2018-950.NASL", "type": "nessus", "title": "Amazon Linux AMI : transmission (ALAS-2018-950)", "description": "Transmission relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack. (CVE-2018-5702)", "published": "2018-02-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=106695", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-04-19T07:23:08"}], "exploitdb": [{"id": "EDB-ID:43665", "type": "exploitdb", "title": "Transmission - RPC DNS Rebinding", "description": "Transmission - RPC DNS Rebinding. CVE-2018-5702. 
Remote exploit for Multiple platform", "published": "2018-01-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/43665/", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-01-24T14:24:08"}], "openvas": [{"id": "OPENVAS:1361412562310704087", "type": "openvas", "title": "Debian Security Advisory DSA 4087-1 (transmission - security update)", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent\nclient; insecure RPC handling between the Transmission daemon and the\nclient interface(s) may result in the execution of arbitrary code if a\nuser visits a malicious website while Transmission is running.", "published": "2018-01-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704087", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-28T15:21:53"}, {"id": "OPENVAS:1361412562310874030", "type": "openvas", "title": "Fedora Update for transmission FEDORA-2018-d1e263e68e", "description": "Check the version of transmission", "published": "2018-01-18T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874030", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-14T18:55:21"}, {"id": "OPENVAS:1361412562310874211", "type": "openvas", "title": "Fedora Update for transmission FEDORA-2018-b166805347", "description": "Check the version of transmission", "published": "2018-03-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874211", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-03-20T16:37:57"}, {"id": "OPENVAS:1361412562310891246", "type": "openvas", "title": "Debian LTS Advisory ([SECURITY] [DLA 1246-1] transmission security update)", 
"description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent\nclient; insecure RPC handling between the Transmission daemon and the\nclient interface(s) may result in the execution of arbitrary code if a\nuser visits a malicious website while Transmission is running.", "published": "2018-01-22T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891246", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-03-29T18:47:48"}], "thn": [{"id": "THN:8765E8456C091FCC37F23EF475C3585D", "type": "thn", "title": "Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely", "description": "[](<https://1.bp.blogspot.com/-pqfBMIh9S1E/Wl2yjIEHdvI/AAAAAAAAC6U/qO0rUkaGziAXsAB43WDRiGWFIUUWkiB1QCEwYBhgL/s728/bittorrent-rce.png>)\n\nA critical vulnerability has been discovered in the widely used **Transmission BitTorrent app** that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them. \n \nThe vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack\u2014just 40 days after the initial report. \n \nUsually, Project Zero team discloses vulnerabilities either after 90 days of reporting them to the affected vendors or until the vendor has released a patch. \n \nHowever, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago. \n\n\n> \"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. 
I suspect they won't reply, but let's see,\" Ormandy said in a [public report](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1447>) published Tuesday.\n\n \n\n\n### Proof-of-Concept Exploit Made Publicly Available\n\n \nThe [PoC attack](<https://lock.cmpxchg8b.com/rebinder.html>) published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser. \n \nOrmandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack. \n \nTransmission BitTorrent app works on server-client architecture, where users have to install a daemon service on their systems in order to access a web-based interface on their browsers locally. \n \nThe daemon installed on the user system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests. \n \nOrmandy found that a hacking technique called the \"domain name system rebinding\" attack could successfully exploit this implementation, allowing any malicious website that user visits to execute malicious code on user's computer remotely with the help of installed daemon service. \n \n\n\n### Here's How the Attack Works:\n\n \nThe loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites. \n\n\n> \"I regularly encounter users who do not accept that websites can access services on localhost or their intranet,\" Ormandy wrote in a [separate post](<https://github.com/transmission/transmission/pull/468>), which includes the patch.\n\n> \"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine\u2014but somehow believe that accessing a website \"transfers\" execution somewhere else. 
It does not work like that, but this is a common source of confusion.\"\n\nAttackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works: \n\n\n[](<https://4.bp.blogspot.com/-EDrby3d-yqU/Wl2y1M1A0SI/AAAAAAAAC6Q/t2q9d_ojutwrh97hDA5jW-0i7rfX4ut4QCLcBGAs/s728/bittorrent-rce-2.png>)\n\n \n\n\n 1. A user visits malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.\n 2. The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker) with a very low TTL.\n 3. When the browser resolves to 123.123.123.123, it serves HTML that waits for the DNS entry to expire (or force it to terminate by flooding the cache with lookups), then it has permission to read and set headers.\n \nOrmandy [said](<https://twitter.com/taviso/status/951526615145566208>) the vulnerability (CVE-2018-5702) was the _\"first of a few remote code execution flaws in various popular torrent clients,\"_ though he did not name the other torrent apps due to the 90-day disclosure timeline. 
\n \nA fix is expected to be released as soon as possible, a development official with Transmission told [ArsTechnica](<https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/>), without specifying an actual date.\n", "published": "2018-01-15T21:22:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2018/01/bittorent-transmission-hacking.html", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-01-27T09:17:17"}, {"id": "THN:9ABA4AFD47CE7283D9BFBDA9A88F57A9", "type": "thn", "title": "Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely", "description": "[](<https://1.bp.blogspot.com/-pqfBMIh9S1E/Wl2yjIEHdvI/AAAAAAAAC6U/qO0rUkaGziAXsAB43WDRiGWFIUUWkiB1QCEwYBhgL/s728/bittorrent-rce.png>)\n\nA critical vulnerability has been discovered in the widely used **Transmission BitTorrent app** that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them. \n \nThe vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack\u2014just 40 days after the initial report. \n \nUsually, Project Zero team discloses vulnerabilities either after 90 days of reporting them to the affected vendors or until the vendor has released a patch. \n \nHowever, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago. \n\n\n> \"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. 
I suspect they won't reply, but let's see,\" Ormandy said in a [public report](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1447>) published Tuesday.\n\n \n\n\n### Proof-of-Concept Exploit Made Publicly Available\n\n \nThe [PoC attack](<https://lock.cmpxchg8b.com/rebinder.html>) published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser. \n \nOrmandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack. \n \nTransmission BitTorrent app works on server-client architecture, where users have to install a daemon service on their systems in order to access a web-based interface on their browsers locally. \n \nThe daemon installed on the user system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests. \n \nOrmandy found that a hacking technique called the \"domain name system rebinding\" attack could successfully exploit this implementation, allowing any malicious website that user visits to execute malicious code on user's computer remotely with the help of installed daemon service. \n \n\n\n### Here's How the Attack Works:\n\n \nThe loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites. \n\n\n> \"I regularly encounter users who do not accept that websites can access services on localhost or their intranet,\" Ormandy wrote in a [separate post](<https://github.com/transmission/transmission/pull/468>), which includes the patch.\n\n> \"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine\u2014but somehow believe that accessing a website \"transfers\" execution somewhere else. 
It does not work like that, but this is a common source of confusion.\"\n\nAttackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works: \n\n\n[](<https://4.bp.blogspot.com/-EDrby3d-yqU/Wl2y1M1A0SI/AAAAAAAAC6Q/t2q9d_ojutwrh97hDA5jW-0i7rfX4ut4QCLcBGAs/s728/bittorrent-rce-2.png>)\n\n \n\n\n 1. A user visits malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.\n 2. The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker) with a very low TTL.\n 3. When the browser resolves to 123.123.123.123, it serves HTML that waits for the DNS entry to expire (or force it to terminate by flooding the cache with lookups), then it has permission to read and set headers.\n \nOrmandy [said](<https://twitter.com/taviso/status/951526615145566208>) the vulnerability (CVE-2018-5702) was the _\"first of a few remote code execution flaws in various popular torrent clients,\"_ though he did not name the other torrent apps due to the 90-day disclosure timeline. 
\n \nA fix is expected to be released as soon as possible, a development official with Transmission told [ArsTechnica](<https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/>), without specifying an actual date.\n", "published": "2018-01-15T21:22:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://thehackernews.com/2018/01/bittorent-transmission-hacking.html", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-01-16T11:58:55"}], "debian": [{"id": "DSA-4087", "type": "debian", "title": "transmission -- security update", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent client; insecure RPC handling between the Transmission daemon and the client interface(s) may result in the execution of arbitrary code if a user visits a malicious website while Transmission is running.\n\nFor the oldstable distribution (jessie), this problem has been fixed in version 2.84-0.2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in version 2.92-2+deb9u1.\n\nWe recommend that you upgrade your transmission packages.\n\nFor the detailed security status of transmission please refer to its security tracker page at: <https://security-tracker.debian.org/tracker/transmission>", "published": "2018-01-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-4087", "cvelist": ["CVE-2018-5702"], "lastseen": "2018-02-13T18:38:15"}]}}