ID USN-3533-1 Type ubuntu Reporter Ubuntu Modified 2018-01-16T00:00:00
Description
It was discovered that Transmission incorrectly handled certain POST requests to the RPC server and allowed DNS rebinding attack. An attacker could possibly use this issue to execute arbitrary code.
{"cve": [{"lastseen": "2018-02-12T15:22:26", "references": ["https://github.com/transmission/transmission/pull/468", "https://www.exploit-db.com/exploits/43665/", "https://lists.debian.org/debian-lts-announce/2018/01/msg00020.html", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1447", "https://twitter.com/taviso/status/951526615145566208", "https://www.debian.org/security/2018/dsa-4087"], "description": "Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.", "edition": 5, "reporter": "NVD", "published": "2018-01-15T11:29:00", "title": "CVE-2018-5702", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-5702"], "scanner": [], "modified": "2018-02-09T12:54:55", "cpe": ["cpe:/a:transmissionbt:transmission:2.92", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5702", "id": "CVE-2018-5702", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2018-01-27T09:17:17", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "references": [], "description": "[](<https://1.bp.blogspot.com/-pqfBMIh9S1E/Wl2yjIEHdvI/AAAAAAAAC6U/qO0rUkaGziAXsAB43WDRiGWFIUUWkiB1QCEwYBhgL/s728/bittorrent-rce.png>)\n\nA critical vulnerability has been discovered in the widely used **Transmission BitTorrent app** that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them. \n \nThe vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack\u2014just 40 days after the initial report. \n \nUsually, Project Zero team discloses vulnerabilities either after 90 days of reporting them to the affected vendors or until the vendor has released a patch. \n \nHowever, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago. \n\n\n> \"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see,\" Ormandy said in a [public report](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1447>) published Tuesday.\n\n \n\n\n### Proof-of-Concept Exploit Made Publicly Available\n\n \nThe [PoC attack](<https://lock.cmpxchg8b.com/rebinder.html>) published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser. \n \nOrmandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack. \n \nTransmission BitTorrent app works on server-client architecture, where users have to install a daemon service on their systems in order to access a web-based interface on their browsers locally. \n \nThe daemon installed on the user system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests. \n \nOrmandy found that a hacking technique called the \"domain name system rebinding\" attack could successfully exploit this implementation, allowing any malicious website that user visits to execute malicious code on user's computer remotely with the help of installed daemon service. \n \n\n\n### Here's How the Attack Works:\n\n \nThe loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites. \n\n\n> \"I regularly encounter users who do not accept that websites can access services on localhost or their intranet,\" Ormandy wrote in a [separate post](<https://github.com/transmission/transmission/pull/468>), which includes the patch.\n\n> \"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine\u2014but somehow believe that accessing a website \"transfers\" execution somewhere else. It does not work like that, but this is a common source of confusion.\"\n\nAttackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works: \n\n\n[](<https://4.bp.blogspot.com/-EDrby3d-yqU/Wl2y1M1A0SI/AAAAAAAAC6Q/t2q9d_ojutwrh97hDA5jW-0i7rfX4ut4QCLcBGAs/s728/bittorrent-rce-2.png>)\n\n \n\n\n 1. A user visits malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.\n 2. The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker) with a very low TTL.\n 3. When the browser resolves to 123.123.123.123, it serves HTML that waits for the DNS entry to expire (or force it to terminate by flooding the cache with lookups), then it has permission to read and set headers.\n \nOrmandy [said](<https://twitter.com/taviso/status/951526615145566208>) the vulnerability (CVE-2018-5702) was the _\"first of a few remote code execution flaws in various popular torrent clients,\"_ though he did not name the other torrent apps due to the 90-day disclosure timeline. \n \nA fix is expected to be released as soon as possible, a development official with Transmission told [ArsTechnica](<https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/>), without specifying an actual date.\n", "reporter": "Swati Khandelwal", "published": "2018-01-15T21:22:00", "type": "thn", "title": "Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-5702"], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-01-16T08:22:20", "id": "THN:8765E8456C091FCC37F23EF475C3585D", "href": "https://thehackernews.com/2018/01/bittorent-transmission-hacking.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-09-02T00:10:55", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00020.html", "https://packages.debian.org/source/wheezy/transmission"], "pluginID": "106173", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent client; insecure RPC handling between the Transmission daemon and the client interface(s) may result in the execution of arbitrary code if a user visits a malicious website while Transmission is running.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 2.52-3+nmu3.\n\nWe recommend that you upgrade your transmission packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 6, "reporter": "Tenable", "published": "2018-01-19T00:00:00", "title": "Debian DLA-1246-1 : transmission security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-07-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:transmission-common", "p-cpe:/a:debian:debian_linux:transmission-daemon", "p-cpe:/a:debian:debian_linux:transmission-cli", "p-cpe:/a:debian:debian_linux:transmission-qt", "p-cpe:/a:debian:debian_linux:transmission", "p-cpe:/a:debian:debian_linux:transmission-dbg", "p-cpe:/a:debian:debian_linux:transmission-gtk", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1246.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106173", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1246-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106173);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2018/07/06 11:26:07\");\n\n script_cve_id(\"CVE-2018-5702\");\n\n script_name(english:\"Debian DLA-1246-1 : transmission security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy discovered a vulnerability in the Transmission\nBitTorrent client; insecure RPC handling between the Transmission\ndaemon and the client interface(s) may result in the execution of\narbitrary code if a user visits a malicious website while Transmission\nis running.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2.52-3+nmu3.\n\nWe recommend that you upgrade your transmission packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00020.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/transmission\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"transmission\", reference:\"2.52-3+nmu3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"transmission-cli\", reference:\"2.52-3+nmu3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"transmission-common\", reference:\"2.52-3+nmu3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"transmission-daemon\", reference:\"2.52-3+nmu3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"transmission-dbg\", reference:\"2.52-3+nmu3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"transmission-gtk\", reference:\"2.52-3+nmu3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"transmission-qt\", reference:\"2.52-3+nmu3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:01:44", "references": ["https://security.gentoo.org/glsa/201806-07"], "pluginID": "110616", "description": "The remote host is affected by the vulnerability described in GLSA-201806-07 (Transmission: Remote code execution)\n\n A vulnerability was discovered in how Transmission handles access control through the X-Transmission-Session-Id.\n Impact :\n\n A remote attacker could execute arbitrary RFC commands or consequently conduct a DNS rebinding attack.\n Workaround :\n\n There is no known workaround at this time.", "edition": 3, "reporter": "Tenable", "published": "2018-06-20T00:00:00", "title": "GLSA-201806-07 : Transmission: Remote code execution", "type": "nessus", "enchantments": {"score": {"modified": "2018-09-02T00:01:44", "vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-06-20T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:transmission"], "id": "GENTOO_GLSA-201806-07.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110616", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201806-07.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110616);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/06/20 12:48:53\");\n\n script_cve_id(\"CVE-2018-5702\");\n script_xref(name:\"GLSA\", value:\"201806-07\");\n\n script_name(english:\"GLSA-201806-07 : Transmission: Remote code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201806-07\n(Transmission: Remote code execution)\n\n A vulnerability was discovered in how Transmission handles access\n control through the X-Transmission-Session-Id.\n \nImpact :\n\n A remote attacker could execute arbitrary RFC commands or consequently\n conduct a DNS rebinding attack.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201806-07\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Transmission users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-p2p/transmission-'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:transmission\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-p2p/transmission\", unaffected:make_list(\"ge 2.93\"), vulnerable:make_list(\"lt 2.93\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Transmission\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:56:16", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2018-d1e263e68e"], "pluginID": "106113", "description": "Security fix for CVE-2018-5702 (Mitigate dns rebinding attacks against daemon)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2018-01-18T00:00:00", "title": "Fedora 27 : transmission (2018-d1e263e68e)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-02-12T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:transmission"], "id": "FEDORA_2018-D1E263E68E.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106113", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-d1e263e68e.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106113);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2018/02/12 15:59:47 $\");\n\n script_cve_id(\"CVE-2018-5702\");\n script_xref(name:\"FEDORA\", value:\"2018-d1e263e68e\");\n\n script_name(english:\"Fedora 27 : transmission (2018-d1e263e68e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2018-5702 (Mitigate dns rebinding attacks against\ndaemon)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-d1e263e68e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected transmission package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:transmission\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"transmission-2.92-11.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"transmission\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:40:54", "references": ["http://www.debian.org/security/2018/dsa-4087", "https://packages.debian.org/source/jessie/transmission", "https://security-tracker.debian.org/tracker/transmission", "https://packages.debian.org/source/stretch/transmission", "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886990"], "pluginID": "105802", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent client; insecure RPC handling between the Transmission daemon and the client interface(s) may result in the execution of arbitrary code if a user visits a malicious website while Transmission is running.", "edition": 6, "reporter": "Tenable", "published": "2018-01-15T00:00:00", "title": "Debian DSA-4087-1 : transmission - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-02-12T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:transmission", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4087.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105802", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4087. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105802);\n script_version(\"$Revision: 3.3 $\");\n script_cvs_date(\"$Date: 2018/02/12 15:59:47 $\");\n\n script_cve_id(\"CVE-2018-5702\");\n script_xref(name:\"DSA\", value:\"4087\");\n\n script_name(english:\"Debian DSA-4087-1 : transmission - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy discovered a vulnerability in the Transmission\nBitTorrent client; insecure RPC handling between the Transmission\ndaemon and the client interface(s) may result in the execution of\narbitrary code if a user visits a malicious website while Transmission\nis running.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886990\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/transmission\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/transmission\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/transmission\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2018/dsa-4087\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the transmission packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 2.84-0.2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.92-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transmission\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"transmission\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"transmission-cli\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"transmission-common\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"transmission-daemon\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"transmission-dbg\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"transmission-gtk\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"transmission-qt\", reference:\"2.84-0.2+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"transmission\", reference:\"2.92-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"transmission-cli\", reference:\"2.92-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"transmission-common\", reference:\"2.92-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"transmission-daemon\", reference:\"2.92-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"transmission-gtk\", reference:\"2.92-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"transmission-qt\", reference:\"2.92-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:10:53", "references": [], "pluginID": "106096", "description": "It was discovered that Transmission incorrectly handled certain POST requests to the RPC server and allowed DNS rebinding attack. An attacker could possibly use this issue to execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 7, "reporter": "Tenable", "published": "2018-01-17T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : transmission vulnerability (USN-3533-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-08-06T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.10", "p-cpe:/a:canonical:ubuntu_linux:transmission", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3533-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106096", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3533-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106096);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\"CVE-2018-5702\");\n script_xref(name:\"USN\", value:\"3533-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : transmission vulnerability (USN-3533-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Transmission incorrectly handled certain POST\nrequests to the RPC server and allowed DNS rebinding attack. An\nattacker could possibly use this issue to execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected transmission package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:transmission\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(14\\.04|16\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"transmission\", pkgver:\"2.82-1.1ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"transmission\", pkgver:\"2.84-3ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"transmission\", pkgver:\"2.92-2ubuntu3.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"transmission\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:33:04", "references": ["https://alas.aws.amazon.com/ALAS-2018-950.html"], "pluginID": "106695", "description": "Transmission relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack. (CVE-2018-5702)", "edition": 6, "reporter": "Tenable", "published": "2018-02-09T00:00:00", "title": "Amazon Linux AMI : transmission (ALAS-2018-950)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:transmission", "p-cpe:/a:amazon:linux:transmission-cli", "p-cpe:/a:amazon:linux:transmission-debuginfo", "p-cpe:/a:amazon:linux:transmission-daemon", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:transmission-common"], "id": "ALA_ALAS-2018-950.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106695", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-950.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106695);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2018-5702\");\n script_xref(name:\"ALAS\", value:\"2018-950\");\n\n script_name(english:\"Amazon Linux AMI : transmission (ALAS-2018-950)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Transmission relies on X-Transmission-Session-Id (which is not a\nforbidden header for Fetch) for access control, which allows remote\nattackers to execute arbitrary RPC commands, and consequently write to\narbitrary files, via POST requests to /transmission/rpc in conjunction\nwith a DNS rebinding attack. (CVE-2018-5702)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-950.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update transmission' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:transmission\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:transmission-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:transmission-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:transmission-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:transmission-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"transmission-2.92-11.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"transmission-cli-2.92-11.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"transmission-common-2.92-11.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"transmission-daemon-2.92-11.12.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"transmission-debuginfo-2.92-11.12.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"transmission / transmission-cli / transmission-common / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-01-24T14:24:08", "osvdbidlist": [], "references": [], "description": "Transmission - RPC DNS Rebinding. CVE-2018-5702. Remote exploit for Multiple platform", "edition": 1, "reporter": "Exploit-DB", "published": "2018-01-11T00:00:00", "type": "exploitdb", "title": "Transmission - RPC DNS Rebinding", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-5702"], "modified": "2018-01-11T00:00:00", "href": "https://www.exploit-db.com/exploits/43665/", "id": "EDB-ID:43665", "sourceData": "The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc.\r\n\r\nClients interact with the daemon using JSON RPC requests to a web server listening on port 9091. By default, the daemon will only accept requests from localhost.\r\n\r\nA sample RPC session looks like this:\r\n\r\n```\r\n$ curl -H 'X-Transmission-Session-Id: foo' -sI '{}' http://localhost:9091/transmission/rpc\r\nHTTP/1.1 409 Conflict\r\nServer: Transmission\r\nX-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H\r\nDate: Wed, 29 Nov 2017 21:37:41 GMT\r\n```\r\n\r\n```\r\n$ curl -H 'X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H' -d '{\"method\":\"session-set\",\"arguments\":{\"download-dir\":\"/home/user\"}}' -si http://localhost:9091/transmission/rpc\r\nHTTP/1.1 200 OK\r\nServer: Transmission\r\nContent-Type: application/json; charset=UTF-8\r\nDate: Wed, 29 Nov 2017 21:38:57 GMT\r\nContent-Length: 36\r\n\r\n{\"arguments\":{},\"result\":\"success\"}\r\n```\r\n\r\nAs with all HTTP RPC schemes like this, any website can send requests to the daemon with XMLHttpRequest, but the theory is they will be ignored because requests must read and request a specific header, X-Transmission-Session-Id. Unfortunately, this design doesn't work because of an attack called \"dns rebinding\". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.\r\n\r\nThe attack works like this:\r\n\r\n1. A user visits http://attacker.com.\r\n2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.\r\n3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.\r\n\r\nYou can test this attack like this, I have a domain I use for testing called rbndr.us, you can use this page to generate hostnames:\r\n\r\nhttps://lock.cmpxchg8b.com/rebinder.html\r\n\r\nHere I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:\r\n\r\n```\r\n$ host 7f000001.c7f11de3.rbndr.us\r\n7f000001.c7f11de3.rbndr.us has address 127.0.0.1\r\n$ host 7f000001.c7f11de3.rbndr.us\r\n7f000001.c7f11de3.rbndr.us has address 199.241.29.227\r\n$ host 7f000001.c7f11de3.rbndr.us\r\n7f000001.c7f11de3.rbndr.us has address 127.0.0.1\r\n```\r\n\r\nHere you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).\r\n\r\nI just wait for the cached response to expire, and then POST commands to the server.\r\n\r\nExploitation is simple, you could set script-torrent-done-enabled and run any command, or set download-dir to /home/user/ and then upload a torrent for \".bashrc\". \r\n\r\nHere is my (simple) demo:\r\n\r\nhttp://lock.cmpxchg8b.com/Asoquu3e.html\r\n\r\nSee screenshots for how it's supposed to work, I've only tested it on fedora with `yum install transmission-daemon` and all default settings, but this should work on any platform that transmission supports.\r\n\r\nEDB Note ~ https://bugs.chromium.org/p/project-zero/issues/detail?id=1447\r\nEDB Note ~ https://github.com/transmission/transmission/pull/468\r\nEDB Note ~ https://github.com/taviso/rbndr/tree/a189ffd9447ba78aa2702c5649d853b6fb612e3b\r\n\r\nDownload: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43665.zip", "sourceHref": "https://www.exploit-db.com/download/43665/", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2018-09-01T23:39:48", "references": ["https://www.debian.org/security/2018/dsa-4087.html"], "pluginID": "1361412562310704087", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent\nclient; insecure RPC handling between the Transmission daemon and the\nclient interface(s) may result in the execution of arbitrary code if a\nuser visits a malicious website while Transmission is running.", "edition": 4, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-01-14T00:00:00", "title": "Debian Security Advisory DSA 4087-1 (transmission - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-02-28T00:00:00", "id": "OPENVAS:1361412562310704087", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704087", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_4087.nasl 8972 2018-02-28 07:02:10Z cfischer $\n#\n# Auto-generated from advisory DSA 4087-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704087\");\n script_version(\"$Revision: 8972 $\");\n script_cve_id(\"CVE-2018-5702\");\n script_name(\"Debian Security Advisory DSA 4087-1 (transmission - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-28 08:02:10 +0100 (Wed, 28 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-14 00:00:00 +0100 (Sun, 14 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4087.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name:\"affected\", value:\"transmission on Debian Linux\");\n script_tag(name:\"insight\", value:\"Transmission is a set of lightweight BitTorrent clients (in GUI, CLI\nand daemon form). All its incarnations feature a very simple, intuitive\ninterface on top on an efficient, cross-platform back-end.\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 2.84-0.2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.92-2+deb9u1.\n\nWe recommend that you upgrade your transmission packages.\n\nFor the detailed security status of transmission please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/transmission\");\n script_tag(name:\"summary\", value:\"Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent\nclient; insecure RPC handling between the Transmission daemon and the\nclient interface(s) may result in the execution of arbitrary code if a\nuser visits a malicious website while Transmission is running.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"transmission\", ver:\"2.92-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-cli\", ver:\"2.92-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-common\", ver:\"2.92-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-daemon\", ver:\"2.92-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-gtk\", ver:\"2.92-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-qt\", ver:\"2.92-2+deb9u1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-cli\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-common\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-daemon\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-dbg\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-gtk\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-qt\", ver:\"2.84-0.2+deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:37:07", "references": ["2018-b166805347", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWUU5KHUYGRI3QLVBDPKLTQ6L7ZJMY5E"], "pluginID": "1361412562310874211", "description": "Check the version of transmission", "edition": 4, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-03-14T00:00:00", "title": "Fedora Update for transmission FEDORA-2018-b166805347", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-03-19T00:00:00", "id": "OPENVAS:1361412562310874211", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874211", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_b166805347_transmission_fc26.nasl 9135 2018-03-19 12:37:31Z asteins $\n#\n# Fedora Update for transmission FEDORA-2018-b166805347\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874211\");\n script_version(\"$Revision: 9135 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-03-19 13:37:31 +0100 (Mon, 19 Mar 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-14 08:41:16 +0100 (Wed, 14 Mar 2018)\");\n script_cve_id(\"CVE-2018-5702\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for transmission FEDORA-2018-b166805347\");\n script_tag(name: \"summary\", value: \"Check the version of transmission\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help \nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Transmission is a free, lightweight \nBitTorrent client. It features a simple, intuitive interface on top on an \nefficient, cross-platform back-end.\n\");\n script_tag(name: \"affected\", value: \"transmission on Fedora 26\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2018-b166805347\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWUU5KHUYGRI3QLVBDPKLTQ6L7ZJMY5E\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"transmission\", rpm:\"transmission~2.92~12.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:39:38", "references": ["https://lists.debian.org/debian-lts-announce/2018/01/msg00020.html"], "pluginID": "1361412562310891246", "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent\nclient. Insecure RPC handling between the Transmission daemon and the\nclient interface(s) may result in the execution of arbitrary code if a\nuser visits a malicious website while Transmission is running.", "edition": 8, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-01-22T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1246-1] transmission security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-07-10T00:00:00", "id": "OPENVAS:1361412562310891246", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891246", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1246.nasl 10474 2018-07-10 08:12:26Z cfischer $\n#\n# Auto-generated from advisory DLA 1246-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891246\");\n script_version(\"$Revision: 10474 $\");\n script_cve_id(\"CVE-2018-5702\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1246-1] transmission security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-07-10 10:12:26 +0200 (Tue, 10 Jul 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-22 00:00:00 +0100 (Mon, 22 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00020.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"transmission on Debian Linux\");\n script_tag(name:\"insight\", value:\"Transmission is a set of lightweight BitTorrent clients (in GUI, CLI\nand daemon form). All its incarnations feature a very simple, intuitive\ninterface on top on an efficient, cross-platform back-end.\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n2.52-3+nmu3.\n\nWe recommend that you upgrade your transmission packages.\");\n script_tag(name:\"summary\", value:\"Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent\nclient. Insecure RPC handling between the Transmission daemon and the\nclient interface(s) may result in the execution of arbitrary code if a\nuser visits a malicious website while Transmission is running.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"transmission\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-cli\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-common\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-daemon\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-dbg\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-gtk\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"transmission-qt\", ver:\"2.52-3+nmu3\", rls_regex:\"DEB7\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:37:16", "references": ["2018-d1e263e68e", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7E4DGDKW672SG6QYQ7KN4HOPXJIR52K7"], "pluginID": "1361412562310874030", "description": "Check the version of transmission", "edition": 5, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-01-18T00:00:00", "title": "Fedora Update for transmission FEDORA-2018-d1e263e68e", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5702"], "modified": "2018-02-14T00:00:00", "id": "OPENVAS:1361412562310874030", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874030", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_d1e263e68e_transmission_fc27.nasl 8811 2018-02-14 12:41:44Z cfischer $\n#\n# Fedora Update for transmission FEDORA-2018-d1e263e68e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874030\");\n script_version(\"$Revision: 8811 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-14 13:41:44 +0100 (Wed, 14 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-18 07:38:22 +0100 (Thu, 18 Jan 2018)\");\n script_cve_id(\"CVE-2018-5702\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for transmission FEDORA-2018-d1e263e68e\");\n script_tag(name: \"summary\", value: \"Check the version of transmission\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help \nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Transmission is a free, lightweight \nBitTorrent client. It features a simple, intuitive interface on top on an \nefficient, cross-platform back-end.\n\");\n script_tag(name: \"affected\", value: \"transmission on Fedora 27\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2018-d1e263e68e\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7E4DGDKW672SG6QYQ7KN4HOPXJIR52K7\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"transmission\", rpm:\"transmission~2.92~11.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-02-13T18:38:15", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission-gtk_2.84-0.2+deb8u1_all.deb", "packageName": "transmission-gtk", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "9", "packageVersion": "2.92-2+deb9u1", "arch": "all", "packageFilename": "transmission_2.92-2+deb9u1_all.deb", "packageName": "transmission", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "9", "packageVersion": "2.92-2+deb9u1", "arch": "all", "packageFilename": "transmission-gtk_2.92-2+deb9u1_all.deb", "packageName": "transmission-gtk", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission-cli_2.84-0.2+deb8u1_all.deb", "packageName": "transmission-cli", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission-daemon_2.84-0.2+deb8u1_all.deb", "packageName": "transmission-daemon", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "9", "packageVersion": "2.92-2+deb9u1", "arch": "all", "packageFilename": "transmission-cli_2.92-2+deb9u1_all.deb", "packageName": "transmission-cli", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission-common_2.84-0.2+deb8u1_all.deb", "packageName": "transmission-common", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission_2.84-0.2+deb8u1_all.deb", "packageName": "transmission", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission-dbg_2.84-0.2+deb8u1_all.deb", "packageName": "transmission-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "9", "packageVersion": "2.92-2+deb9u1", "arch": "all", "packageFilename": "transmission-daemon_2.92-2+deb9u1_all.deb", "packageName": "transmission-daemon", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "2.84-0.2+deb8u1", "arch": "all", "packageFilename": "transmission-qt_2.84-0.2+deb8u1_all.deb", "packageName": "transmission-qt", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "9", "packageVersion": "2.92-2+deb9u1", "arch": "all", "packageFilename": "transmission-qt_2.92-2+deb9u1_all.deb", "packageName": "transmission-qt", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "9", "packageVersion": "2.92-2+deb9u1", "arch": "all", "packageFilename": "transmission-common_2.92-2+deb9u1_all.deb", "packageName": "transmission-common", "operator": "lt"}], "description": "Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent client; insecure RPC handling between the Transmission daemon and the client interface(s) may result in the execution of arbitrary code if a user visits a malicious website while Transmission is running.\n\nFor the oldstable distribution (jessie), this problem has been fixed in version 2.84-0.2+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in version 2.92-2+deb9u1.\n\nWe recommend that you upgrade your transmission packages.\n\nFor the detailed security status of transmission please refer to its security tracker page at: <https://security-tracker.debian.org/tracker/transmission>", "edition": 3, "reporter": "Debian", "published": "2018-01-14T00:00:00", "type": "debian", "title": "transmission -- security update", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-5702"], "modified": "2018-01-14T00:00:00", "href": "http://www.debian.org/security/dsa-4087", "id": "DSA-4087", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2018-06-20T03:56:14", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2018-5702", "https://bugs.gentoo.org/show_bug.cgi?id=644406"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.93", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "net-p2p/transmission", "operator": "lt"}], "description": "### Background\n\nTransmission is a cross-platform BitTorrent client.\n\n### Description\n\nA vulnerability was discovered in how Transmission handles access control through the X-Transmission-Session-Id. \n\n### Impact\n\nA remote attacker could execute arbitrary RFC commands or consequently conduct a DNS rebinding attack. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Transmission users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-p2p/transmission-\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2018-06-20T00:00:00", "title": "Transmission: Remote code execution", "type": "gentoo", "enchantments": {"score": {"modified": "2018-06-20T03:56:14", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-5702"], "modified": "2018-06-20T00:00:00", "id": "GLSA-201806-07", "href": "https://security.gentoo.org/glsa/201806-07", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
