lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Jul 2012 11:27:50 -0400 From: Justin Klein Keane <justin@...irish.net> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Transmission BitTorrent XSS Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vulnerability Report Author: Justin C. Klein Keane <justin@...irish.net> Reported: July 19, 2012 CVE-2012-4037 Description of Vulnerability: - ----------------------------- Transmission (http://www.transmissionbt.com) is a popular, cross platform, open source BitTorrent client. Transmission includes functionality to enable a web based display of the application. Unfortunately this web based client doesn't sanitize text from .torrent files that are loaded into the client resulting in an arbitrary script injection (or cross site scripting (XSS)) vulnerability. Impact - ------ Clients loading a maliciously crafted .torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser. This could lead to privacy compromises (such as if the script "phoned home" to another URL with client information) or client side attacks (such as drive by downloads). Systems affected: - ----------------- Transmission 2.50 on Fedora 17 was tested and shown to be vulnerable, but Transmission is a cross platform tool so it is possible versions for other operating systems (such as Mac, Windows, and other Linux) are vulnerable as well. Mitigating factors: - ------------------- The information displayed via the Transmission web client is loaded via AJAX calls and is entirely event driven. This means malicious scripts must be crafted to exploit the way in which content is dynamically rendered. This presents some barrier, but is easy bypassed by injecting event driven elements in the display. Malicious script elements in the torrent name are easily visible via the desktop client, but malicious elements in the 'created by' or 'comments' elements are more difficult for end users to detect. Proof of Concept Exploit: - ------------------------- 1. Create a malicious torrent file (Example below) that includes arbitrary script elements in the name, comment, or authored by elements. 2. Install and start up the Transmission client 3. In Transmission select Edit->Preferences then click the 'Web' tab 4. Check the 'Enable web client' 5. Open a web browser and navigate to the web based client 6. Click the 'Open Torrent' icon in the upper left and select the malicious file from step #1 7. Highlight the torrent and click the 'Toggle Inspector' icon in the upper left. 8. Mouse over the "Mouse over me" sections in the information pane to view the rendered JavaScript alert boxes. Vendor Response: - ----------------- Upgrade to Transmission 2.61 or later. Sample Malicious Torrent: - ------------------------- d8:announce24:http://www.madirish.net/7:comment63:<div onmouseover="javascript:alert('xss');">Mouse over me</div>10:created by63:<div onmouseover="javascript:alert('xss');">Mouse over me</div>13:creation datei1342553922e8:encoding5:UTF-84:infod6:lengthi323584e4:name44:appsec.ppt<script>alert('namexss');</script>12:piece lengthi32768e6:pieces200:°åeì<îÃú.[Ò?.9j.Ø<„.LuŒ*B≈ÍôÒ±.ıîw.Ñ √b]Ú‘öÊS°ÜÕÁä0ï.e ©Ö:Řƒúß« v¬G6ê˜bfi†#...PØ;É~JÔ~áÙ±.=.AÎ≤—ï–˝~öÛ€9.ï’PH°k#ÿ0y.‘EèÊS*./æ.fM;˝.5.√ı.uÅ.?¡‡ë?.ySgË>ıQËz4ï<ŒÿµufÕàâ~˘Îs¬Sb◊¿DA·8}¥0∂∂-_Ä[ã≠H.}*õf Èj7:privatei0eee - -- Justin C. Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iPwEAQECAAYFAlARYfYACgkQkSlsbLsN1gCiAgb/R8B1p7HDEPEBzRiwz2GcwIa9 1diPHnlKTzhRTcY9GgFNfsdDL6NYO4J19tlxxzZIfjSCOI/WUM1rZhsFmJwlMA4E eW07cmc/kmHn5a+3a3/pBd2lhR7kfQkzN4U5/FUCsmlF03B4lZjfreoqFuarID1z dSi/LMU9XJTVfyEIWU9kZiSGE1oeEpdMmLGAWgZ1dCPXhbWE4UK0zF25/Y0YEjl9 6ZRcPX2PCE863XVcUzGrdkodqcN2VJqnzEwpVCc8yP1qwOjLSppX2vM7puMHpoUq mJFLmCdOqrf2oWugB8Y= =M+gZ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists