lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <864dcda1-ccd5-ad77-6f64-ce6d9de4a0d5@gentoo.org>
Date: Sun, 19 Mar 2017 03:48:48 +0100
From: Thomas Deutschmann <whissi@...too.org>
To: Kyle Neideck <kyle@...risdriving.com>, fulldisclosure@...lists.org,
 bugtraq@...urityfocus.com
Subject: Re: [FD] Remote code execution via CSRF vulnerability in the web UI
 of Deluge 1.3.13

On 2017-03-05 07:22, Kyle Neideck wrote:
> Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
> 
> Kyle Neideck, February 2017
> 
> 
> Product
> -------
> 
> Deluge is a BitTorrent client available from http://deluge-torrent.org.
> 
> Fix
> ---
> 
> Fixed in the (public) source code, but not in binary releases yet. See
> http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
> and
> http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
> 
> Install from source or use the web UI from an incognito/private window until
> new binaries are released.
> 
> Summary
> -------
> 
> Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web UI
> plug-in resulting in remote code execution. Requests made to the /json endpoint
> are not checked for CSRF. See the "render" function of the "JSON" class in
> deluge/ui/web/json_api.py.
> 
> The Web UI plug-in is installed, but not enabled, by default. If the user has
> enabled the Web UI plug-in and logged into it, a malicious web page can use
> forged requests to make Deluge download and install a Deluge plug-in provided
> by the attacker. The plug-in can then execute arbitrary code as the user
> running Deluge (usually the local user account).

I requested a CVE via MITRE web form and received the following ID:

> [Suggested description]
> CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation
> methodology involves (1) hosting a crafted plugin that executes an
> arbitrary program from its __init__.py file and (2) causing the
> victim to download, install, and enable this plugin.

> Use CVE-2017-7178.


-- 
Regards,
Thomas Deutschmann / Gentoo Security Team
C4DD 695F A713 8F24 2AA1  5638 5849 7EE5 1D5D 74A5



Download attachment "signature.asc" of type "application/pgp-signature" (952 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ