Saturday, November 2, 2024
HomeCVE/vulnerabilityCritical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform...

Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

Published on

Malware protection

A critical flaw discovered in BitTorrent Transmission client app that allows an attacker can remotely control the victims PC by using a method called DNS Rebinding which leads to Transmission control can remotely access by an attacker via a malicious website.

This bug was discovered by Google Researcher Tavis Ormandy and it serving under google zero-day project, it also belongs to 90-day disclosure deadline.

We can securely access the torrent using various VPN Servers and proxies and here is the ultimate torrent guide to reachout the torrent related website safely.

- Advertisement - SIEM as a Service

Bit Torrent Transmission Client performing download an seeding operation using Client and server architecture with helping of the daemon.

Tavis was tested his proof of concept on Firefox / Chrome and another platform that confirmed it exploit all the browsers.

Aso Read: Beware of Fake Spectre and Meltdown Patches Pushing Malware – Smoke Loader

How Does this Vulnerability Works in BitTorrent Client

Bit Torrent Transmission client app Interact with daemon by sending an JSON RPC and Daemon communicate to web servers that listen using 9091 port. in this case, daemon only accepts the request that coming from the local host.

In this case, based on the HTTP PRC scheme any website can send requests to the daemon with XMLHttpRequest, “but the theory is they will be ignored because requests must read and request a specific header, X-Transmission-Session-Id.”

But this method will be working if attacker using “DNS Rebinding” Attack that resolving the local host by any website can simply create a DNS name that they are authorized to communicate.

Tavis Explain the attack that working by following way.

1. A user visits http://attacker.com.
2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.

Also, he Demonstrates the Transmission DNS Rebinding based on users transmission running in the default configuration.

So when users visited a malicious site BitTorrent Transmission client interface can be accessed remotely by an attacker.

Proof-of-concept in Public

Since its an open source project vulnerability, Ormandy fixed the bug and released the patch in public and also he released a POC that helps to test for DNS rebinding vulnerabilities in software.

Ormandy said, I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see.

“I’ve never had an opensource project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we’re talking about open source.”

You can also find the Mitigate for DNS rebinding attacks against daemon in GitHub

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to...

SMB Force-Authentication Vulnerability Impacts All OPA Versions For Windows

Open Policy Agent (OPA) recently patched a critical vulnerability that could have exposed NTLM...

Vulnerabilities in Realtek SD Card Reader Driver Impacts Dell, Lenovo, & Others Laptops

Multiple vulnerabilities have been discovered in the Realtek SD card reader driver, RtsPer.sys, affecting...