Wednesday, October 16, 2024
HomeCVE/vulnerabilityCritical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform...

Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

Published on

Malware protection

A critical flaw discovered in BitTorrent Transmission client app that allows an attacker can remotely control the victims PC by using a method called DNS Rebinding which leads to Transmission control can remotely access by an attacker via a malicious website.

This bug was discovered by Google Researcher Tavis Ormandy and it serving under google zero-day project, it also belongs to 90-day disclosure deadline.

We can securely access the torrent using various VPN Servers and proxies and here is the ultimate torrent guide to reachout the torrent related website safely.

- Advertisement - SIEM as a Service

Bit Torrent Transmission Client performing download an seeding operation using Client and server architecture with helping of the daemon.

Tavis was tested his proof of concept on Firefox / Chrome and another platform that confirmed it exploit all the browsers.

Aso Read: Beware of Fake Spectre and Meltdown Patches Pushing Malware – Smoke Loader

How Does this Vulnerability Works in BitTorrent Client

Bit Torrent Transmission client app Interact with daemon by sending an JSON RPC and Daemon communicate to web servers that listen using 9091 port. in this case, daemon only accepts the request that coming from the local host.

In this case, based on the HTTP PRC scheme any website can send requests to the daemon with XMLHttpRequest, “but the theory is they will be ignored because requests must read and request a specific header, X-Transmission-Session-Id.”

But this method will be working if attacker using “DNS Rebinding” Attack that resolving the local host by any website can simply create a DNS name that they are authorized to communicate.

Tavis Explain the attack that working by following way.

1. A user visits http://attacker.com.
2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.

Also, he Demonstrates the Transmission DNS Rebinding based on users transmission running in the default configuration.

So when users visited a malicious site BitTorrent Transmission client interface can be accessed remotely by an attacker.

Proof-of-concept in Public

Since its an open source project vulnerability, Ormandy fixed the bug and released the patch in public and also he released a POC that helps to test for DNS rebinding vulnerabilities in software.

Ormandy said, I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see.

“I’ve never had an opensource project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we’re talking about open source.”

You can also find the Mitigate for DNS rebinding attacks against daemon in GitHub

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...