Saturday, December 9, 2023

Critical Flaw in Popular BitTorrent Transmission Client Leads to an Attacker Perform Remote Hack into Your PC

A critical flaw discovered in BitTorrent Transmission client app that allows an attacker can remotely control the victims PC by using a method called DNS Rebinding which leads to Transmission control can remotely access by an attacker via a malicious website.

This bug was discovered by Google Researcher Tavis Ormandy and it serving under google zero-day project, it also belongs to 90-day disclosure deadline.

We can securely access the torrent using various VPN Servers and proxies and here is the ultimate torrent guide to reachout the torrent related website safely.

Bit Torrent Transmission Client performing download an seeding operation using Client and server architecture with helping of the daemon.

Tavis was tested his proof of concept on Firefox / Chrome and another platform that confirmed it exploit all the browsers.

Aso Read: Beware of Fake Spectre and Meltdown Patches Pushing Malware – Smoke Loader

How Does this Vulnerability Works in BitTorrent Client

Bit Torrent Transmission client app Interact with daemon by sending an JSON RPC and Daemon communicate to web servers that listen using 9091 port. in this case, daemon only accepts the request that coming from the local host.

In this case, based on the HTTP PRC scheme any website can send requests to the daemon with XMLHttpRequest, “but the theory is they will be ignored because requests must read and request a specific header, X-Transmission-Session-Id.”

But this method will be working if attacker using “DNS Rebinding” Attack that resolving the local host by any website can simply create a DNS name that they are authorized to communicate.

Tavis Explain the attack that working by following way.

1. A user visits http://attacker.com.
2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.

Also, he Demonstrates the Transmission DNS Rebinding based on users transmission running in the default configuration.

So when users visited a malicious site BitTorrent Transmission client interface can be accessed remotely by an attacker.

Proof-of-concept in Public

Since its an open source project vulnerability, Ormandy fixed the bug and released the patch in public and also he released a POC that helps to test for DNS rebinding vulnerabilities in software.

Ormandy said, I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see.

“I’ve never had an opensource project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we’re talking about open source.”

You can also find the Mitigate for DNS rebinding attacks against daemon in GitHub

Website

Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles