January 17, 2018
A member of the Google Project Zero initiative recently discovered a critical flaw in the popular Transmission BitTorrent app which enables websites to run malicious code on affected devices. According to the researcher, other BitTorrent client apps likely carry similar security flaws.
The researcher behind this new discovery, Tavis Ormandy, published a report last week which included proof-of-concept attack code as well as a comprehensive description of the security flaw and its impact if exploited. Traditionally, Project Zero publishes its reports only 90 days after they are filed, in order to allow the affected vendor to address and rectify the issue before it is exploited. However, Ormandy published his report immediately, since his privately submitted report to Transmission also came with a patch that addressed the issue. Ormandy published his report 40 days after his private submission, as the development team behind Transmission had failed to apply the security patch. According to the researcher, the published report would enable Ubuntu and other projects to install the patch independently.
In his publicly available report, the researcher wrote that he found it frustrating that the team behind Transmission did not respond to the security issue, despite its potentially damaging impact. This frustration encouraged Ormandy to make the security patch publicly available so that distributions could install the patch themselves.
According to a spokesperson from Transmission, the team was working on an official security fix and intended to release it as soon as possible, but gave no specific dates. The spokesperson added that the security flaw was only a threat to users if the app’s password protection was disabled and its remote access was enabled. The spokesperson also warned users to keep their password protection enabled if they installed unofficial security patches.
In his report, Ormandy’s proof-of-concept attack operates by exploiting a Transmission feature which enables users to manage their BitTorrent app from their web browser. According to the report, the majority of BitTorrent users are not concerned with the password protection feature, as they assume that the JSON RPC interface can only be reached by someone within close physical proximity to the relevant device. However, Ormandy used a technique known as domain name system (DNS) rebinding, which allowed him to control the Transmission interface remotely as soon as the victim visited a malicious website. The researcher confirmed that this attack worked on Firefox and Chrome, on both Linux and Windows, and noted that several other platforms were likely to be affected by the flaw.
Using this technique, attackers abuse the flaw by setting up a DNS name under their control, which the browser is therefore permitted to communicate with, and then resolving that name to the localhost address of the affected device. Ormandy discussed this technique in some detail in his second post, which contained the security patch.
Once an attacker has gained remote access to a device’s Transmission app, they are able to perform potentially damaging actions such as changing the torrent download directory to the victim’s own home directory. The attacker could also command the torrent app to download malicious files and configure it to automatically execute all downloaded files. According to the researcher, this attack is not very complex, yet could have very damaging consequences.
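The rebinding trick described above works because the DNS name the browser trusts ends up pointing at the loopback address, so the request reaches the local JSON RPC interface even though it was scripted by a remote page. What the attacker cannot change is the Host header the browser attaches, which still names the attacker's domain rather than localhost. The following added example (not Transmission's code, and not a transcription of Ormandy's patch, whose contents the article does not describe) shows the standard defence for this class of bug: a loopback-bound RPC service accepts a request only if its Host header names the service itself. The allowlist, the header values and the sample request records are constructed for this example.

```python
"""Host-header allowlist check for a loopback-only JSON RPC service.

Added illustration, not Transmission's own code. A DNS-rebinding request
arrives over 127.0.0.1, but the browser still sends the attacker-controlled
hostname in the Host header, so a service that accepts only Host values
naming itself rejects the rebound request. All sample values are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Hypothetical default allowlist; a real service would add its configured
# bind address and any hostname the administrator has explicitly allowed.
DEFAULT_ALLOWED_HOSTS = ("localhost", "127.0.0.1", "::1")


def parse_host_header(value: str) -> str:
    """Return the host part of a Host header with any port removed.

    Handles bracketed IPv6 literals such as "[::1]:9091"; a bare IPv6
    literal without brackets ("::1") is returned unchanged.
    """
    value = value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    # Exactly one colon means "host:port"; more than one means bare IPv6.
    if value.count(":") == 1:
        host, _, _port = value.rpartition(":")
        return host
    return value


def host_is_allowed(host_header: str,
                    allowed: Iterable[str] = DEFAULT_ALLOWED_HOSTS) -> bool:
    """True if the Host header names this service (allowlist or loopback IP)."""
    host = parse_host_header(host_header)
    if not host:
        return False  # missing or malformed Host header is rejected
    if host in {h.lower() for h in allowed}:
        return True
    try:
        # Any loopback IP literal (127.0.0.0/8, ::1) also names this machine.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name not on the allowlist, e.g. a rebound domain


def classify_requests(requests: List[Dict[str, str]]) -> List[str]:
    """Label each constructed RPC request 'accept' or 'reject' by its Host header."""
    return ["accept" if host_is_allowed(r.get("host", "")) else "reject"
            for r in requests]


# Constructed sample requests: all arrive on the loopback socket, but only
# the first three carry a Host header that names the local service.
SAMPLE_REQUESTS = [
    {"path": "/rpc", "host": "localhost:9091"},
    {"path": "/rpc", "host": "127.0.0.1:9091"},
    {"path": "/rpc", "host": "[::1]:9091"},
    # Rebound name: resolved to 127.0.0.1 by the attacker's DNS server,
    # yet the browser still sends the attacker's hostname.
    {"path": "/rpc", "host": "attacker-controlled.example:9091"},
    {"path": "/rpc", "host": "attacker-controlled.example"},
    {"path": "/rpc", "host": ""},
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, classify_requests(SAMPLE_REQUESTS)):
        print(f"{verdict:6}  Host: {req['host']!r}")
```

The check is deliberately placed on the Host header rather than on the connecting IP address: the connection in a rebinding attack genuinely comes from the local machine, so source-address filtering alone cannot tell it apart from the legitimate web UI. Password protection, which the Transmission spokesperson recommended keeping enabled, is an independent second layer.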
In a tweet, the researcher also hinted that this is perhaps the first of many damaging security flaws in torrent apps. However, the other flaws have not yet been disclosed, ostensibly because of the mandatory 90-day window.
While this latest discovery immediately affects all Transmission users, the discovery has also highlighted the damaging potential of DNS rebinding techniques, especially considering how widely applicable they are.