Tavis was tested his proof of concept on Firefox / Chrome and another platform that confirmed it exploit all the browsers.
How Does this Vulnerability Works in BitTorrent Client
Bit Torrent Transmission client app Interact with daemon by sending an JSON RPC and Daemon communicate to web servers that listen using 9091 port. in this case, daemon only accepts the request that coming from the local host.
In this case, based on the HTTP PRC scheme any website can send requests to the daemon with XMLHttpRequest, “but the theory is they will be ignored because requests must read and request a specific header, X-Transmission-Session-Id.”
But this method will be working if attacker using “DNS Rebinding” Attack that resolving the local host by any website can simply create a DNS name that they are authorized to communicate.
Tavis Explain the attack that working by following way.
1. A user visits http://attacker.com.
2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 18.104.22.168 (an address they control) with a very low TTL.
3. When the browser resolves to 22.214.171.124, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.
Also, he Demonstrates the Transmission DNS Rebinding based on users transmission running in the default configuration.
So when users visited a malicious site BitTorrent Transmission client interface can be accessed remotely by an attacker.
Proof-of-concept in Public
Ormandy said, I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see.
“I’ve never had an opensource project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we’re talking about open source.”