Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Jan 2018 18:48:20 -0800
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: transmission: rpc session-id mechanism design flaw results in RCE

Here is an updated version of the patch (some tests were failing):

https://patch-diff.githubusercontent.com/raw/transmission/transmission/pull/468.diff

On Thu, Jan 11, 2018 at 10:47 AM, Tavis Ormandy <taviso@...gle.com> wrote:

> Hello, the transmission bittorrent client uses a client/server
> architecture, the user interface is the client and a daemon runs in the
> background managing the downloading, seeding, etc.
>
> Clients interact with the daemon using JSON RPC requests to a web server
> listening on port 9091. The daemon will only accept requests from localhost
> by default, but it's common to configure NAS devices to accept remote
> clients.
>
> A sample RPC session looks like this:
>
> $ curl -sI http://localhost:9091/transmission/rpc
> HTTP/1.1 409 Conflict
> Server: Transmission
> X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX
> 1Ayl06AJwuhHvSgE6H
> Date: Wed, 29 Nov 2017 21:37:41 GMT
>
> $ curl -H 'X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H'
>  -d '{"method":"session-set","arguments":{"download-dir":"/home/user"}}'
> -si http://localhost:9091/transmission/rpc
> HTTP/1.1 200 OK
> Server: Transmission
> Content-Type: application/json; charset=UTF-8
> Date: Wed, 29 Nov 2017 21:38:57 GMT
> Content-Length: 36
>
> {"arguments":{},"result":"success"}
>
> As with all HTTP RPC schemes like this, any website can send requests to
> the daemon listening on localhost with XMLHttpRequest(), but the theory is
> they will be ignored because clients must prove they can read and set a
> specific header, X-Transmission-Session-Id.
>
> Unfortunately, this design doesn't work because of an attack called "DNS
> rebinding". Any website can simply create a dns name that they are
> authorized to communicate with, and then make it resolve to localhost.
>
> The attack works like this:
>
> 1. A user visits http://attacker.com, which has an <iframe> to a
> subdomain the attacker controls.
> 2. The attacker configures their DNS server to respond alternately with
> 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
> 3. When the browser resolves to 123.123.123.123, they serve HTML that
> waits for the DNS entry to expire (or force it to expire by flooding the
> cache with lookups), then they have permission to read and set headers.
>
> I have a domain I use for testing dns rebinding called rbndr.us, you can
> use this page to generate hostnames (source code is here:
> https://github.com/taviso/rbndr):
>
> https://lock.cmpxchg8b.com/rebinder.html
>
> Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use
> 7f000001.c7f11de3.rbndr.us:
>
> $ host 7f000001.c7f11de3.rbndr.us
> 7f000001.c7f11de3.rbndr.us has address 127.0.0.1
> $ host 7f000001.c7f11de3.rbndr.us
> 7f000001.c7f11de3.rbndr.us has address 199.241.29.227
> $ host 7f000001.c7f11de3.rbndr.us
> 7f000001.c7f11de3.rbndr.us has address 127.0.0.1
>
> Here you can see the resolution alternates between the two addresses I
> want (note that depending on caching it might take a while to switch, the
> TTL is set to minimum but some servers round up).
>
> I just wait for the cached response to expire, and then POST commands to
> the server.
>
> Exploitation is simple, you could set script-torrent-done-enabled and run
> any command, or set download-dir to /home/user/ and then upload a torrent
> for ".bashrc".
>
> Here is my (simple) demo, it's slow, but could be made very fast:
>
> http://lock.cmpxchg8b.com/Asoquu3e.html
>
> I've verified it works on Chrome and Firefox on Windows and Linux (I tried
> Fedora and Ubuntu), I expect other platforms and browsers are affected. There
> are screenshots of how the attack is supposed to look on the bug report
> here:
>
> https://github.com/transmission/transmission/pull/468
>
> Tavis.
>
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ