Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Jan 2018 10:47:38 -0800
From: Tavis Ormandy <>
Subject: transmission: rpc session-id mechanism design flaw results in RCE

Hello, the transmission bittorrent client uses a client/server
architecture, the user interface is the client and a daemon runs in the
background managing the downloading, seeding, etc.

Clients interact with the daemon using JSON RPC requests to a web server
listening on port 9091. The daemon will only accept requests from localhost
by default, but it's common to configure NAS devices to accept remote

A sample RPC session looks like this:

$ curl -sI http://localhost:9091/transmission/rpc
HTTP/1.1 409 Conflict
Server: Transmission
X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H
Date: Wed, 29 Nov 2017 21:37:41 GMT

$ curl -H 'X-Transmission-Session-Id:
JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H'  -d
'{"method":"session-set","arguments":{"download-dir":"/home/user"}}' -si
HTTP/1.1 200 OK
Server: Transmission
Content-Type: application/json; charset=UTF-8
Date: Wed, 29 Nov 2017 21:38:57 GMT
Content-Length: 36


As with all HTTP RPC schemes like this, any website can send requests to
the daemon listening on localhost with XMLHttpRequest(), but the theory is
they will be ignored because clients must prove they can read and set a
specific header, X-Transmission-Session-Id.

Unfortunately, this design doesn't work because of an attack called "DNS
rebinding". Any website can simply create a dns name that they are
authorized to communicate with, and then make it resolve to localhost.

The attack works like this:

1. A user visits, which has an <iframe> to a subdomain
the attacker controls.
2. The attacker configures their DNS server to respond alternately with and (an address they control) with a very low TTL.
3. When the browser resolves to, they serve HTML that waits
for the DNS entry to expire (or force it to expire by flooding the cache
with lookups), then they have permission to read and set headers.

I have a domain I use for testing dns rebinding called, you can
use this page to generate hostnames (source code is here:

Here I want to alternate between and, so I use

$ host has address
$ host has address
$ host has address

Here you can see the resolution alternates between the two addresses I want
(note that depending on caching it might take a while to switch, the TTL is
set to minimum but some servers round up).

I just wait for the cached response to expire, and then POST commands to
the server.

Exploitation is simple, you could set script-torrent-done-enabled and run
any command, or set download-dir to /home/user/ and then upload a torrent
for ".bashrc".

Here is my (simple) demo, it's slow, but could be made very fast:

I've verified it works on Chrome and Firefox on Windows and Linux (I tried
Fedora and Ubuntu), I expect other platforms and browsers are affected. There
are screenshots of how the attack is supposed to look on the bug report


Content of type "text/html" skipped

View attachment "0001-mitigate-dns-rebinding-attacks.patch" of type "text/x-patch" (10374 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.