“Low complexity” hack for Transmission Bittorrent client may work against other clients

General support for problems installing or using Deluge
Some1
New User
Posts: 1
Joined: Tue Jan 16, 2018 4:56 am

Post by Some1 »

FYI: https://arstechnica.com/information-tec ... -computer/
There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.
SecurityAware
New User
Posts: 1
Joined: Thu Jan 18, 2018 9:52 pm

Re: “Low complexity” hack for Transmission Bittorrent client may work against other clients

Post by SecurityAware »

I saw that too and immediately thought of Deluge.

My understanding of the attack is that, because the browser both faces the Internet and the local loopback, a website hosting malicious code could use the browser as a pivot and obtain arbitrary remote communication with otherwise non-internet-facing network applications. (Which, right away, ought to make the security implications self-evident.)

My understanding of Deluge is that, even in the default install configuration, the [daemon]<->[client] model still exists, but uses a form of authentication to protect it. On Windows, the authentication credentials can be found under "...\AppData\Roaming\deluge" as an "Auth" file. In that file, you will find an entry that looks something like "localclient:<40_CHARS_OF_HEX> 10" which is the username/pass for the daemon for local loopback. The <40_CHARS_OF_HEX> is the password which, I believe, is pseudorandomly/cryptographically generated, so should not be knowable by an attacker.

If my above understanding is 100% correct, then Deluge should not be vulnerable to the mentioned attack. Do not take my word for it. Do correct me if I'm wrong!

...

I'm getting a bit tangential, but ...

I, myself, am more concerned about the possibly outdated libtorrent (v1.0.11) included in the latest Deluge (1.3.15), and the associated DoS vulnerabilities that have been found in libtorrent versions since. It is unclear (to me) if the currently deployed patch version applies the fixes that are in the later minor versions of libtorrent, or if such fixes are even valid for 1.0.x versions of libtorrent, or if such issues are something to worry about at all. (It's not exactly remote code execution.)

libtorrent 1.0.11 was released Feb 4, 2017, and both these security vulnerabilities were disclosed after that. The older of the two links to a closed issue where it's asserted in the comments that this should be applied to "the 1.0.x series" but, again, no release newer than the vulnerability disclosure exists. However, note that it is very usual for disclosure to work such that the devs have been warned first, giving ample time to patch and deploy well before the vulnerability is made public. The issue is... there is no mention of when/if these were patched for the 1.0.x series that I can find.

To be fair, this is libtorrent's fault for not mentioning those vulnerabilities in the patch notes, or (deity forbid) not actually patching the 1.0.x series for those that use it. Problem is, $h!T runs downhill, but complaints run up. Deluge devs will be the first to get screamed at, when the onus is really on libtorrent devs.

Bottom line, someone should thoroughly check all of these things and report back; leaving publicly known vulnerabilities unpatched for internet-facing programs is never acceptable and always brings the worst kind of criticism. Not making it clear how/when/where these issues have been fixed doesn't instill confidence either.
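A small auditor for the auth file described in the post above, added here as an example and not Deluge's own code. It assumes one `username:password:level` entry per line (also accepting the space before the level as rendered in the post) and flags any entry whose password is not the 40-hex-character token Deluge generates for `localclient`, since a hand-set or empty password is what would make the loopback RPC worth reaching from a browser pivot.

```python
import re
from typing import List, NamedTuple

# Assumed layout: "username:password:level"; the level may also follow a space.
ENTRY_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<password>[^:\s]*)[:\s]+(?P<level>\d+)$")
# The generated localclient secret is a 40-character hex string (SHA-1 sized).
HEX40_RE = re.compile(r"^[0-9a-fA-F]{40}$")


class AuthEntry(NamedTuple):
    user: str
    password: str
    level: int


def parse_auth(text: str) -> List[AuthEntry]:
    """Parse the auth file contents; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised auth entry {raw!r}")
        entries.append(AuthEntry(m["user"], m["password"], int(m["level"])))
    return entries


def audit(entries: List[AuthEntry]) -> List[str]:
    """Return findings for entries weaker than the generated loopback token."""
    findings = []
    if not any(e.user == "localclient" for e in entries):
        findings.append("no localclient entry: the generated loopback token is missing")
    for e in entries:
        if not HEX40_RE.match(e.password):
            findings.append(f"{e.user}: password is not a 40-char hex token (level {e.level})")
    return findings


# Constructed sample auth file: a generated localclient token plus a weak manual account.
SAMPLE_AUTH = """\
localclient:4f1d3a6c9b7e2d0f8a5c1b3e7d9f2a4c6e8b0d1a:10
guest:password:5
"""

if __name__ == "__main__":
    for finding in audit(parse_auth(SAMPLE_AUTH)):
        print(finding)
```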