** Changed in: hardy-backports
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to transmission in Ubuntu.
https://bugs.launchpad.net/bugs/500625
Title:
Local file overwriting due to directory traversal
Status in Hardy Backports:
Won't Fix
Status in transmission package in Ubuntu:
Fix Released
Status in transmission source package in Lucid:
Fix Released
Status in transmission source package in Hardy:
Fix Released
Status in transmission source package in Intrepid:
Fix Released
Status in transmission source package in Jaunty:
Fix Released
Status in transmission source package in Karmic:
Fix Released
Bug description:
Binary package hint: transmission
I've discovered a design flaw in the Transmission BitTorrent client
that I would consider to be a security vulnerability. The
Transmission client permits arbitrary characters in the names of files
included in torrents, including characters that allow directory
traversal (such as "../"). In addition, the client does not prompt
the user before overwriting existing files with the same name as a
file that is to be downloaded via torrent.
An attacker can create a malicious torrent file containing a file
named specifically to overwrite important files on disk. For example,
"../.ssh/authorized_keys" could be provided as a filename included in
a torrent, and Transmission will download the provided file and store
it at that location (assuming the default download location of
~/Desktop), overwriting the preexisting keys file and potentially
giving an attacker SSH access to the victim's machine. If the user
happens to be running Transmission as root (who knows?), the
possibilities are even scarier.
I have confirmed this behavior with a simple proof-of-concept torrent
and text file, which I've attached. To confirm behavior, download the
EVIL text file (which is just a sentence of text), and open the
attached .torrent file in a child directory. For example, if EVIL is
in "~/", open the .torrent from "~/Desktop". The torrent should begin
seeding. From another machine, create a blank file (or any file,
really) called EVIL at some location. This file represents an
existing file on disk, and presumably wouldn't be called "EVIL" in a
real situation. Note its contents, and open the .torrent file at a
child directory, just as before. Once the download starts, you should
note that the EVIL file in the parent directory has been overwritten
with the contents of the torrent's EVIL file.
Clearly, the desired behavior is to download files into the current
directory, not permitting any directory traversal, and perhaps
prompting the user before overwriting existing data. This could be
easily fixed by stripping ".." from incoming file names.
Although this attack requires a victim to open a malicious torrent
file, because it does not require the victim to actually execute
malicious code I would still consider it a security problem. Torrents
are very widespread, and it would be trivial to host a malicious
torrent containing legitimate files alongside files designed to
compromise a victim's system. The fact that an attacker would have
immediate knowledge of compromised victims via the torrent is
especially dangerous.
I confirmed this behavior in Transmission 1.75 on Karmic, using both
the GTK interface and transmission-cli.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hardy-backports/+bug/500625/+subscriptions
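The mitigation the report asks for, shown as an added example written for this page and not taken from Transmission's own code: a C check that refuses any torrent-supplied file name that is absolute or carries a ".", "..", or empty path component, so that it can never escape the download directory once joined to it. The function names torrent_path_is_safe and build_download_path are hypothetical, as is the sample download directory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Transmission's API).
 * Returns true only if `name` is a relative path made solely of plain
 * file or directory names: no leading separator, no "." or ".."
 * components, no empty components ("a//b", trailing "/").
 * Both '/' and '\\' are treated as separators so that a torrent built on
 * one platform cannot smuggle a traversal past a client on another. */
bool torrent_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;                       /* nothing to download into */
    if (name[0] == '/' || name[0] == '\\')
        return false;                       /* absolute path */

    const char *p = name;
    for (;;) {
        /* find the end of the current component */
        const char *sep = p;
        while (*sep != '\0' && *sep != '/' && *sep != '\\')
            sep++;
        size_t len = (size_t)(sep - p);

        if (len == 0)
            return false;                   /* "//" or trailing separator */
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return false;                   /* "." or ".." component */
        if (*sep == '\0')
            return true;                    /* last component was clean */
        p = sep + 1;                        /* move past the separator */
    }
}

/* Hypothetical helper: writes "<download_dir>/<name>" into `out` only
 * when `name` passed the check above and the result fits the buffer. */
bool build_download_path(const char *download_dir, const char *name,
                         char *out, size_t out_size)
{
    if (download_dir == NULL || out == NULL || out_size == 0)
        return false;
    if (!torrent_path_is_safe(name))
        return false;                       /* traversal attempt rejected */

    int n = snprintf(out, out_size, "%s/%s", download_dir, name);
    if (n < 0 || (size_t)n >= out_size)
        return false;                       /* truncated: do not use it */
    return true;
}

int main(void)
{
    /* Constructed sample names, including the one from the bug report. */
    const char *names[] = {
        "EVIL", "dir/sub/file.txt", "../.ssh/authorized_keys",
        "/etc/passwd", "a/../b", "..\\x", "a//b",
    };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = build_download_path("/home/user/Desktop", names[i],
                                      path, sizeof path);
        printf("%-26s -> %s\n", names[i], ok ? path : "REJECTED");
    }
    return 0;
}
```

Rejecting the name outright is preferable to stripping ".." from it, since stripping can be undone by nested sequences such as "....//"; the second concern in the report, silent overwriting of existing files, is separately handled by opening the destination with O_CREAT|O_EXCL (or by prompting) rather than truncating whatever is already there.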
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp