Torrents are used worldwide by a plethora of users, both for legal as well as illegal activities. It is the most common peer-to-peer mode of file sharing, but that also means that there is no verification of data being transmitted. According to a recent study, Transmission, one of the best torrent clients out there, has been reported to be vulnerable to foreign hacks.
As reported by ArsTechnica, there happens to be a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users’ computers. Tavis Ormandy, a researcher working with Google’s Project Zero vulnerability reporting team, stated that there is a Transmission function that allows users to control the BitTorrent app with their Web browser.
According to Ormandy’s proof-of-attack, using a hacking technique known as domain name system rebinding, the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site. He states that his exploit works on popular web browsers such as Chrome and Firefox, and is applicable to both Windows and Linux.
As per his exploit, attackers can take control of users’ systems by creating a DNS name they are authorized to communicate with and then making it resolve to the localhost name of the vulnerable computer. In a separate post while publishing the patch for the same, Ormandy stated the attack takes place in the following manner:
- A user visits
http://attacker.com, which has an
<iframe>to a subdomain the attacker controls.
- The attacker configures their DNS server to respond alternately with
220.127.116.11(an address they control) with a very low TTL.
- When the browser resolves to
18.104.22.168, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.
Using the above exploit, the attacker can change the Torrent download directory to the user’s home directory and then make Transmission download a Torrent called “.bashrc” which would automatically be executed the next time the user opened a bash shell. Attackers also gain the ability to remotely configure Transmission to run any command of their choosing after a download has been completed.
Any vulnerability that is reported by Project Zero is usually withheld for a period of 90 days or until the developer has released a fix before going public. That being said, the researcher has disclosed the vulnerability just 40 days after the initial report, considering the fact that “Transmission developers are not responding on their private security list.” According to Ormandy, “I suggested moving this into the open so that distributions can apply the patch independently.”
While Ormandy understands that the threat is of “relatively low complexity”, he states that this is exactly the reason why he is eager to make sure everyone is patched.
In a response to ArsTechnica, a Transmission development official stated that he expected an official fix to be released “ASAP” but was not specific. According to him, the vulnerability was present only when users enabled remote access and disabled password protection.
As of now, there is no official word on when will Transmission be releasing an update for the fix. That being said, we recommend the readers to enable password protection using the inbuilt the JSON RPC interface. Also, according to reports, other BitTorrent clients are also vulnerable to the same hack, so we recommend users to use these torrent clients with caution, and not leave them running unattended.