Transmission XSS Vulnerabilities

27 July 2012

Vulnerability Report

Author: Justin C. Klein Keane
Reported: July 19, 2012

CVE: CVE-2012-4037
OSVDB: 84242

Description of Vulnerability

Transmission (http://www.transmissionbt.com) is a popular, cross-platform, open source BitTorrent client. Transmission includes a web-based interface to the application. This web client does not sanitize text from .torrent files that are loaded into the client, resulting in an arbitrary script injection (cross-site scripting, or XSS) vulnerability.

Impact

Clients loading a maliciously crafted .torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser. This could lead to privacy compromises (such as if the script "phoned home" to another URL with client information) or client-side attacks (such as drive-by downloads).

Systems affected

Transmission 2.50 on Fedora 17 was tested and shown to be vulnerable, but Transmission is a cross-platform tool, so it is possible that versions for other operating systems (such as Mac, Windows, and other Linux distributions) are vulnerable as well.

Mitigating factors

The information displayed via the Transmission web client is loaded via AJAX calls and is entirely event driven. This means malicious scripts must be crafted to exploit the way in which content is dynamically rendered. This presents some barrier, but it is easily bypassed by injecting event-driven elements into the display. Malicious script elements in the torrent name are easily visible via the desktop client, but malicious elements in the 'created by' or 'comments' elements are more difficult for end users to detect.

Proof of Concept Exploit

  1. Create a malicious torrent file (example below) that includes arbitrary script elements in the name, comment, or 'created by' elements.
  2. Install and start up the Transmission client.
  3. In Transmission select Edit->Preferences, then click the 'Web' tab.
  4. Check the 'Enable web client' box.
  5. Open a web browser and navigate to the web based client
  6. Click the 'Open Torrent' icon in the upper left and select the malicious file from step #1
  7. Highlight the torrent and click the 'Toggle Inspector' icon in the upper left.
  8. Mouse over the "Mouse over me" sections in the information pane to view the rendered JavaScript alert boxes.

Vendor Response

Upgrade to Transmission 2.61 or later.

Sample Malicious Torrent:

d8:announce24:http://www.madirish.net/7:comment63:<div onmouseover="javascript:alert('xss');">Mouse over me</div>10:created by63:<div onmouseover="javascript:alert('xss');">Mouse over me</div>13:creation datei1342553922e8:encoding5:UTF-84:infod6:lengthi323584e4:name44:appsec.ppt<script>alert('namexss');</script>12:piece lengthi32768e6:pieces200:°åeì<îÃ?ú[Ã??9jÃ?<â??LuÅ?*Bâ??Ã?ôÃ?±ıîwÃ? â??b]Ã?â??öÃ?S°Ã?Ã?Ã?ä0ïe ©Ã?:Ã?Ë?Æ?úÃ?« v¬G6êË?bï¬?â? #PÃ?;Ã?~JÃ?~áÃ?±=AÃ?â?¤â??ïâ??Ë?~öÃ?â?¬9ïâ??PH°k#ÿ0yâ??EèÃ?S*/æfM;Ë?5â??ıuÃ??¡â?¡Ã«?ySgÃ?>ıQÃ?z4ï<Å?ÿµufÃ?à â~Ë?Ã?s¬Sbâ??¿DA·8}Â¥'
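For triage of .torrent files before they are loaded, the three metadata fields named in this report can be checked for markup. The following is an added example, not part of the original report or of Transmission's code: the bencode decoder, the markup heuristic, the function names and the trimmed sample bytes are all constructed for illustration.

```python
import html
import re

# Fields the report names, and a markup heuristic (tag opener or on*= handler).
FIELDS = (("comment",), ("created by",), ("info", "name"))
MARKUP = re.compile(rb"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.I)

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                        # list or dict, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("truncated container")
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                  # byte string: <len>:<bytes>
    n = int(data[i:colon])
    if n < 0 or colon + 1 + n > len(data):
        raise ValueError("string length exceeds input")
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def scan_torrent(data):
    """Return {field: HTML-escaped value} for metadata fields holding markup."""
    meta, _ = bdecode(data)
    hits = {}
    for path in FIELDS:
        node = meta
        for key in path:
            node = node.get(key.encode()) if isinstance(node, dict) else None
        if isinstance(node, bytes) and MARKUP.search(node):
            hits["/".join(path)] = html.escape(node.decode("utf-8", "replace"))
    return hits

def _b(s):
    return b"%d:%s" % (len(s), s)

# Constructed sample modelled on the report's torrent; 'pieces' is a dummy.
_DIV = b"<div onmouseover=\"javascript:alert('xss');\">Mouse over me</div>"
SAMPLE = (b"d" + _b(b"comment") + _b(_DIV) + _b(b"created by") + _b(b"demo 1.0")
          + _b(b"info") + b"d" + _b(b"name") + _b(b"appsec.ppt<script>alert(1)</script>")
          + _b(b"pieces") + _b(b"\x00" * 20) + b"ee")
```

Findings are returned HTML-escaped so that a report page displaying them does not reproduce the same flaw; the regular expression is a heuristic and will also flag benign names that happen to contain angle brackets.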