Detections
Analytics

FreeBSD : transmission-daemon -- vulnerable to dns rebinding attacks (3e5b8bd3-0c32-452f-a60e-beab7b762351)

high Nessus Plugin ID 106037

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Google Project Zero reports :

The transmission bittorrent client uses a client/server architecture, the user interface is the client which communicates to the worker daemon using JSON RPC requests.

As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on localhost with XMLHttpRequest(), but the theory is they will be ignored because clients must prove they can read and set a specific header, X-Transmission-Session-Id.
Unfortunately, this design doesn't work because of an attack called 'DNS rebinding'. Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.

Exploitation is simple, you could set script-torrent-done-enabled and run any command, or set download-dir to /home/user/ and then upload a torrent for .bashrc.

Solution

Update the affected package.

See Also

https://bugs.chromium.org/p/project-zero/issues/detail?id=1447

https://github.com/transmission/transmission/pull/468

http://www.nessus.org/u?38701b75

Plugin Details

Severity: High

ID: 106037

File Name: freebsd_pkg_3e5b8bd30c32452fa60ebeab7b762351.nasl

Version: 1.2

Type: local

Published: 1/15/2018

Updated: 11/10/2018

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:transmission-daemon, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/14/2018

Vulnerability Publication Date: 11/30/2017