If you download content through the popular Transmission BitTorrent client, take a closer look at its security settings: a critical vulnerability has been detected by Google’s Project Zero reporting team.
According to the report published Tuesday, the flaw lets hackers execute malicious code and gain remote control of user PCs through their web browsers.
40 days after the report, because developers in charge of fixing the flaw didn’t apply the patch from Google researchers, researcher Tavis Ormandy posted a proof-of-concept attack based on a hacking technique called DNS rebinding.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy’s report says.
“The attack works like this:
- A user visits http://attacker.com.
- attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 184.108.40.206 (an address they control) with a very low TTL.
- When the browser resolves to 220.127.116.11, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.”
The app is based on a server-client architecture. To download content, users install a daemon service locally and then go to a web-based interface.
“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote.
“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website “transfers” execution somewhere else. It does not work like that, but this is a common source of confusion.”
Ormandy tested his demo on Chrome and Firefox on Windows and Linux, but believes other platforms and browsers are vulnerable.