Rasterbar libtorrent arbitrary file overwrite vulnerability Jun 08 2009 05:43PM
Dimitris Glynos (dimitris census-labs com)
'libtorrent' is an open-source C++ bittorrent library by Rasterbar
Software that is used in many desktop applications and embedded devices.
Popular BitTorrent clients that use this library are 'firetorrent',
'qBittorrent' and 'deluge Torrent'. For a more comprehensive list
of libtorrent-based applications, see [1].

I have discovered an 'arbitrary file overwrite' vulnerability in
libtorrent that allows an attacker to create and modify arbitrary files
(and directories) with the effective rights of the user executing
the vulnerable libtorrent-based application.

libtorrent (up to and including version 0.14.3) employs an insufficient
path sanitization method that allows the formulation of relative paths
from the path elements found in .torrent files. Specifically, this
applies to .torrent files that describe multiple files (see
"Multiple File Mode" [2]). An adversary could use such relative paths,
in a specially crafted .torrent file, to replace or create files in
vulnerable systems.

See [3] for more information regarding the nature of this vulnerability.

The maintainer of libtorrent has been contacted and a new version (0.14.4)
of the library that fixes this issue has been released [4],[5]. All
affected parties are advised to upgrade to the latest release.

The Common Vulnerabilities and Exposures (CVE) project has assigned
the candidate name CVE-2009-1760 to this issue.

Vendor notification date: May 27th, 2009
Vendor acknowledgement date: May 28th, 2009
Vendor bugfix release date: June 1st, 2009
Public disclosure date: June 8th, 2009

With kind regards,

Dimitris Glynos
http://census-labs.com / IT security research, development and services

[1] http://www.rasterbar.com/products/libtorrent/projects.html
[2] http://wiki.theory.org/BitTorrentSpecification#Info_in_Multiple_File_Mod
[3] http://census-labs.com/news/2009/06/08/libtorrent-rasterbar
[4] http://sf.net/project/shownotes.php?group_id=79942&release_id=686456
[5] http://sf.net/project/showfiles.php?group_id=79942

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus