Bug 1075921 - (CVE-2018-5702) VUL-0: CVE-2018-5702: transmission: security update
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Leap 15.0
Other Other
P3 - Medium : Normal
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/198289/
CVSSv3:RedHat:CVE-2018-5702:8.3:(AV:...
Depends on:
Blocks:
Reported: 2018-01-15 06:12 UTC by Marcus Meissner
Modified: 2020-01-16 13:19 UTC (History)
3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
0001-mitigate-dns-rebinding-attacks.patch (10.13 KB, patch)
2018-01-15 06:13 UTC, Marcus Meissner

Description Marcus Meissner 2018-01-15 06:12:42 UTC
via oss-sec

Hello, the transmission bittorrent client uses a client/server
architecture, the user interface is the client and a daemon runs in the
background managing the downloading, seeding, etc.

Clients interact with the daemon using JSON RPC requests to a web server
listening on port 9091. The daemon will only accept requests from localhost
by default, but it's common to configure NAS devices to accept remote
clients.

A sample RPC session looks like this:

$ curl -sI http://localhost:9091/transmission/rpc
HTTP/1.1 409 Conflict
Server: Transmission
X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H
Date: Wed, 29 Nov 2017 21:37:41 GMT

$ curl -H 'X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H' -d '{"method":"session-set","arguments":{"download-dir":"/home/user"}}' -si http://localhost:9091/transmission/rpc
HTTP/1.1 200 OK
Server: Transmission
Content-Type: application/json; charset=UTF-8
Date: Wed, 29 Nov 2017 21:38:57 GMT
Content-Length: 36

{"arguments":{},"result":"success"}

As with all HTTP RPC schemes like this, any website can send requests to
the daemon listening on localhost with XMLHttpRequest(), but the theory is
they will be ignored because clients must prove they can read and set a
specific header, X-Transmission-Session-Id.

Unfortunately, this design doesn't work because of an attack called "DNS
rebinding". Any website can simply create a DNS name that they are
authorized to communicate with, and then make it resolve to localhost.

The attack works like this:

1. A user visits http://attacker.com, which has an <iframe> to a subdomain
the attacker controls.
2. The attacker configures their DNS server to respond alternately with
127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
3. When the browser resolves to 123.123.123.123, they serve HTML that waits
for the DNS entry to expire (or force it to expire by flooding the cache
with lookups), then they have permission to read and set headers.

I have a domain I use for testing DNS rebinding called rbndr.us, you can
use this page to generate hostnames (source code is here:
https://github.com/taviso/rbndr):

https://lock.cmpxchg8b.com/rebinder.html

Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use
7f000001.c7f11de3.rbndr.us:

$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 199.241.29.227
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1

Here you can see the resolution alternates between the two addresses I want
(note that depending on caching it might take a while to switch, the TTL is
set to minimum but some servers round up).

I just wait for the cached response to expire, and then POST commands to
the server.

Exploitation is simple, you could set script-torrent-done-enabled and run
any command, or set download-dir to /home/user/ and then upload a torrent
for ".bashrc".

Here is my (simple) demo, it's slow, but could be made very fast:

http://lock.cmpxchg8b.com/Asoquu3e.html

I've verified it works on Chrome and Firefox on Windows and Linux (I tried
Fedora and Ubuntu), I expect other platforms and browsers are affected. There
are screenshots of how the attack is supposed to look on the bug report
here:

https://github.com/transmission/transmission/pull/468

Tavis.
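The session-id check above fails because the rebound page is same-origin with the daemon and may read and set any header. What the rebound request cannot disguise is its Host header: the browser fills it with the attacker's hostname (here 7f000001.c7f11de3.rbndr.us), never with "localhost" or an IP literal. Validating Host is the standard server-side mitigation for DNS rebinding and is what Transmission's upstream fix (the attached patch, released in 2.93 with the rpc-host-whitelist setting) does. The C below is an added illustration written for this report, not code from the attachment or from Transmission; the function name rpc_host_allowed, the whitelist entry nas.example.lan and the sample Host values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Copy a Host header value without its optional ":port" suffix.
 * IPv6 literals arrive bracketed ("[::1]:9091"); a bare "::1" has
 * several colons and is left untouched. */
static void strip_port(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, host, n);
    out[n] = '\0';

    if (out[0] == '[') {
        char *close = strchr(out, ']');
        if (close != NULL) {
            *close = '\0';
            memmove(out, out + 1, strlen(out + 1) + 1);
        }
        return;
    }

    char *colon = strchr(out, ':');
    if (colon != NULL && strchr(colon + 1, ':') == NULL)
        *colon = '\0';
}

/* True for a textual IPv4 or IPv6 address. A browser that reached the
 * daemon by literal address was never steered there by a rebinding name. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* Constructed whitelist: the name an administrator gave a NAS so that
 * remote clients can use it. Hypothetical, not a value from the report. */
static const char *const demo_whitelist[] = { "nas.example.lan" };

/* Decide whether an RPC request may be served, based only on its Host
 * header. A missing Host is treated as untrusted. Case-insensitive
 * comparison, because hostnames are. */
bool rpc_host_allowed(const char *host_header, const char *const *whitelist, size_t n)
{
    if (host_header == NULL || *host_header == '\0')
        return false;

    char host[256];
    strip_port(host_header, host, sizeof host);

    if (strcasecmp(host, "localhost") == 0)
        return true;
    if (is_ip_literal(host))
        return true;
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(host, whitelist[i]) == 0)
            return true;
    return false; /* e.g. a rebinding hostname such as 7f000001.c7f11de3.rbndr.us */
}

int main(void)
{
    /* Constructed Host values: the first three are legitimate local
     * clients, the fourth is what a rebound browser page would send. */
    const char *samples[] = {
        "localhost:9091", "127.0.0.1:9091", "[::1]:9091",
        "7f000001.c7f11de3.rbndr.us:9091", "nas.example.lan:9091",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i],
               rpc_host_allowed(samples[i], demo_whitelist, 1) ? "serve" : "reject");
    return 0;
}
```

The check is deliberately a complement to the session-id token, not a replacement: a page on attacker.com fetching http://127.0.0.1:9091 directly still cannot read or set X-Transmission-Session-Id across origins, so the existing token blocks that path, while the Host check blocks the rebinding path in which the origin check has been subverted. A daemon exposed under a DNS name (the NAS case in the report) needs that name in the whitelist, or its own clients are rejected.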
Comment 1 Marcus Meissner 2018-01-15 06:13:42 UTC
Created attachment 756007 [details]
0001-mitigate-dns-rebinding-attacks.patch

patch attached to mail
Comment 2 Marcus Meissner 2018-01-15 06:14:13 UTC
Here is an updated version of the patch (some tests were failing):

https://patch-diff.githubusercontent.com/raw/transmission/transmission/pull/468.diff
Comment 3 Swamp Workflow Management 2018-01-18 15:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1075921) was mentioned in
https://build.opensuse.org/request/show/567445 Factory / transmission
Comment 4 Tomáš Chvátal 2019-07-11 11:24:35 UTC
This is automated batch bugzilla cleanup.

The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please
feel free to reopen this bug against that version (!you must update the
"Version" component in the bug fields, do not just reopen please), or
alternatively create a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime
Comment 5 Marcus Meissner 2019-07-11 12:32:56 UTC
looks still unfixed in 15.0.
Comment 6 Alexandros Toptsoglou 2020-01-16 13:19:53 UTC
Leap ships version 2.94 which is not affected by this issue. Closing