Bug 1134985 - (CVE-2017-12778) VUL-1: CVE-2017-12778: qbittorrent: vulnerable to Authentication Bypass of UI Lock feature
Status: RESOLVED FEATURE
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Hardware: Other Other
Importance: P4 - Low Normal
Assigned To: Security Team bot
QA Contact: E-mail List
URL: https://smash.suse.de/issue/232449/
Reported: 2019-05-14 09:02 UTC by Robert Frohl
Modified: 2019-05-16 10:49 UTC

Description Robert Frohl 2019-05-14 09:02:13 UTC
CVE-2017-12778

The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to
Authentication Bypass, which allows an attacker to gain unauthorized access to
qBittorrent functions by tampering with the affected flag value of the config file at
the C:\Users\<username>\Roaming\qBittorrent pathname. The attacker must change
the value of the "locked" attribute to "false" within the "Locking" stanza.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12778
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12778.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12778
https://medium.com/@BaYinMin/cve-2017-12778-qbittorrent-ui-lock-authentication-bypass-30959ff55ada
http://archive.is/eF2GR
http://qbittorrent.com
Comment 1 Robert Frohl 2019-05-14 09:03:19 UTC
Only affects Leap 42.3; other versions have a newer version.
Comment 2 Luigi Baldoni 2019-05-14 16:56:19 UTC
I can reproduce it with qbittorrent 4.1.0 on Leap 15.0.

Also, I don't quite understand the point of this: unless this vulnerability is supposed to be triggered from another user or via network, shouldn't it be obvious that having access to ~/.config/qBittorrent.conf is all that is needed?
There's also a nice hashed password field that can be replaced to one's heart's content.
Comment 3 Luigi Baldoni 2019-05-16 10:49:49 UTC
This is not a bug, it's a weak security implementation that won't be addressed unless upstream rewrites it.
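
Added example (not part of the bug report and not qBittorrent code): because the lock state described above is stored in a file the user account can edit, the effective boundary is that file's permissions. This Python check reads the "locked" value from the "Locking" stanza and reports modes that would let other local accounts read or alter the file; the sample config and the finding names are constructed, and POSIX permissions are assumed.

```python
import os
import stat
import sys

# Constructed sample: only the "Locking" stanza and "locked" key come from the report.
SAMPLE_CONF = "[Other]\nlocked=false\n[Locking]\nlocked=true\n"

def read_locked_flag(path):
    """Return the raw 'locked' value from the [Locking] stanza, or None."""
    section = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Locking" and "=" in line:
                key, _, value = line.partition("=")
                if key.strip() == "locked":
                    return value.strip()
    return None

def audit_config(path):
    """List ways another local account could read or alter the config file."""
    findings = []
    st = os.stat(path)
    if st.st_uid != os.getuid():
        findings.append("owner-mismatch")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file-writable-by-others")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        # The same file holds the hashed lock password mentioned in comment 2.
        findings.append("file-readable-by-others")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    loose = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if loose and not parent.st_mode & stat.S_ISVTX:
        # A writable, non-sticky directory lets others swap the file out.
        findings.append("directory-writable-by-others")
    return findings

if __name__ == "__main__":
    # Usage: python audit_lock.py /path/to/qBittorrent.conf
    for conf in sys.argv[1:]:
        print(conf, "locked =", read_locked_flag(conf), audit_config(conf))
```

An empty findings list means only the owning account (and root) can change the flag, which is the situation comment 2 describes.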