Tavis Ormandy, an IT security researcher at Google’s Project Zero, has identified a critical flaw in the Transmission BitTorrent app that, if exploited, lets attackers take full control of a targeted computer running Linux or Windows.
Ormandy warned that the flaw (CVE-2018-5702) is present in a Transmission function that allows attackers to control the BitTorrent app through their web browser, and that other BitTorrent clients can also be prime targets.
The proof of concept published by Ormandy explains that the flaw currently works on computers running the Chrome and Firefox browsers on Linux and Windows. However, the flaw might also work on other platforms, such as browsers on macOS, if the user has enabled remote access.
Furthermore, the PoC explains that, since a number of users run this function without any password, an attacker can compromise a device using the domain name system (DNS) rebinding method and take control of it remotely. This means that those who use this feature without a password are the prime targets of this flaw.
Moreover, the flaw allows attackers to change the download directory of torrents and use Transmission to run commands once the app finishes downloading. In a Tweet, Ormandy explained that the flaw is the “first of a few remote code execution flaws in various popular torrent clients”.
First of a few remote code execution flaws in various popular torrent clients, here is a DNS rebinding vulnerability Transmission, resulting in arbitrary remote code execution. https://t.co/kAv9eWfXlG
— Tavis Ormandy (@taviso) January 11, 2018
No response from Transmission
Google’s Project Zero and Ormandy reported their findings to Transmission on November 30th, 2017, but the company not only ignored the report, it also did not reply to Google for more than a month, even though Ormandy sent his findings along with the patch. This forced the researchers to go public with their findings, and hopefully Transmission will learn a lesson.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy said.
If you download torrents, your device can be vulnerable to this attack; be vigilant and disable the remote access feature for now. Technical details on the flaw are available on GitHub.
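To check whether an installation is in the exposed state described above (remote access on, no password), the following added example audits a Transmission settings.json. It is not code from Ormandy's report or from the Transmission project; the key names are Transmission's own settings keys, which the article does not quote, and the sample configuration is constructed. Treating a missing key as the unsafe value is an assumption made for this audit.

```python
import json

# Constructed sample settings.json content (not taken from a real host).
SAMPLE = """{
  "rpc-enabled": true,
  "rpc-authentication-required": false,
  "rpc-bind-address": "0.0.0.0",
  "rpc-whitelist-enabled": true,
  "rpc-whitelist": "127.0.0.1",
  "script-torrent-done-enabled": false,
  "script-torrent-done-filename": ""
}"""


def audit_settings(text):
    """Return (severity, message) findings for a settings.json string."""
    cfg = json.loads(text)
    findings = []
    # Assumption: a missing key is treated as the unsafe value.
    if not cfg.get("rpc-enabled", True):
        return findings  # remote access is off: nothing for a browser to reach
    if not cfg.get("rpc-authentication-required", False):
        findings.append(("high", "remote access enabled without a password"))
    elif not cfg.get("rpc-password"):
        findings.append(("high", "authentication required but rpc-password is empty"))
    # The IP whitelist does not stop DNS rebinding: the request is sent by the
    # user's own browser, so it arrives from a whitelisted local address.
    # Only a check on the HTTP Host header rejects the attacker's domain name.
    if "rpc-host-whitelist-enabled" not in cfg:
        findings.append(("medium", "no Host-header whitelist setting present"))
    elif not cfg["rpc-host-whitelist-enabled"]:
        findings.append(("medium", "Host-header whitelist disabled"))
    if cfg.get("rpc-bind-address", "0.0.0.0") not in ("127.0.0.1", "::1"):
        findings.append(("low", "RPC listens on a non-loopback address"))
    # A completion script is the feature used to run commands after a download.
    if cfg.get("script-torrent-done-enabled", False):
        script = cfg.get("script-torrent-done-filename", "")
        findings.append(("info", "completion script enabled: %r" % script))
    return findings


if __name__ == "__main__":
    for severity, message in audit_settings(SAMPLE):
        print("[%s] %s" % (severity, message))
```

Stop Transmission before editing settings.json by hand, since the running app rewrites the file on exit.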
Not for the first time
This is not the first time Transmission has been in the news for all the wrong reasons. Previously, the BitTorrent client was caught dropping Keydnap