FreeBSD: VID-3E5B8BD3-0C32-452F-A60E-BEAB7B762351: transmission-daemon -- vulnerable to dns rebinding attacks
Description
Google Project Zero reports:
The transmission bittorrent client uses a client/server
architecture, the user interface is the client which communicates
to the worker daemon using JSON RPC requests.
As with all HTTP RPC schemes like this, any website can send
requests to the daemon listening on localhost with XMLHttpRequest(),
but the theory is they will be ignored because clients must prove
they can read and set a specific header, X-Transmission-Session-Id.
Unfortunately, this design doesn't work because of an attack called
"DNS rebinding". Any website can simply create a dns name that they
are authorized to communicate with, and then make it resolve to
localhost.
Exploitation is simple, you could set script-torrent-done-enabled
and run any command, or set download-dir to /home/user/ and then
upload a torrent for .bashrc.
Solution(s)
- freebsd-upgrade-package-transmission-daemon
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center