Local file overwriting due to directory traversal
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Hardy Backports |
Won't Fix
|
Medium
|
Unassigned | ||
transmission (Ubuntu) |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Hardy |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Intrepid |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Jaunty |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Karmic |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Lucid |
Fix Released
|
Medium
|
Jamie Strandboge |
Bug Description
Binary package hint: transmission
I've discovered a design flaw in the Transmission BitTorrent client that I would consider to be a security vulnerability. The Transmission client permits arbitrary characters in the names of files included in torrents, including characters that allow directory traversal (such as "../"). In addition, the client does not prompt the user before overwriting existing files with the same name as a file that is to be downloaded via torrent.
An attacker can create a malicious torrent file containing a file named specifically to overwrite important files on disk. For example, "../.ssh/
I have confirmed this behavior with a simple proof-of-concept torrent and text file, which I've attached. To confirm behavior, download the EVIL text file (which is just a sentence of text), and open the attached .torrent file in a child directory. For example, if EVIL is in "~/", open the .torrent from "~/Desktop". The torrent should begin seeding. From another machine, create a blank file (or any file, really) called EVIL at some location. This file represents an existing file on disk, and presumably wouldn't be called "EVIL" in a real situation. Note its contents, and open the .torrent file at a child directory, just as before. Once the download starts, you should note that the EVIL file in the parent directory has been overwritten with the contents of the torrent's EVIL file.
Clearly, the desired behavior is to download files into the current directory, not permitting any directory traversal, and perhaps prompting the user before overwriting existing data. This could be easily fixed by stripping ".." from incoming file names.
Although this attack requires a victim to open a malicious torrent file, because it does not require the victim to actually execute malicious code I would still consider it a security problem. Torrents are very widespread, and it would be trivial to host a malicious torrent containing legitimate files alongside files designed to compromise a victim's system. The fact that an attacker would have immediate knowledge of compromised victims via the torrent is especially dangerous.
I confirmed this behavior in Transmission 1.75 on Karmic, using both the GTK interface and transmission-cli.
Related branches
CVE References
Changed in transmission (Ubuntu): | |
status: | Confirmed → Triaged |
Changed in transmission (Ubuntu Jaunty): | |
status: | New → In Progress |
Changed in transmission (Ubuntu Karmic): | |
status: | New → In Progress |
Changed in transmission (Ubuntu Jaunty): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in transmission (Ubuntu Karmic): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in transmission (Ubuntu Intrepid): | |
importance: | Undecided → Medium |
Changed in hardy-backports: | |
status: | Triaged → Won't Fix |
Dan, thanks very much for the sample .torrent file. I'm travelling over Christmas at the moment but will test out the evil torrent ASAP and if it works as advertised I'll try to get a patch done in the next day or two and upload it when I get online next.