Transmission BitTorrent client working on patch for RCE vulnerability


The developers of the BitTorrent client Transmission are working on a patch for a remote code execution (RCE) vulnerability found by a researcher at Google’s Project Zero. He demonstrated an attack from a malicious website against the client’s web interface.

Tavis Ormandy, the researcher who found the vulnerability, writes that a malicious website could give an attacker access to a Transmission user’s web interface, which should only be reachable via localhost. Using a technique known as DNS rebinding, Ormandy demonstrates that he can change Transmission settings and, for example, have a particular script run once a torrent has been downloaded. In a published demo of the attack, the researcher reports that it takes about five minutes to complete. The attack is said to work in Chrome and Firefox on both Windows and Linux. The macOS version is also vulnerable, according to a tweaker.
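DNS rebinding works against a localhost-only service because the browser keeps sending the attacker's hostname in the `Host` header even after that name resolves to 127.0.0.1. The following is an added example, not code from Transmission or from Ormandy's patch: a `Host` allowlist check that such a service can apply to every request. The function names, the allowlist and the sample header values are assumptions constructed for illustration.

```python
import ipaddress

# Names accepted besides literal loopback addresses (assumed policy).
ALLOWED_NAMES = frozenset({"localhost"})

def split_host_port(host_header):
    """Return the lowercased host part of a Host header, or None if malformed."""
    value = host_header.strip()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        if end == -1:
            return None
        rest = value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return value[1:end].lower()
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():
        return None
    return host.rstrip(".").lower() or None        # drop the FQDN trailing dot

def host_is_allowed(host_header, allowed_names=ALLOWED_NAMES):
    """True only for loopback IP literals or explicitly allowed names."""
    if not host_header:
        return False                               # missing Host: reject
    host = split_host_port(host_header)
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                             # not an IP literal: exact name match
        return host in allowed_names

# Constructed sample Host values a local web interface might receive.
SAMPLE_HOSTS = [
    "localhost:9091",                  # normal local use
    "[::1]:9091",                      # IPv6 loopback
    "rebind.attacker.example:9091",    # rebound name pointing at 127.0.0.1
    "127.0.0.1.attacker.example",      # look-alike name, not an IP literal
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h!r:40} -> {'accept' if host_is_allowed(h) else 'reject (403)'}")
```
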

The vulnerability has since been assigned CVE-2018-5702 and the patch has been merged, according to Transmission’s GitHub page. It looks like the patch will be released in version 2.93 of the software, which is not yet available. A member of the development team tells Ars Technica that only users who use Transmission with remote access and without password protection are vulnerable.

Ormandy reports that he sent the developers a patch on December 1, but it still hadn’t been applied last week. He expresses frustration at this taking so long, saying that open source projects often take hours to apply a patch, not months. The researcher says via Twitter that he has also found RCE vulnerabilities in other BitTorrent clients, but these are not yet public, as Project Zero has a 90-day deadline.
