CVE-2018-5702 in transmission
Summary
by MITRE
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.
Analysis
by VulDB Data Team • 02/02/2025
The vulnerability identified as CVE-2018-5702 affects Transmission 2.92 and represents a critical access control flaw that enables remote code execution through improper session management and header validation. This vulnerability stems from Transmission's reliance on the X-Transmission-Session-Id header for access control purposes, a design decision that creates a significant security gap in the application's authentication mechanism. The flaw specifically manifests in the RPC endpoint at /transmission/rpc where the application accepts this header without proper validation, allowing attackers to bypass authentication mechanisms through crafted POST requests.
The technical exploitation of this vulnerability involves a sophisticated attack chain that combines session header manipulation with DNS rebinding techniques. Attackers can construct malicious POST requests to the RPC endpoint while simultaneously leveraging DNS rebinding to circumvent the browser's same-origin policy restrictions. This dual approach enables the attacker to execute arbitrary RPC commands against the Transmission daemon, which operates with elevated privileges. The vulnerability essentially allows an unauthenticated attacker to perform administrative operations on the Transmission service, including file system modifications, which can lead to complete system compromise.
The operational impact of CVE-2018-5702 extends beyond simple unauthorized access, as it provides attackers with the ability to write arbitrary files to the system where Transmission is running. This capability can be leveraged to install malicious software, modify configuration files, or establish persistence mechanisms within the affected environment. The vulnerability affects systems where Transmission is exposed to untrusted networks or the internet, making it particularly dangerous for home users who may have Transmission configured to accept remote connections. The attack requires minimal privileges to execute successfully, as the application does not properly validate the session identifier's authenticity or origin, creating a direct path for privilege escalation.
Security professionals should note that this vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and represents a classic example of insufficient session management. The ATT&CK framework categorizes this vulnerability under privilege escalation and execution techniques, specifically targeting the use of legitimate system tools for unauthorized operations. Organizations should immediately apply the vendor-provided patch that addresses the session header validation issue and implement network segmentation to restrict access to Transmission's RPC endpoint. Additional mitigations include configuring Transmission to only accept connections from trusted networks, disabling remote RPC access where possible, and implementing proper firewall rules to restrict access to the RPC endpoint. The vulnerability demonstrates the critical importance of proper header validation and session management in web applications, particularly when dealing with administrative functions that can affect the underlying system.
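The header-validation mitigation described above, sketched as an added example (this is not Transmission's code or the vendor patch): a Host allowlist evaluated before the session id, because a DNS-rebound request still carries the attacker-chosen name in Host. The session id, hostnames and port below are constructed values, and the allowlist is hypothetical.

```python
import hmac
import ipaddress

# Constructed values for illustration; none are taken from Transmission.
SESSION_ID = "constructed-session-id-0001"
ALLOWED_HOSTNAMES = {"localhost", "nas.home.example"}  # hypothetical allowlist


def host_name(host_header):
    """Return the Host header value without its port, lower-cased."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:9091
        return host[1:host.index("]")] if "]" in host else ""
    return host.split(":", 1)[0].rstrip(".")


def host_is_trusted(host_header):
    """Accept IP literals and allowlisted names; reject every other DNS name."""
    name = host_name(host_header)
    try:
        ipaddress.ip_address(name)  # a literal address involves no DNS lookup to rebind
        return True
    except ValueError:
        return name in ALLOWED_HOSTNAMES


def session_only_check(headers):
    """Model of the flaw in the summary: the session header is the only gate."""
    sent = headers.get("X-Transmission-Session-Id", "")
    return hmac.compare_digest(sent.encode(), SESSION_ID.encode())


def hardened_check(headers):
    """Host allowlist first, then the same session check."""
    return host_is_trusted(headers.get("Host")) and session_only_check(headers)


# Constructed requests. After rebinding, the browser still sends the name it
# resolved in Host, and same-origin script can attach a valid session id.
REQUESTS = {
    "rebound": {"Host": "rebind.attacker.example:9091", "X-Transmission-Session-Id": SESSION_ID},
    "local": {"Host": "localhost:9091", "X-Transmission-Session-Id": SESSION_ID},
    "ipv6": {"Host": "[::1]:9091", "X-Transmission-Session-Id": SESSION_ID},
    "no_host": {"X-Transmission-Session-Id": SESSION_ID},
}


def evaluate():
    """Map each sample request to (session-only verdict, hardened verdict)."""
    return {k: (session_only_check(h), hardened_check(h)) for k, h in REQUESTS.items()}
```

The "rebound" request passes the session-only check and fails the hardened one, which is the gap the Host check closes.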