uTorrent Web HTTP RPC Server privileges management

Summaryinfo

A vulnerability marked as critical has been reported in uTorrent Web. This affects an unknown function of the component HTTP RPC Server. This manipulation causes privileges management. This vulnerability appears as CVE-2018-25040. The attack may be initiated remotely. In addition, an exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in uTorrent Web (Peer-to-Peer Software) (the affected version is unknown). It has been declared as critical. Affected by this vulnerability is an unknown code of the component HTTP RPC Server. The manipulation with an unknown input leads to a privileges management vulnerability. The CWE definition for the vulnerability is CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was presented 01/31/2018 by Tavis Ormandy (taviso) as confirmed bug report (Website). It is possible to read the advisory at bugs.chromium.org. The public release was coordinated in cooperation with uTorrent. This vulnerability is known as CVE-2018-25040. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. The advisory points out:

As the name suggests, uTorrent Web uses a web interface and is controlled by a browser as opposed to the desktop application. By default, uTorrent web is configured to startup with Windows, so will always be running and accessible. For authentication, a random token is generated and stored in a configuration file which must be passed as a URL parameter with all requests.

A public exploit has been developed by Tavis Ormandy (taviso) and been published immediately after the advisory. It is possible to download the exploit at bugs.chromium.org. It is declared as functional. The code used by the exploit is:

$ curl -si http://localhost:19575/users.conf
HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 19:46:44 GMT
Last-Modified: Wed, 31 Jan 2018 19:37:50 GMT
Etag: "5a721b0e.92"
Content-Type: text/plain
Content-Length: 92
Connection: close
Accept-Ranges: bytes

localapi29c802274dc61fb4        bc676961df0f684b13adae450a57a91cd3d92c03        94bc897965398c8a07ff    2       1

While not a particularly strong secret (8 bytes of std::random_device), it at least would make remote attacks non-trivial. Unfortunately however, the authentication secret is stored inside the webroot (wtf!?!?!?!), so you can just fetch the secret and gain complete control of the service. This requires some simple dns rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable.

Upgrading eliminates this vulnerability.Proper firewalling of tcp/19575 is able to address this issue. The best possible mitigation is suggested to be upgrading to the latest version.

Additional details are provided at scmagazineuk.com. See VDB-113804, VDB-113805, VDB-113806 and VDB-113807 for similar entries. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Peer-to-Peer Software

Vendor

• uTorrent

Name

• Web

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion