DNS rebinding attacks against transmission daemon

Status
Not open for further replies.

moosethemucha

Dabbler
Joined
Feb 25, 2017
Messages
33
Not sure if this is the right place for this, but I thought it would be a good idea to put this here, as I think a lot of people are running some sort of torrent client. They haven't released any other info on what other torrent clients are affected, but it seems to be an issue for most of them.

Now I'm not sure this will affect OpenBSD but I'm pretty sure it will, as the attack is simply using the transmission code base and nothing else - I'm in the process of a PoC on OpenBSD/FreeNAS.

Looking at the port, it uses an outdated version of transmission, 2.92, found in the releases of transmission.

http://cvsweb.openbsd.org/cgi-bin/c...e?rev=1.122&content-type=text/x-cvsweb-markup

Specifically the line
Code:
MASTER_SITES=	https://github.com/transmission/transmission-releases/raw/master/
EXTRACT_SUFX=	.tar.xz


Which from my understanding isn't patched.

What I'm going to try and do is recompile the latest version with the patch enabled and see if I can install it - this is going to be difficult for me as I'm a Linux guy and not very familiar with how to go about this. What I'm hoping is to create a tar and then point that MAKEFILE to it. I'll see how I go.

Anyone who wants to help, feel free. This is a massive hole in my system and I currently have transmission turned off.

Currently there is CVE but I will update once I know more.
Some links

Original Bug Thread - with some PoC's
https://bugs.chromium.org/p/project-zero/issues/detail?id=1447

Github pull request and mitigation
https://github.com/transmission/transmission/pull/468

BSD port page
http://openports.se/net/transmission

Tweet/discovery
https://twitter.com/taviso/status/951526615145566208
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> Now I'm not sure this will affect OpenBSD but I'm pretty sure it will, as the attack is simply using the transmission code base and nothing else - I'm in the process of a PoC on OpenBSD/FreeNAS.

FreeNAS uses FreeBSD.

Hmm, remote code execution is nasty, even in a jail. This might interest the torrent crowd.
 

Pentaflake

Explorer
Joined
Jul 8, 2014
Messages
91
> Now I'm not sure this will affect OpenBSD but I'm pretty sure it will, as the attack is simply using the transmission code base and nothing else - I'm in the process of a PoC on OpenBSD/FreeNAS.

From the original bug thread with the recommended/suggested fixes to the transmission devs:
* If a connection is over the loopback interface, the hostname must match "localhost", "localhost.", "127.0.0.1", or "[::1]". This is the same list CUPS uses: https://github.com/apple/cups/blob/master/scheduler/client.c#L3752
* If a connection is not over loopback, allow any hostname iff auth is enabled.
* If a connection is not over loopback and auth is not enabled, require the user to create a whitelist of acceptable hostnames (They can specify * if they really really don't want security).

Meaning it can easily be mitigated by having RPC authentication set up on your transmission server for access via RPC, until the acceptable hostname whitelist option is made available on FreeBSD's version of transmission, if you don't want to keep auth on long term.

Additionally, using a DNS caching server such as unbound as your main DNS on the network/devices that have access to your transmission server can help as well, as it has options to mitigate DNS rebinding attacks like this.
Code:
server:
    # Enforce privacy of these addresses. Strips them away from answers.  It may
    # cause DNSSEC validation to additionally mark it as bogus.  Protects against
    # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
    # 'local-data' names are allowed to have these private addresses. No default.
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
 
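The three Host-header rules quoted from the bug thread in the last post, written out as an added C example. It is not part of the thread and is not Transmission's own patch; the function names, the stripping of a `:port` suffix and the sample hostnames in the checks are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Copy the Host value without an optional ":port"; "[::1]:9091" -> "[::1]". */
static bool host_without_port(const char *host, char *out, size_t outlen)
{
    size_t len;
    if (host[0] == '[') {
        const char *end = strchr(host, ']');
        if (end == NULL || (end[1] != '\0' && end[1] != ':'))
            return false;                   /* malformed IPv6 literal */
        len = (size_t)(end - host) + 1;
    } else {
        len = strcspn(host, ":");
    }
    if (len == 0 || len >= outlen)
        return false;
    memcpy(out, host, len);
    out[len] = '\0';
    return true;
}

/* Case-insensitive match against a list; a "*" entry accepts any name. */
static bool name_in_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], "*") == 0 || strcasecmp(list[i], name) == 0)
            return true;
    return false;
}

/* Hypothetical check applying the three rules from the bug thread. */
bool rpc_host_allowed(bool over_loopback, bool auth_enabled, const char *host_header,
                      const char *const *whitelist, size_t whitelist_len)
{
    static const char *const loopback[] = { "localhost", "localhost.", "127.0.0.1", "[::1]" };
    char name[256];
    if (host_header == NULL || !host_without_port(host_header, name, sizeof name))
        return false;                       /* missing or malformed Host header */
    if (over_loopback)
        return name_in_list(name, loopback, 4);          /* rule 1 */
    if (auth_enabled)
        return true;                                     /* rule 2 */
    return name_in_list(name, whitelist, whitelist_len); /* rule 3 */
}
```

A rebinding page's requests carry the attacker's own hostname in the Host header, so on a loopback listener rule 1 rejects them whether or not auth is enabled.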