moosethemucha (Dabbler; joined Feb 25, 2017; 33 messages)
Not sure if this is the right place for this but I thought it would be a good idea to put this here, as I think a lot of people are running some sort of torrent client. They haven't released any other info on what other torrent clients are affected but it seems to be an issue for most of them.
Now I'm not sure this will affect OpenBSD but I'm pretty sure it will, as the attack is simply using the Transmission code base and nothing else - I'm in the process of a PoC on OpenBSD/FreeNAS.
Looking at the port, it uses an outdated version of Transmission (2.92) found in the releases of Transmission
http://cvsweb.openbsd.org/cgi-bin/c...e?rev=1.122&content-type=text/x-cvsweb-markup
Specifically the line
Code:
MASTER_SITES= https://github.com/transmission/transmission-releases/raw/master/
EXTRACT_SUFX= .tar.xz
Which from my understanding isn't patched.
What I'm going to try and do is recompile the latest version with the patch enabled and see if I can install it - this is going to be difficult for me as I'm a Linux guy and not very familiar with how to go about this. What I'm hoping is to create a tar and then point that Makefile to it. I'll see how I go.
Anyone who wants to help, feel free. This is a massive hole in my system and I currently have Transmission turned off.
Currently there is CVE but I will update once I know more.
Some links
Original Bug Thread - with some PoCs
https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
GitHub pull request and mitigation
https://github.com/transmission/transmission/pull/468
BSD port page
http://openports.se/net/transmission
Tweet/discovery
https://twitter.com/taviso/status/951526615145566208