Private BitTorrent Trackers Under Threat From Major Exploit

Written by enigmax on April 18, 2008 

Thousands of private BitTorrent trackers using the popular TBDev code are vulnerable to hostile takeover. According to a security researcher, a successful execution of the exploit could result in the attacker gaining admin rights to the tracker. However, knowledge and a little care can mitigate the effects.

The popular TBDev code, on which thousands of private BitTorrent trackers are built, is said to be vulnerable to a major exploit. A successful attack could allow a malicious attacker to deface the main tracker page (index.php) and hijack the account of anyone who logs into the application. Worryingly, it’s even possible to hijack an administrator’s account by using a social engineering attack to get them to click on a specially crafted hyperlink, although most admins won’t be tricked by this method.

According to Michael Brooks, a security researcher who brought this issue to our attention, this particular TBDev exploit is down to the fact that the developers didn’t protect the administrative interface from Cross Site Scripting attacks (XSS).

The attack uses CSRF in a chain with other flaws to obtain synergy – Michael calls this CSRF Bouncing.

“Unfortunately this Cross Site Scripting attack is accessible by an attacker using a Cross Site Request Forgery” Michael told TorrentFreak. “The Cross Site Scripting flaw is particularly valuable. The XSS payload is stored in the main index.php for the application. This means that an attacker can expose every visitor to their payload.”

Michael goes on: “The CSRF flaw is POST based so it does require the administrator to execute javascript. Finding the administrator account isn’t difficult if you have a user account on the system. Like with just about every SQL powered application the administrator is the first user account created. From this profile you will be able to send a personal message and you may even be able to obtain the admin’s email address.”

Worryingly, even if the attacker doesn’t have a user account, it’s possible to get one using an XSS flaw.

Michael explained how a malicious attacker increases his chances of success with the exploit by combining it with a little social engineering.

“In this case I am using the reflective XSS flaw to make it appear as though the administrator is viewing his own web application. The social engineering attack could look something like this: ‘I think there is a bug in your site. Can you check this link, it just does not look right http://localhost/redir.php?url=’ . This now means the flaw is no longer a “Cross Site” Request Forgery, because the request is being sent from the same website.”

After a successful attack it’s possible to deface the site and “hijack every user’s authentication token indefinitely”.

So what can be done to avoid this exploit? Michael told TorrentFreak:

“The most important thing to keep in mind is do not click on links that look like this. The link can be easily modified to be shorter, but the important part is avoiding links to TBDev’s /redir.php.”

[Image: exploit]

“However this isn’t the only way that the flaw can be exploited. If you visit a website that the hacker controls then he can also trigger the attack. If you think you might have clicked on a bad link, change your password immediately.”

So what should an admin do if they already fell victim to the exploit?

“To remove the persistent XSS payload the administrator might have to log in to the SQL server manually and delete the offending entry in the “news” table (since they won’t be able to use the web application to delete the news posting) using DELETE FROM news WHERE body LIKE '%fromCharCode%'.

The difficult part is that every user will have to change their password. In PHP I suggest defending against XSS using htmlspecialchars($var, ENT_QUOTES);. There are cases where XSS can still be possible without ENT_QUOTES. To defend against CSRF I suggest using PHP CSRF Guard.”

An administrator on a TBDev tracker we spoke with suggested a very quick fix off the top of his head:

in news.php change

$body = $_POST["body"];

to

$body = htmlspecialchars($_POST["body"],ENT_QUOTES);

We put this to Michael who told us: “The fix isn’t bad however the same fix also needs to be applied to $_GET["url"] in redir.php or the administrator account as well as others are subjected to hijack. There are other security problems with this application, but the XSS is the most serious as it leads to immediate attack.”
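
The three defences discussed above (encoding with ENT_QUOTES, validating the URL handed to redir.php, and a CSRF token on the admin POST), put together as an added example. This is not TBDev code or PHP CSRF Guard; the function names are hypothetical, the inputs are constructed, and it assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not TBDev code or PHP CSRF Guard.

// HTML-encode a value for output. The flags are passed explicitly because
// the default before PHP 8.1 was ENT_COMPAT, which leaves ' unencoded.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Redirect targets: accept only absolute http(s) URLs. Encoding alone does
// not neutralise a javascript: URL that ends up in a link.
function safe_redirect_target(string $url): ?string
{
    // Reject whitespace and control characters anywhere in the value.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-relative or malformed
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Per-session token for state-changing forms such as the news editor.
// $session stands in for $_SESSION so the example runs from the CLI.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Constant-time comparison of the posted token with the session's token.
function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// --- Constructed inputs; the markers below carry no script. ---

// 1. Why ENT_QUOTES matters: a value placed in a single-quoted attribute.
//    With ENT_COMPAT the quote survives and a second attribute appears.
$value = "x' data-injected='1";
echo "ENT_COMPAT: <input value='", htmlspecialchars($value, ENT_COMPAT, 'UTF-8'), "'>\n";
echo "ENT_QUOTES: <input value='", e($value), "'>\n";

// 2. News body: markup is shown as text instead of being interpreted.
echo e('<b>Tracker news</b> & "updates"'), "\n";

// 3. redir.php-style parameter: only http(s) targets pass.
$candidates = ['http://example.com/page?id=1', 'javascript:void(0)', '//example.com/', '/local/path'];
foreach ($candidates as $candidate) {
    $verdict = safe_redirect_target($candidate) === null ? 'rejected' : 'allowed';
    echo str_pad($verdict, 9), e($candidate), "\n";
}

// 4. Admin POST: accepted only when it carries the session's token.
$session = [];
$token = csrf_token($session);
var_dump(csrf_valid($session, ['body' => 'hello', 'csrf' => $token]));
var_dump(csrf_valid($session, ['body' => 'forged']));
```

A token only stops requests forged from another site. Script running through a same-origin XSS flaw can read the token from the page, so the encoding and URL checks have to be in place for the token to mean anything.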

Earlier today TorrentFreak contacted a number of admins with details of the exploit. Michael tells us he has notified the relevant people of the flaw but it may take a few days until an official patch is made available.

The full details of the exploit are available here.

62 Responses

1 Apr 18, 2008 at 19:30 by Rycon

Crazy haxxors..

2 Apr 18, 2008 at 19:30 by Anonymous

or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev

3 Apr 18, 2008 at 19:36 by fixxxxxxxed

thanks freaks!!

fixed my tracker in 2 mins!!

4 Apr 18, 2008 at 19:43 by George

OH MY GOD!

5 Apr 18, 2008 at 19:49 by troll

All the fuckwits on here (and everywhere else) spouting that private trackers are more secure, this just goes to show how little you know losers.

6 Apr 18, 2008 at 19:54 by mike jones

they r safer even with that prob prob can be fixed quick

7 Apr 18, 2008 at 19:56 by Anonymous

[quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?

8 Apr 18, 2008 at 20:10 by coolyou

yeah 8th

whatever no one’s gonna get caught

9 Apr 18, 2008 at 20:13 by h33t

good spot enigmax, thanks dude

10 Apr 18, 2008 at 20:19 by Anonymous

old news is old

11 Apr 18, 2008 at 20:42 by Anonymous

[QUOTE]An administrator on a TBDev tracker we spoke with suggested a very quick fix off the top of his head:
… crappy fix here…[/quote]
The exploit deals not with news.php, but with redir.php. If the attacker convinces the sysop to visit a certain url, it can do whatever he wants, including pretending to post a news item.

12 Apr 18, 2008 at 20:42 by punk

[QUOTE]An administrator on a TBDev tracker we spoke with suggested a very quick fix off the top of his head:
… crappy fix here…[/quote]
The exploit deals not with news.php, but with redir.php. If the attacker convinces the sysop to visit a certain url, it can do whatever he wants, including pretending to post a news item.

13 Apr 18, 2008 at 20:55 by James

WHY wouldn’t you escape something as important as that??? This is madness!

14 Apr 18, 2008 at 21:14 by ARS-ART

MADNESS!

15 Apr 18, 2008 at 21:39 by SirNull

Madness? THIS IS… oh nevermind.

16 Apr 18, 2008 at 22:15 by worship

ALL GLORY TO THE HYPNOTOAD!!!

17 Apr 18, 2008 at 22:31 by randomguy

HYPNOTOAD!!!HYPNOTOAD!!!HYPNOTOAD!!!HYPNOTOAD!!!HYPNOTOAD!!!HYPNOTOAD!!!

18 Apr 18, 2008 at 22:57 by Anony Mouse

Kinda funny, this has been fixed awhile back, and if sysops dun check new fixes, then whose fault is it?

Most sysops from tbdev have applied these patches. So yeah, this will work on the older scripts but not exclusive to tbdev, but to tbsource which most private trackers src originates from.

As u also notice, tbdev still support their code. Can u say as much for the other variants of tbsource code?

So this is a sysop issue. To check/make proper updates.

19 Apr 18, 2008 at 23:10 by Anonymous

[quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.

20 Apr 18, 2008 at 23:25 by a/s/l

[quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]

i believe it’s called trolling.

21 Apr 18, 2008 at 23:42 by Lee

thanks

http://www.mp3plz.com

Providing over 2 million mp3s yes free and no account needed

22 Apr 18, 2008 at 23:51 by Blaenk Denum

Enigmax, is this how Underground-Gamer got hacked? http://filesharefreak.com/2008/04/17/underground-gamer-hackedagain/

23 Apr 19, 2008 at 00:10 by uberfu

Interesting!

Pirating from the Pirates!

24 Apr 19, 2008 at 00:39 by john

old news, this only applies on the older version

25 Apr 19, 2008 at 00:56 by Anonymous

[quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.

26 Apr 19, 2008 at 01:34 by !

[quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?

27 Apr 19, 2008 at 05:01 by TV

This is an OLD hack – very old and most private trackers have known about it for 2 years. But I guess re-hashing old news stories makes it new news for the n00bs. At least it’s not stupid news like when TF made that list of private sites recently and then showed the invite hammer script that basically ddoses a site that NEVER will be open for signups. This is why many sites are now losing faith in TF lately.

28 Apr 19, 2008 at 06:24 by Anonymous

[quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.

29 Apr 19, 2008 at 08:47 by Stompin'onyoblackface

Wow.

30 Apr 19, 2008 at 10:05 by SceneNotice

http://www.SceneNotice.com

ROFL, imma troll tooz

31 Apr 19, 2008 at 10:14 by Anonymous

[quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol

32 Apr 19, 2008 at 15:08 by LONG_cat

ZOMG!!! WHAT HAS SCIENCE DONE!!!!

33 Apr 19, 2008 at 15:19 by Phil

[quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]
I wonder if u can still read the middle quote

34 Apr 19, 2008 at 15:21 by Phil

[quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better

35 Apr 19, 2008 at 17:06 by Anonymous

[quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote]

36 Apr 19, 2008 at 18:16 by punk

[quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !!

37 Apr 19, 2008 at 18:17 by Anonymous

[quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]

any of the 40k users that dislike it can leave. there is nothing keeping them there

38 Apr 19, 2008 at 18:49 by TheFoX

Just about all the hacks known to affect TBDev code have been covered in a special thread dealing with vulnerabilities.

My own source is not affected by the news.php bug since it encodes everything as bbtext rather than using raw HTML as originally scripted.

Also, the new batch of redir.php uses one of the free anonymity services for non local links, meaning that trying to pass javascript via the ‘URL’ global variable will have no effect.

Finally, since when has this thread been concerned with the Gazelle v TBDev competition. People are free to choose TBD, or TBsource, or Gazelle, or any other tracker script available. This thread only concerns TBDev, so those introducing Gazelle into this thread, please don’t.

39 Apr 19, 2008 at 19:14 by D3SI

always check TBDEV for updates so you won’t get hacked :)

40 Apr 19, 2008 at 19:53 by Lee

http://www.mp3plz.com

Providing over 2 million mp3s yes free and no account needed

41 Apr 19, 2008 at 20:13 by Anonymous

hahaha now since gazelle is failing so badly they are disabling users who are talking shit about it. censorship ftw? on a torrent site? irony? lulzy

42 Apr 19, 2008 at 20:33 by lolcakes

lol, they included the link to the exploit and from there you can see the exploit and learn to use it by reading the txt file on the page

http://www.rooksecurity.com/exploits/tbdev.txt

43 Apr 19, 2008 at 21:08 by Anonymous

[quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay

44 Apr 19, 2008 at 21:08 by gluggen_93@hotmail.com

well it doesn’t work

45 Apr 20, 2008 at 01:50 by steveballmer

It’s called reaping what you sow!

http://fakesteveballmer.blogspot.com

46 Apr 20, 2008 at 03:36 by Anonymous

lol gazelle is failing so bad they disabled user accounts who were talking shit about it. censorship ftw? on a torrent site? irony? this is all just lulzy

47 Apr 20, 2008 at 03:58 by confused

I fail to see what all this gazelle stuff has to do with the initial news topic. *sigh* A bunch of kids being silly again no doubt.

48 Apr 20, 2008 at 04:07 by Dimsdale

OMG, you call this news TF? Wait until next month when someone let you “discover” the new exploit, clueless twits. Shut down all private trackers, you hijacked p2p and have no friends anywhere, except the sheep.

49 Apr 20, 2008 at 07:53 by Slurbo

[quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote]

50 Apr 20, 2008 at 09:28 by x0r

Snore. How is this news? Anyone remotely knowledgeable of tbdev (or coding at all) will just laugh at this article.

51 Apr 20, 2008 at 10:42 by tacgnol

[quote comment="353000"][quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote][/quote]
Indeed.

52 Apr 20, 2008 at 11:44 by Anonymous

[quote comment="353000"][quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote][/quote]

Nope.

Gazelle’s nice. Different, but nice.

53 Apr 20, 2008 at 16:51 by Anonymous

Old news :| any tracker that gives a fuck patched this kind of thing a long time ago.

54 Apr 21, 2008 at 01:39 by Anonymous

[quote comment="353120"][quote comment="353000"][quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote][/quote]
Indeed.[/quote]

FORMATTING ERROR DEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERS

55 Apr 21, 2008 at 14:14 by Anonymous

[quote comment="353927"][quote comment="353120"][quote comment="353000"][quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote][/quote]
Indeed.[/quote]

FORMATTING ERROR DEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERS[/quote]

56 Apr 21, 2008 at 14:22 by Anonymous

[quote comment="354295"][quote comment="353927"][quote comment="353120"][quote comment="353000"][quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote][/quote]
Indeed.[/quote]

FORMATTING ERROR DEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERS[/quote][/quote]

57 Apr 21, 2008 at 19:48 by Anonymous

[quote comment="354304"][quote comment="354295"][quote comment="353927"][quote comment="353120"][quote comment="353000"][quote comment="352346"][quote comment="352140"][quote comment="352041"][quote comment="351903"][quote comment="351776"][quote comment="351490"][quote comment="351276"][quote comment="351253"][quote comment="351158"][quote comment="351138"][quote comment="350812"][quote comment="350756"]or you could just install what.cd project gazelle. and get hacked in less time than it takes for tbdev[/quote]

This article wasn’t meant to be a popularity contest for Gazelle.

Hahahaha.

You’re kidding right?[/quote]
Lol, he must be joking.[/quote]
i believe it’s called trolling.[/quote]

no not kidding. gazelle obviously a horrible attempt at a web 2.0 application. and it is only a matter of time before it is exploited to high hell. oh wait, there already has been an exploit for it.[/quote]

It’s been in public beta for what, twelve hours?[/quote]
Any exploit has been fixed within a few minutes of it being found.

Also, the code is in “public beta” I assume you don’t know what that means, but it’s still BETA – that means there are still bugs! It’s in beta so that it can be tested to make it safe when the source code is released.[/quote]
if its beta than don’t release it to 40k users and expect them to like it? lol[/quote]
Oh wait this 1’s even better[/quote][/quote]
Enough already with this quoting madness !![/quote]
gay[/quote][/quote]
Indeed.[/quote]

FORMATTING ERROR DEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERSDEVELOPERS[/quote][/quote][/quote]

58 Apr 22, 2008 at 03:59 by Spanky69

How about those of us that didn’t know about this “old news” or are not “knowledgeable of tbdev (or coding)” but still find it interesting?

You lot are such arse holes.

59 Apr 23, 2008 at 20:58 by SiteOwner

As it appears, this just means we need to have a complete new code structure… get moving slackers!

60 Apr 29, 2008 at 17:46 by sonjia

You can view our demo site at http://www.dmpoint.com/FarmersDemo.
Just click the login button on the bottom right, and login using “test” as the username and “password” as the password.

61 Jun 01, 2008 at 05:40 by Anonymous

“mp3plz.com
Providing over 2 million mp3s yes free and no account needed”

It’s just a blog site & u still have to join/sign up, which means identifying info, email address, ads, tracking cookies, PC scanning, and possibly payments or worse things.

62 Jun 01, 2008 at 05:46 by Anonymous

I don’t need to worry about it as I doubt I’d ever use it. Why would anyone pay extra for free Web content?

Responses are closed

All remaining responses will continue to be archived. Use the TorrentFreak forums if you want to discuss something.