“My passion is security, and I decided to get my hands dirty by auditing a code base. I picked Torrent Trader because it powers a website I use day to day, and the source is freely available,” Charles told us.

His efforts weren’t in vain, as Vaughn has found a significant vulnerability in the TorrentTrader Classic, which makes it possible for outsiders to see what files are traded, and by whom.

Written in PHP, TorrentTrader requires users to log in to download a torrent. At this point the IP address of the user is logged and only that IP may be used by the user to join the swarm. Charles has discovered that by exploiting a SQL injection hole in scrape.php, it is possible to get a list of all IPs in a torrent site’s database.

“It took me about a day to identify the scrape.php issue. This was done by searching through the code base for mysql calls, then backtracking any variables to see if they were used in an unsafe manner,” Vaughn said.

For the technically minded, Charles explains how the exploit works: “Scrape.php responds to scrape requests from the BitTorrent clients. It can generate two different responses. If called directly it will list all torrents and their status on the tracker. If called with a specific torrent hash, it will return the status for that torrent.”

“The problem is that TorrentTrader didn’t sanitize the input, and only checked to make sure that it was exactly 40 characters. The input was then passed directly to a database query. By putting in additional SQL in the info hash, and making sure it was 40 characters, it was possible to gain access to certain parts of the database.”

“Perhaps the biggest implication for this attack is that an outsider can view the IP addresses of who is using the tracker and which peers are sharing which files,” Vaugn concludes.

Tracker administrators can close the hole by replacing their scrape.php with the one found in the v1.08 release. Better safe than sorry.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

According to Michael Brooks, a security researcher who brought this issue to our attention, this particular TBDev exploit is down to the fact the developers didn’t protect the administrative interface from Cross Site Scripting attacks (XSS).

The attack uses CSRF in a chain with other flaws to obtain synergy – Michael calls this CSRF Bouncing.

“Unfortunately this Cross Site Scripting attack is accessible by an attacker using a Cross Site Request Forgery” Michael told TorrentFreak. “The Cross Site Scripting flaw is particularly valuable. The XSS payload is stored in the main index.php for the application. This means that an attacker can expose every visitor to their payload.”

Michael goes on: “The CSRF flaw is POST based so it does require the administrator to execute javascript. Finding the administrator account isn’t difficult if you have a user account on the system. Like with just about every SQL powered application the administrator is the first user account created. From this profile you will be able to send a personal message and you may even be able to obtain the admin’s email address.”

Worryingly, even if the attacker doesn’t have a user account, it’s possible to get one using an XSS flaw.

Michael explained how a malicious attacker increases his chances of a success with the exploit, by combining it with a little social engineering.

“In this case I am using the reflective XSS flaw to make it appear as though the administrator is viewing his own web application. The social engineering attack could look something like this: ‘I think there is a bug in your site. Can you check this link, it just does not look right http://localhost/redir.php?url=’ . This now means the flaw is no longer a “Cross Site” Request Forgery, because the request is being sent from the same website.”

After a successful attack it’s possible to deface the site and “hijack every user’s authentication token indefinitely”.

So what can be done to avoid this exploit? Michael told TorrentFreak:

“The most important thing to keep in mind is do not click on links that look like this. The link can be easily modified to be shorter, but the important part is avoiding links to TBDev’s /redir.php.”

“However this isn’t the only way that the flaw can be exploited. If you visit a website that the hacker controls then he can also trigger the attack. If you think you might have clicked on a bad link, change your password immediately.”

So what should an admin do if they already fell victim to the exploit?

“To remove the persistent XSS payload the administrator might have to login to the SQL server manually and delete the offending entry in the “news” table (since they won’t be able to use the web application to delete the news posting) using DELETE FROM news WHERE body LIKE ‘%fromCharCode%’.

The difficult part is that every user will have to change their password. In PHP I suggest defending against XSS using htmlspecialchars($var,ENT_QUOTES); . There are cases where XSS can still be possible without ENT_QUOTES. To defend against CSRF i suggest using PHP CSRF Guard.”

An administrator on a TBDev tracker we spoke with suggested a very quick fix off the top of his head:

in news.php change

$body = $_POST["body"];

to

$body = htmlspecialchars($_POST["body"],ENT_QUOTES);

We put this to Michael who told us: “The fix isn’t bad however the same fix also needs to be applied to $_GET["url"] in redir.php or the administrator account as well as others are subjected to hijack. There are other security problems with this application, but the XSS is the most serious as it leads to immediate attack.”

Earlier today TorrentFreak contacted a number of admins with details of the exploit. Michael tells us he has notified the relevant people of the flaw but it may take a few days until an official patch is made available.

The full details of the exploit are available here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

uTorrent is vulnerable to remote exploits (example) if the announce field of the .torrent file exceeds 4800 Bytes. This causes a buffer-overflow, and allow hackers to run their exploits. Note that these announce fields are normally smaller, so you have to be tricked into downloading a malicious torrent first.

The exploit is found in uTorrent 1.6 (build 474), but might affect older versions as well. It is reported that the exploit works on Windows 2000, and both Windows XP Service Pack 1 and 2.

The good news is that these exploits are only triggered by .torrent files that are designed to exploit uTorrent. This means that people are relatively safe if they watch out where they download their torrents from.

Update: This vulnerability has been fixed in the latest beta.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.