TorrentTrader Classic Vulnerable to IP Authorization Bypass
Written by enigmax on June 08, 2008
A security researcher has found a vulnerability in the TorrentTrader tracker software which can be exploited to leak the contents of a site’s IP database. This database can then be used to gain unauthorized access to a site’s tracker. The vendor has been informed and a fix is available.
Security researcher Charles Vaughn graduated with a software engineering degree from University of Texas at Arlington, and he now ‘pays his bills’ with general Unix application server stuff. Recently, Vaughn decided to take a look at the frequently used BitTorrent tracker TorrentTrader.
“My passion is security, and I decided to get my hands dirty by auditing a code base. I picked Torrent Trader because it powers a website I use day to day, and the source is freely available,” Charles told us.
His efforts weren’t in vain: Vaughn found a significant vulnerability in TorrentTrader Classic which makes it possible for outsiders to see what files are traded, and by whom.
Written in PHP, TorrentTrader requires users to log in before they can download a torrent. At that point the user’s IP address is recorded, and only that IP may be used by the account to join the swarm. Charles discovered that by exploiting a SQL injection hole in scrape.php it is possible to pull the list of all IPs from a torrent site’s database, so the IP check can no longer be trusted.
“It took me about a day to identify the scrape.php issue. This was done by searching through the code base for mysql calls, then backtracking any variables to see if they were used in an unsafe manner,” Vaughn said.
For the technically minded, Charles explains how the exploit works: “Scrape.php responds to scrape requests from the BitTorrent clients. It can generate two different responses. If called directly it will list all torrents and their status on the tracker. If called with a specific torrent hash, it will return the status for that torrent.”
“The problem is that TorrentTrader didn’t sanitize the input, and only checked to make sure that it was exactly 40 characters. The input was then passed directly to a database query. By putting in additional SQL in the info hash, and making sure it was 40 characters, it was possible to gain access to certain parts of the database.”
“Perhaps the biggest implication for this attack is that an outsider can view the IP addresses of who is using the tracker and which peers are sharing which files,” Vaughn concludes.
Tracker administrators can close the hole by replacing their scrape.php with the one found in the v1.08 release. Better safe than sorry.
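To make the flaw concrete, here is an added example that is neither TorrentTrader’s code nor anything from the article: a Python/SQLite stand-in for scrape.php that reproduces the length-only check, a 40-character “info hash” that passes it and rewrites the query, and the parameterized, whitelisted version of the same lookup that closes the hole. The table names, columns and peer addresses are constructed for the demo, and the assumption that the 40 characters are a hex-encoded SHA-1 info hash is mine; the real v1.08 fix may differ in detail.

```python
import re
import sqlite3

# Constructed sample data: one torrent and two peers. The schema is an
# assumption made for this demo, not TorrentTrader's real table layout.
VALID_HASH = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_PEERS = [(VALID_HASH, "10.0.0.5"), (VALID_HASH, "192.0.2.77")]


def build_db():
    """Return an in-memory stand-in for the tracker database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE torrents (info_hash TEXT PRIMARY KEY, "
                 "seeders INTEGER, leechers INTEGER)")
    conn.execute("CREATE TABLE peers (info_hash TEXT, ip TEXT)")
    conn.execute("INSERT INTO torrents VALUES (?, 3, 1)", (VALID_HASH,))
    conn.executemany("INSERT INTO peers VALUES (?, ?)", SAMPLE_PEERS)
    return conn


def scrape_vulnerable(conn, info_hash):
    """Mirror the flaw the article describes: the only check is the length,
    and the value is then spliced straight into the query text."""
    if len(info_hash) != 40:
        return []
    sql = ("SELECT info_hash, seeders, leechers FROM torrents "
           "WHERE info_hash = '%s'" % info_hash)
    return conn.execute(sql).fetchall()


def exploit_payload():
    """A 40-character 'info hash' that passes the length check but rewrites
    the query: close the string literal, UNION in the peers table (same
    column count as the original SELECT), then comment out the rest. The
    SQL comment swallows the padding needed to reach exactly 40 chars."""
    payload = "' UNION SELECT ip,0,0 FROM peers--"
    return payload.ljust(40, "x")


def scrape_parameterized(conn, info_hash):
    """Same query with the value bound as a parameter: the payload is
    compared as an (unmatched) literal string, never parsed as SQL."""
    if len(info_hash) != 40:
        return []
    return conn.execute(
        "SELECT info_hash, seeders, leechers FROM torrents WHERE info_hash = ?",
        (info_hash,),
    ).fetchall()


# Assumed format: a hex-encoded SHA-1 info hash, i.e. exactly 40 hex digits.
HEX40 = re.compile(r"[0-9a-fA-F]{40}")


def scrape_fixed(conn, info_hash):
    """Defence in depth: whitelist the expected shape AND bind the value."""
    if not HEX40.fullmatch(info_hash):
        raise ValueError("info_hash must be exactly 40 hex digits")
    return scrape_parameterized(conn, info_hash)


if __name__ == "__main__":
    db = build_db()
    print("legit   :", scrape_vulnerable(db, VALID_HASH))
    print("injected:", scrape_vulnerable(db, exploit_payload()))    # leaks peer IPs
    print("bound   :", scrape_parameterized(db, exploit_payload()))  # []
```

The injected query becomes `... WHERE info_hash = '' UNION SELECT ip,0,0 FROM peers--xxxxxx'`: the original WHERE matches nothing, the UNION appends every peer IP, and the comment discards the dangling quote. Against a different schema the attacker only has to adjust table names and column count, which is why the length check alone buys nothing; the parameterized query defeats the payload on its own, and the hex whitelist is the cheap extra layer that also rejects malformed requests early.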
11 Responses
First! Uiiiiii I’m so happy, now I can kill myself
mr. s you better kill yourself.
sunday is a slow news day but newsoftheweird.com posts new funny news on sundays so :D
So the issue is fixed in the latest release, thanks for providing everyone with a warning who may use this tracker. :)
none the less… please do shoot yourself :p
Wish there was some more exciting news like Cary Sherman shot himself by accident and will now have to live his life without his willy…
Cheers!
http://www.ezee.se/ copyright is copywrong
v1.08 was released on May 13… you might wanna pick up the pace ‘E’.
Is TT a good tracker anyway?
Diferior sounds good to me!
No serious tracker uses TorrentTrader.
If they do they cannot code and have no right attempting to setup a tracker in the first place.
I’m glad that we have reliable people like him to keep our bittorrent networks safe.
actually you can do much more than just get IPs with this attack :P
you can get anything you want from any table and as such log in as anyone you want, get all email addresses, read any/all PMs etc etc.
TorrentTrader sucks anyhow so it doesn’t matter much.. very few sites use it and most of these are not even worth the time it takes to sign up to them :P (imo at least)
I use TTL, the non-database version, for hosting legal torrents, projects, etc.
Not because I can’t code, I’m a novice coder, it’s just because it’s lightweight, fast, and fairly easy to modify.
@7: It’s not size, it’s quantity, having the options to choose from more than just one tracker, maybe it’s not as scalable as other trackers, but it’s more work than I’m assuming you’ve ever done. Stop being so negative.
Anyway, my TTL tracker is @ http://please.dontassrape.us
@10
I’ve actually set up many traders and they always suggested TorrentTrader. I tried it once for the client,
then deleted it off their server and started coding tbits source to what they wanted. Took them several days to do what I did in a day with tbits when they used TorrentTrader.
Plus the “real” trackers and coders (mostly the best private trackers alive) use tbdev and thus you have a plethora of support from people whose coding you have probably seen on trackers, not to mention they know their shit and are willing to help people out when they are stuck.
Anyway have fun getting ass raped on torrenttrader