Security researcher Charles Vaughn graduated with a software engineering degree from University of Texas at Arlington, and he now ‘pays his bills’ with general Unix application server stuff. Recently, Vaughn decided to take a look at the frequently used BitTorrent tracker TorrentTrader.
“My passion is security, and I decided to get my hands dirty by auditing a code base. I picked Torrent Trader because it powers a website I use day to day, and the source is freely available,” Charles told us.
His efforts weren’t in vain, as Vaughn has found a significant vulnerability in TorrentTrader Classic, which makes it possible for outsiders to see what files are traded, and by whom.
Written in PHP, TorrentTrader requires users to log in to download a torrent. At this point the IP address of the user is logged and only that IP may be used by the user to join the swarm. Charles has discovered that by exploiting a SQL injection hole in scrape.php, it is possible to get a list of all IPs in a torrent site’s database.
“It took me about a day to identify the scrape.php issue. This was done by searching through the code base for mysql calls, then backtracking any variables to see if they were used in an unsafe manner,” Vaughn said.
For the technically minded, Charles explains how the exploit works: “Scrape.php responds to scrape requests from the BitTorrent clients. It can generate two different responses. If called directly it will list all torrents and their status on the tracker. If called with a specific torrent hash, it will return the status for that torrent.”
“The problem is that TorrentTrader didn’t sanitize the input, and only checked to make sure that it was exactly 40 characters. The input was then passed directly to a database query. By putting in additional SQL in the info hash, and making sure it was 40 characters, it was possible to gain access to certain parts of the database.”
“Perhaps the biggest implication for this attack is that an outsider can view the IP addresses of who is using the tracker and which peers are sharing which files,” Vaughn concludes.
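As an added illustration (this is not TorrentTrader’s code), here is the difference between the length-only check Vaughn describes and a strict check that only accepts a 40-character hexadecimal info hash, with the lookup done through a bound query parameter; the table and column names are assumed for the example.

```php
<?php
// Added example, not TorrentTrader's code. The torrents table and its
// columns are assumptions chosen for illustration.

// The check the article describes: length only. Any 40 characters pass.
function lengthOnlyCheck(string $hash): bool {
    return strlen($hash) === 40;
}

// A strict check: exactly 40 hexadecimal characters, as a hex-encoded
// SHA-1 info hash is. Anything else is rejected before it reaches SQL.
function isValidInfoHash(string $hash): bool {
    return preg_match('/\A[0-9a-fA-F]{40}\z/', $hash) === 1;
}

// Look up a torrent's scrape counters with a bound parameter, so the hash
// is never spliced into the SQL text, whatever the validation result.
function scrapeTorrent(PDO $db, string $hash): ?array {
    if (!isValidInfoHash($hash)) {
        return null; // a real handler would answer with an error response
    }
    $stmt = $db->prepare(
        'SELECT seeders, leechers, completed FROM torrents WHERE info_hash = :hash'
    );
    $stmt->execute([':hash' => strtolower($hash)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE torrents (info_hash TEXT PRIMARY KEY, seeders INT, leechers INT, completed INT)');
$insert = $db->prepare('INSERT INTO torrents VALUES (:hash, 12, 3, 40)');
$insert->execute([':hash' => str_repeat('ab', 20)]);

$good = str_repeat('ab', 20);                    // 40 hex characters (constructed)
$bad  = str_pad('not-a-hex-info-hash', 40, 'x'); // 40 characters, not hex (constructed)

var_dump(lengthOnlyCheck($bad));     // the weak check lets the non-hex value through
var_dump(isValidInfoHash($bad));     // the strict check rejects it
var_dump(scrapeTorrent($db, $good)); // the counters row for the known hash
var_dump(scrapeTorrent($db, $bad));  // rejected before any query runs
```

The strict check alone would have blocked the input described in the article; the prepared statement is the second layer, so that a future change to the validation cannot reopen the query.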
Tracker administrators can close the hole by replacing their scrape.php with the one found in the v1.08 release. Better safe than sorry.