Able to inject arbitrary commands when using "Run external program on torrent completion" #10925

Closed
@micapucha

Please provide the following information

qBittorrent version and Operating System

4.1.5 FreeBSD, but seeing the source code, probably all versions

What is the problem

The function Application::runExternalProgram() located in qBittorrent/src/app/application.cpp does not sanitize the name of the torrent and other parameters before passing them as command line arguments. Right now it does a simple text substitution, which is vulnerable to command injection.

What is the expected behavior

The parameters are sanitized before being passed to the command line. This means something like PHP's escapeshellarg.

Steps to reproduce

  1. Configure qBittorrent to run an external script in Preferences - Downloads. Anything is valid. You can even quote the arguments. For example:
    /home/user/notify.sh "%N" "%L" %C %Z

  2. Create a new torrent with the following command:
    mktorrent -n 'Name"; firefox ; "' -o exploit.torrent SourceDir
    To test it locally with already created content, without needing to upload your torrent to a public tracker, create a directory named 'Name"; firefox ; "' (without the first and last quotes) that has the same values as the previous command's SourceDir. This will re-hash the content and mark it as completed, executing the script. You can use Midnight Commander to do this.

  3. When the torrent download finishes, Firefox is opened.

Greetings
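
The expected behaviour above asks for escaping; another mitigation, shown here as an added example that is not part of the original issue or of qBittorrent's code, is to split the configured template into arguments before substituting, so the program can be started without a shell. The tokenizer, the function names and the values used for %L, %C and %Z are assumptions made for the illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Values = std::map<char, std::string>;  // placeholder letter -> value
// Replace %X placeholders in s; each value is copied verbatim. Applied to a
// whole command line that a shell then parses, this is the unsafe form.
std::string expand(const std::string &s, const Values &values) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        auto it = (s[i] == '%' && i + 1 < s.size()) ? values.find(s[i + 1])
                                                    : values.end();
        if (it != values.end()) { out += it->second; ++i; }
        else out += s[i];
    }
    return out;
}

// Split the configured template into arguments. Only spaces and double
// quotes are interpreted (simplified tokenizer, an assumption of this sketch).
std::vector<std::string> splitTemplate(const std::string &tmpl) {
    std::vector<std::string> args;
    std::string cur;
    bool inQuotes = false, haveToken = false;
    for (char c : tmpl) {
        if (c == '"') { inQuotes = !inQuotes; haveToken = true; }
        else if (c == ' ' && !inQuotes) {
            if (haveToken) args.push_back(cur);
            cur.clear(); haveToken = false;
        } else { cur += c; haveToken = true; }
    }
    if (haveToken) args.push_back(cur);
    return args;
}

// Split first, substitute second: the result is an argument vector for
// execvp()/posix_spawn(), so quotes or ';' in a torrent name stay data.
std::vector<std::string> buildArgs(const std::string &tmpl, const Values &values) {
    std::vector<std::string> args = splitTemplate(tmpl);
    for (std::string &a : args) a = expand(a, values);
    return args;
}

int main() {
    Values v{{'N', "Name\"; firefox ; \""}, {'L', "demo"}, {'C', "1"}, {'Z', "42"}};
    for (const auto &a : buildArgs("/home/user/notify.sh \"%N\" \"%L\" %C %Z", v))
        std::cout << '[' << a << "]\n";
}
```

With the template and torrent name from the steps above, the name arrives as the single second argument of notify.sh and the argument count stays at five.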

Labels: Security - Related to software vulnerability in qbt (don't overuse this)
