-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2018-5702: Mitigate dns rebinding attacks against daemon #468
Conversation
I naively adapted the patch so it applies to the 2.92 release (attached). As the CI server shows, with these changes the |
Has a CVE been assigned for this? |
I believe I've fixed the quark-test fail, the list wasn't ordered correctly. (I broke the merge, but I think it's fixed now) |
@woodsb02 No, but I've just requested one and will update when received. |
I've updated the 2.92 patch with the latest changes from @taviso. The tests do pass now. |
Just a naïve question for my own edification - this basically uses |
@smithfred Yes, correct. |
If transmission is configured such that the daemon/web server requires authorization (user ID, password) does this mitigate this attack? |
@wfiveash Yes, but be aware that it's possible to guess the credentials, so make them strong. |
@jggimi Okay, let us know if you notice any problems. Remember I described my adaptation as "naive". I only made sure the patch applies and Transmission still works. |
Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: transmission/transmission#468 (comment) MFH: 2018Q1 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html git-svn-id: svn+ssh://svn.freebsd.org/ports/head@459011 35697150-7ecd-e111-bb59-0022644237b5
Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: transmission/transmission#468 (comment) MFH: 2018Q1 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html
In my setup, the settings.json file is re-written each time transmission-daemon is started, based on the command line arguments passed to it. Can we please add new command line arguments to transmission-daemon set the rpc-host-whitelist-enabled and rpc-host-whitelist parameters? |
For further details see [1] & [2]. [1] transmission/transmission#468 [2] http://www.openwall.com/lists/oss-security/2018/01/12/1
For further details see [1] & [2]. [1] transmission/transmission#468 [2] http://www.openwall.com/lists/oss-security/2018/01/12/1 (cherry picked from commit 50f48fc)
Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: transmission/transmission#468 (comment) MFH: 2018Q1 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html git-svn-id: svn+ssh://svn.freebsd.org/ports/head@459011 35697150-7ecd-e111-bb59-0022644237b5
Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: transmission/transmission#468 (comment) MFH: 2018Q1 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html git-svn-id: svn+ssh://svn.freebsd.org/ports/head@459011 35697150-7ecd-e111-bb59-0022644237b5
cve requested at Mitre.org |
@taviso Does [enabling EDIT: Suppose so, since the credentials I logged in with are for a different origin. |
@lnicola Yep, exactly, it will be a different hostname and so credentials won't be cached. Transmission already has a CSRF protection scheme, so you can't just POST commands to the real hostname. |
Fixes CVE-2018-5702: transmission/transmission#468 Added license hash. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2018-5702 (#468) REQUIRE authentication always. Fixes transmission/transmission#468 Fix memory leak in `tr_dhtInit` in failure condition Fixes transmission/transmission#482
Fixes CVE-2018-5702: transmission/transmission#468 Added license hash. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 6e43a52) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-5702: transmission/transmission#468 Added license hash. Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit 6e43a52) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
这需要更新html来修复还是核心? |
Tavis Ormandy from Google Project Zero reported this Vulnerability to the Transmission team and wrote up an exploit to demo it. This code is a slightly refactored version of that code. See: transmission/transmission#468 for the PR See: lock.cmpxchg8b.com/Asoquu3e.html for the original exploit page
I have used an NGinx Reverse Proxy on my server for a while now, and directly after I installed this update I could no longer visit Transmission via my domain. This is the current Nginx setup: https://hastebin.com/oyicigowuz.nginx I have tried changing proxy_pass to http://localhost:9091/transmission/web/; but that won't work at all. Please help me solve this new problem. Thank you! |
@joq3 用nginx不麻烦么。。 |
@1265578519 sorry? I don't understand? |
@joq3 你根本不用通过nginx,直接通过DNS解析你的域名,通过域名:9091访问即可。 |
@1265578519 When walking into a room with 17 people conversing in English, please speak English. |
net-p2p/transmission-daemon: Mitigate DNS rebinding attack Incorporate upstream pull request 468, proposed by Tavis Ormandy from Google Project Zero, which mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. PR: 225150 Submitted by: Tavis Ormandy Approved by: crees (maintainer) Obtained from: transmission/transmission#468 (comment) Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Add note to UPDATING for net-p2p/transmission-daemon explaining how to allow client access with the new DNS rebinding mitigations. PR: 225150 Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html net-p2p/transmission-daemon: Improve UPDATING entry and add pkg-message This will ensure users who do not read UPDATING are still presented with the message about how to allow clients to connect to the daemon using DNS when they upgrade the package. PR: 225150 Reported by: swills Security: https://www.vuxml.org/freebsd/3e5b8bd3-0c32-452f-a60e-beab7b762351.html Approved by: ports-secteam (swills)
This issue was originally reported to the private transmission security list on November 30th 2017
Transmission uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc.
Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. The daemon will only accept requests from localhost by default, but it's common to configure NAS devices to accept remote clients.
Note: I regularly encounter users who don't accept that websites can access services on localhost or their intranet. These users understand that services bound to localhost are only accessible to software running on the local machine, and that their browser is running on the local machine - but somehow believe that accessing a website "transfers" execution somewhere else. It doesn't work like that, but this is a common source of confusion.
A sample RPC session looks like this:
As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on localhost with
XMLHttpRequest()
, but the theory is they will be ignored because clients must prove they can read and set a specific header,X-Transmission-Session-Id
.Unfortunately, this design doesn't work because of an attack called "DNS rebinding". Any website can simply create a dns name that they are authorized to communicate with, and then make it resolve to localhost.
The attack works like this:
http://attacker.com
, which has an<iframe>
to a subdomain the attacker controls.127.0.0.1
and123.123.123.123
(an address they control) with a very low TTL.123.123.123.123
, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.I have a domain I use for testing dns rebinding called
rbndr.us
, you can use this page to generate hostnames (source code is here):https://lock.cmpxchg8b.com/rebinder.html
Here I want to alternate between
127.0.0.1
and199.241.29.227
, so I use7f000001.c7f11de3.rbndr.us
:Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).
I just wait for the cached response to expire, and then POST commands to the server.
Exploitation is simple, you could set
script-torrent-done-enabled
and run any command, or setdownload-dir
to/home/user/
and then upload a torrent for.bashrc
.Here is my (simple) demo, it's slow, but could be made very fast:
http://lock.cmpxchg8b.com/Asoquu3e.html
I've verified it works on Chrome and Firefox on Windows and Linux (I tried Fedora and Ubuntu), I expect other platforms and browsers are affected. There are screenshots of how the attack is supposed to look below.
This Pull Request mitigates this attack by requiring a host whitelist for requests that cannot be proven to be secure, but it can be disabled if a user does not want security. I think users might not be find it intuitive that servers on
localhost
or their intranet are exposed to the web, but hopefully they will read the warning.Here are some screenshots demonstrating the attack:
Before the attack begins, the Download directory is set correctly:
Here is how the exploit looks:
Here is the exploit running:
The attack succeeds:
And the result: