Monday, April 21st, 2008

CSRF pwns your box?!?!

Before talking about an interesting set of CSRF vulnerabilities that were released this weekend, I did want to take a few moments to do some “housekeeping” on the recent spreadsheets.google.com XSS.  (1) I gave the Google Security Team the details for this particular issue well before talking about it on my blog.  (2) The described issue was fixed by the GST before I even considered publicly speaking about the vuln.  (3) Part of the vulnerability involved a caching flaw in Google’s servers; this issue is specific to Google and it was also fixed…   OK, on to the good stuff…

A few weeks ago, Rob Carter told me about a few interesting CSRF vulnerabilities that he discovered in a uTorrent plugin (he publicly disclosed them this weekend).  Rob was able to chain together the CSRF vulnerabilities, and the net result is complete compromise of the victim’s machine!  I think this may be the first PURE CSRF vulnerability that I’ve seen that resulted in compromise of a victim’s machine (there is an argument amongst some of my colleagues as to whether protocol handling/URI vulnerabilities are actually a form of CSRF, but that’s another story).  The series of vulnerabilities basically follows this flow:

When a user installs the uTorrent Web UI plugin, the plugin essentially starts a locally running web server on the user’s machine (in order to serve the Web UI).  Rob targets the CSRF vulnerabilities associated with this locally running web server.

  • Rob uses a first CSRF to turn on the “Move completed downloads” option on the uTorrent Web UI.  The CSRF looks something like this:
    http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=1

Once the file is placed, the next time the user restarts their machine, the attacker-controlled file will be run…  there you have it… compromise of a victim’s system through three CSRFs!  Scary stuff… you can read more about the issue on Rob’s blog <robs blog>.
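The root cause above is a locally served Web UI that changes settings in response to a plain GET request, which any page the user visits can trigger with an <img> or <iframe> tag. The following is an added example (not code from the original post, and not uTorrent's own code) modelling the request check such a local Web UI needs in order to refuse forged cross-site requests. The URL layout /gui/?action=setsetting&s=...&v=... and the port 14774 come from the post; the token parameter name, the session handling, the hostname evil.example and the sample requests are assumptions constructed for this example.

```python
"""Minimal model of an anti-CSRF check for a localhost Web UI.

Added example; not part of the original post or of the uTorrent project.
Assumed: the UI issues a per-session token and accepts it as the `token`
query parameter; evil.example is a constructed attacker hostname.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

UI_ORIGIN = "http://localhost:14774"        # origin of the local Web UI (port from the post)
STATE_CHANGING_ACTIONS = {"setsetting"}     # actions that modify configuration


def parse_gui_request(url):
    """Split a Web UI URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, query


class SessionTokens:
    """Per-session anti-CSRF tokens (a real UI binds them to the login session)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        tok = secrets.token_urlsafe(32)
        self._tokens[session_id] = tok
        return tok

    def valid(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)   # constant-time compare


def is_request_allowed(method, url, headers, session_id, tokens):
    """Decide whether a request may perform a state-changing action.

    Checks, in order:
      1. read-only actions pass;
      2. state changes must not ride on GET (an <img> load is a GET);
      3. Origin (or Referer as a fallback) must be the UI's own origin;
      4. the request must carry the session's anti-CSRF token.
    Returns (allowed, reason).
    """
    _path, q = parse_gui_request(url)
    if q.get("action") not in STATE_CHANGING_ACTIONS:
        return True, "read-only"
    if method.upper() != "POST":
        return False, "state change via GET"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "no Origin/Referer"
    o = urlsplit(origin)
    if f"{o.scheme}://{o.netloc}" != UI_ORIGIN:
        return False, "cross-site origin"
    if not tokens.valid(session_id, q.get("token")):
        return False, "bad or missing token"
    return True, "ok"


def demo():
    """Run the check over three constructed requests and return the verdicts."""
    tokens = SessionTokens()
    tok = tokens.issue("sess1")
    # The forged URL from the post, as a browser would send it when a
    # page on evil.example embeds it in an <img> tag (constructed request).
    forged = "http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=1"
    via_img = is_request_allowed("GET", forged, {"Referer": "http://evil.example/"}, "sess1", tokens)
    # Same action auto-submitted as a cross-site form POST (constructed request).
    via_form = is_request_allowed("POST", forged, {"Origin": "http://evil.example"}, "sess1", tokens)
    # The UI's own JavaScript, same origin and carrying the session token.
    legit = is_request_allowed("POST", forged + "&token=" + tok, {"Origin": UI_ORIGIN}, "sess1", tokens)
    return via_img, via_form, legit


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Rule 2 alone would have stopped the <img>-based chain described in the post; rules 3 and 4 are what keep a cross-site form POST from achieving the same thing, since a page on another origin can neither set its own Origin header to localhost nor read the token.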

Posted by xssniper | Filed in Security, Web Application Security


5 Responses to “CSRF pwns your box?!?!”

  1. April 21st, 2008 at 4:02 pm

    pbnetworks » Blog Archive » Computer takeover via cross site request forgery said:

    [...] expert Billy Rios has reported a vulnerability that Rob Carter discovered in the Web UI of the popular µTorrent [...]

  2. April 22nd, 2008 at 8:59 am

    Austoon Daily » CSRF pwns your box?!?! said:

    [...] CSRF pwns your box?!?! [...]

  3. April 24th, 2008 at 6:52 am

    Sad panda said:

    But it does require admin rights to write to %allusersprofile%, and who would run P2P apps as admin?

  4. April 24th, 2008 at 7:30 am

    Awesome AnDrEw said:

    Beautifully orchestrated example of how Cross-Site Request Forgeries are often more useful than Cross-Site Scripting alone. This was a very clever method for manipulating the client, and possibly gaining persistent access to the victim’s computer. This demonstration, and the one to snare GMail accounts, have really impressed me and should cause developers to realize why these issues are so important. On a side note: uTorrent sucks.

  5. June 9th, 2008 at 11:59 am

    UTorrent + CSRF = STALLOWN3D!1 | www.WannaHack.com said:

    [...] related article can be found at http://xs-sniper.com/blog/2008/04/21/csrf-pwns-your-box/  Share and Enjoy: These icons link to social bookmarking sites where readers can share and [...]
