On 2017-03-05 07:22, Kyle Neideck wrote:
> Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
>
> Kyle Neideck, February 2017
>
>
> Product
> -------
>
> Deluge is a BitTorrent client available from http://deluge-torrent.org.
>
> Fix
> ---
>
> Fixed in the (public) source code, but not in binary releases yet. See
> http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
> and
> http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
>
> Install from source or use the web UI from an incognito/private window until
> new binaries are released.
>
> Summary
> -------
>
> Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web
> UI plug-in resulting in remote code execution. Requests made to the /json
> endpoint are not checked for CSRF. See the "render" function of the "JSON"
> class in deluge/ui/web/json_api.py.
>
> The Web UI plug-in is installed, but not enabled, by default. If the user has
> enabled the Web UI plug-in and logged into it, a malicious web page can use
> forged requests to make Deluge download and install a Deluge plug-in provided
> by the attacker. The plug-in can then execute arbitrary code as the user
> running Deluge (usually the local user account).

I requested a CVE via MITRE web form and received the following ID:

> [Suggested description]
> CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation
> methodology involves (1) hosting a crafted plugin that executes an
> arbitrary program from its __init__.py file and (2) causing the
> victim to download, install, and enable this plugin.
>
> Use CVE-2017-7178.

--
Regards,
Thomas Deutschmann / Gentoo Security Team
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
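The advisory above says the /json endpoint accepted state-changing requests without any CSRF check; the linked commits carry the actual fix, which this thread does not describe. The following is an added example, not code from Deluge or from either poster, of the kind of gate a JSON-RPC endpoint needs before acting on a browser request: an exact-match Origin/Referer allowlist plus a session-bound token compared in constant time. The host and port in ALLOWED_ORIGINS, the `csrf_token` body field and the sample requests are constructed for the example and are not Deluge's values.

```python
import hmac
from urllib.parse import urlsplit

# Constructed for this example: the origin the web UI is served from.
# Deluge's real host/port and token handling are not taken from the page.
ALLOWED_ORIGINS = ["http://localhost:8080"]


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _origin_tuple(url):
    """Normalise an Origin, Referer or allowlist entry to (scheme, host, port).

    Returns None for a value without a usable scheme/host or with a bad port,
    so a malformed header can never compare equal to an allowlist entry.
    A full tuple comparison (not a string prefix test) is what stops
    "http://localhost:8080.attacker.example" from passing.
    """
    parts = urlsplit(url.strip())
    try:
        port = parts.port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if not scheme or not parts.hostname:
        return None
    if port is None:
        port = {"http": 80, "https": 443}.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def check_request_origin(headers, allowed_origins):
    """Accept a state-changing request only if the browser says it came from us.

    Policy (assumed for this example):
      1. If Origin is present it must exactly match an allowed (scheme, host, port).
      2. Otherwise fall back to Referer with the same comparison.
      3. If neither is present, reject: a same-site browser POST supplies one.
    Returns (allowed: bool, reason: str).
    """
    allowed = {_origin_tuple(o) for o in allowed_origins}
    allowed.discard(None)

    origin = _header(headers, "Origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False, "opaque (null) Origin"
        if _origin_tuple(origin) in allowed:
            return True, "Origin matches"
        return False, "Origin mismatch"

    referer = _header(headers, "Referer")
    if referer is not None:
        if _origin_tuple(referer) in allowed:
            return True, "Referer matches"
        return False, "Referer mismatch"

    return False, "no Origin or Referer header"


def check_session_token(expected, presented):
    """Constant-time comparison of a per-session anti-CSRF token from the body."""
    if not isinstance(expected, str) or not isinstance(presented, str):
        return False
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def authorize_json_call(headers, body, session_token, allowed_origins=ALLOWED_ORIGINS):
    """Gate a JSON-RPC call: origin check first, then the session-bound token."""
    ok, reason = check_request_origin(headers, allowed_origins)
    if not ok:
        return False, reason
    if not check_session_token(session_token, body.get("csrf_token")):
        return False, "missing or wrong CSRF token"
    return True, "authorized"


if __name__ == "__main__":
    token = "s3ss10n-t0k3n"  # constructed session token
    same_site = {"Origin": "http://localhost:8080", "Content-Type": "application/json"}
    forged = {"Origin": "http://attacker.example", "Content-Type": "application/json"}
    call = {"method": "example.method", "params": [], "csrf_token": token}
    print(authorize_json_call(same_site, call, token))  # (True, 'authorized')
    print(authorize_json_call(forged, call, token))     # (False, 'Origin mismatch')
```

The token check is the layer that still holds when a request arrives without Origin or Referer at all, or when a proxy strips them; the origin check is the layer that rejects a forged cross-site request before any method dispatch happens, which is what the advisory's /json endpoint lacked. Logging the `reason` string on every rejection gives a cheap detection signal for forgery attempts against the endpoint.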
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/