[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13

On 2017-03-05 07:22, Kyle Neideck wrote:
> Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
> Kyle Neideck, February 2017
> Product
> -------
> Deluge is a BitTorrent client available from http://deluge-torrent.org.
> Fix
> ---
> Fixed in the (public) source code, but not in binary releases yet. See
> http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
> and
> http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
> Install from source or use the web UI from an incognito/private window until
> new binaries are released.
> Summary
> -------
> Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web UI
> plug-in resulting in remote code execution. Requests made to the /json endpoint
> are not checked for CSRF. See the "render" function of the "JSON" class in
> deluge/ui/web/json_api.py.
> The Web UI plug-in is installed, but not enabled, by default. If the user has
> enabled the Web UI plug-in and logged into it, a malicious web page can use
> forged requests to make Deluge download and install a Deluge plug-in provided
> by the attacker. The plug-in can then execute arbitrary code as the user
> running Deluge (usually the local user account).

I requested a CVE via MITRE web form and received the following ID:

> [Suggested description]
> CSRF was discovered in the web UI in Deluge 1.3.13. The exploitation
> methodology involves (1) hosting a crafted plugin that executes an
> arbitrary program from its __init__.py file and (2) causing the
> victim to download, install, and enable this plugin.

> Use CVE-2017-7178.

Thomas Deutschmann / Gentoo Security Team
C4DD 695F A713 8F24 2AA1  5638 5849 7EE5 1D5D 74A5

Attachment: signature.asc
Description: OpenPGP digital signature

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/