Recently, Transmission BitTorrent client exists a vulnerability, CVE-2018-5702, hackers can exploit the vulnerability to take control of the victim computer. All versions of the Transmission BitTorrent client are affected. This vulnerability was found by Google Project Zero researcher Tavis Ormandy.

Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux and believes that other browsers and platforms are also vulnerable to the attack.

Transmission BitTorrent app is a server-client architecture and the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc.

Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. The daemon will only accept requests from localhost by default, but it’s common to configure NAS devices to accept remote clients.

The proof-of-concept is below

  1. A user visithttp://attacker.com, which has an  to a subdomain the attacker controls.
  2. The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123(an address they control) with a very low TTL.
  3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire (or force it to expire by flooding the cache with lookups), then they have permission to read and set headers.

Reference: Github