qBittorrent fixes an SSL certificate validation bypass vulnerability that had existed for 14 years [e7y2iF★] (3)


1 枯れ果てた名無し@転載禁止 (f032c852) 2024/11/03 (Sun) 09:31:46.680 ID:6QQyt4q5m

Sharp Security has unveiled a critical vulnerability that has lingered in the popular torrent client qBittorrent for over 14 years, leaving countless users exposed to potential cyberattacks.
The flaw, deeply rooted in the software’s DownloadManager class, had bypassed SSL certificate validation since April 6, 2010, effectively accepting any SSL certificate regardless of its validity.

The DownloadManager class permeates numerous functions within qBittorrent, affecting core features such as search functions, .torrent downloads, RSS feeds, and even favicon downloads.
Sharp Security’s report highlights the inherent risks this vulnerability introduced, as unverified SSL certificates created an open invitation for potential man-in-the-middle (MITM) attacks. In this context, attackers could intercept and alter traffic, gaining access to sensitive data or installing malicious code under the guise of legitimate downloads.

https://securityonline.info/14-year-vulnerability-in-qbittorrent-leaves-millions-exposed-to-rce-attacks/

2 枯れ果てた名無し@転載禁止 2024/11/03 (Sun) 09:33:28.853 ID:6QQyt4q5m

The implications of this vulnerability extend beyond SSL validation. For Windows users, qBittorrent’s mechanism to install or update Python – a dependency for its search functionality – involves downloading an executable file from a hardcoded URL.
This process, historically lacking secure certificate checks, provided a pathway for attackers to replace the Python installer with malicious executables, which the client would then execute automatically upon download.
Such vulnerabilities could open the door to remote code execution (RCE), allowing attackers to control user systems with minimal intervention.

Furthermore, qBittorrent’s update checker utilizes an RSS feed from a hardcoded URL, downloading XML data and prompting users to visit unverified sites to retrieve updated software.
This setup has been exploited for browser hijacking and downloading compromised files that masquerade as updates, leaving users vulnerable to further exploitation.

RSS feeds represent another critical attack surface.
Any URL injected into a feed – whether by malicious authors or attackers poisoning the feed – can be activated with a simple double-click.
Sharp Security identified previous cases, particularly in conjunction with CVE-2019-13640, that enabled remote command execution when shell metacharacters were embedded within torrent names or tracker parameters.

A default feature in qBittorrent also downloads and decompresses a MaxMind GeoIP database from a fixed URL, adding a zero-click vulnerability.
Given known buffer overflow exploits in zlib compression libraries, this function remains a critical risk, enabling attackers to target decompression errors and potentially execute arbitrary code.

This flaw is now tracked as CVE-2024-51774.
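
The anti-pattern the article describes (an sslErrors handler that calls ignoreSslErrors() and so accepts any certificate) is easy to grep for in a Qt code base. The following audit helper is an added example, not qBittorrent's own code; the two DownloadManager snippets it scans are constructed for illustration, and the rule ids are made up.

```python
"""Audit helper: flag Qt code that blanket-ignores TLS errors (added example)."""
import re

# Each rule: (id, regex, message). Rule ids are hypothetical labels for this example.
RULES = [
    ("QT-TLS-001", re.compile(r"\bignoreSslErrors\s*\("),
     "unconditional ignoreSslErrors(): every certificate error is accepted"),
    ("QT-TLS-002", re.compile(r"\bQSslSocket::VerifyNone\b"),
     "peer verification disabled via QSslSocket::VerifyNone"),
]

def _strip_comments(src: str) -> str:
    """Blank out /* */ and // comments (line count preserved) so commented-out
    code does not produce findings. Heuristic: '//' preceded by ':' is left
    alone so URLs inside string literals survive."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"(?<!:)//[^\n]*", "", src)

def find_tls_bypass(src: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule_id, message) for every line matching a rule."""
    findings = []
    for n, line in enumerate(_strip_comments(src).splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((n, rule_id, message))
    return findings

# Constructed sample: the sslErrors slot swallows every error, so any
# certificate (self-signed, expired, wrong host) is accepted.
VULNERABLE_SRC = """\
void DownloadManager::handleSslErrors(QNetworkReply *reply, const QList<QSslError> &errors)
{
    Q_UNUSED(errors);
    reply->ignoreSslErrors();   // accept any certificate
}
"""

# Constructed sample: errors are logged and the reply is left to fail closed.
FIXED_SRC = """\
void DownloadManager::handleSslErrors(QNetworkReply *reply, const QList<QSslError> &errors)
{
    // reply->ignoreSslErrors();  (removed: verification now fails closed)
    for (const QSslError &e : errors)
        qWarning() << "TLS error for" << reply->url() << e.errorString();
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(name, find_tls_bypass(src))
```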

3 枯れ果てた名無し@転載禁止 2024/11/03 (Sun) 09:36:19.418 ID:6QQyt4q5m

What is interesting is that this was probably the intended design from the start.

Ignoring SSL errors was introduced ~14 years ago with commit 9824d86

I presume that it was a quick'n'dirty way to get SSL going which persisted to this day. It's also possible that back in the day Qt4 (?) didn't support autoloading CA root certificates from the OS's store.

Don't ignore SSL errors #21364
https://github.com/qbittorrent/qBittorrent/pull/21364
RCE Vulnerability in QBittorrent
https://sharpsec.run/rce-vulnerability-in-qbittorrent/