qBittorrent fixes a 14-year-old vulnerability that allowed SSL certificate validation to be bypassed [e7y2iF★] (3)


2 Withered Anonymous@No reposting 2024/11/03 (Sun) 09:33:28.853 ID:6QQyt4q5m

The implications of this vulnerability extend beyond SSL validation. For Windows users, qBittorrent’s mechanism to install or update Python – a dependency for its search functionality – involves downloading an executable file from a hardcoded URL.
This process, historically lacking secure certificate checks, provided a pathway for attackers to replace the Python installer with malicious executables, which the client would then execute automatically upon download.
Such vulnerabilities could open the door to remote code execution (RCE), allowing attackers to control user systems with minimal intervention.

Furthermore, qBittorrent’s update checker utilizes an RSS feed from a hardcoded URL, downloading XML data and prompting users to visit unverified sites to retrieve updated software.
This setup has been exploited for browser hijacking and downloading compromised files that masquerade as updates, leaving users vulnerable to further exploitation.

RSS feeds represent another critical attack surface.
Any URL injected into a feed – whether by malicious authors or attackers poisoning the feed – can be activated with a simple double-click.
Sharp Security identified previous cases, particularly in conjunction with CVE-2019-13640, that enabled remote command execution when shell metacharacters were embedded within torrent names or tracker parameters.

A default feature in qBittorrent also downloads and decompresses a MaxMind GeoIP database from a fixed URL, adding a zero-click vulnerability.
Given known buffer overflow exploits in zlib compression libraries, this function remains a critical risk, enabling attackers to target decompression errors and potentially execute arbitrary code.

This flaw is now tracked as CVE-2024-51774.
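The post describes two weak patterns: an installer fetched over TLS whose certificate errors were ignored and then executed, and RSS feed content (URLs, torrent names, tracker parameters) handed to a browser or a shell as if it were trusted. The block below is an added example, written for this thread and not taken from qBittorrent or from the quoted article; it shows, in Python, the defensive shape of each: a TLS context that actually verifies the chain and hostname, a pinned SHA-256 that the download must match before anything is run, and feed-derived strings treated as untrusted (scheme allow-list, argv list instead of a shell string). `INSTALLER_URL`, `PINNED_SHA256`, the `.example.invalid` hosts and the program path are constructed placeholders, not values from the page.

```python
"""Defensive patterns for the two risks described in the post (added example,
not qBittorrent code): (1) fetch an installer over TLS that is really verified
and pin its SHA-256 before anything is executed; (2) treat URLs and names that
arrive in an RSS feed as untrusted input."""
import hashlib
import hmac
import ssl
import urllib.parse
import urllib.request
from typing import List, Optional

# Constructed placeholders: the real installer URL and digest are not on the page.
INSTALLER_URL = "https://updates.example.invalid/python-installer.exe"
PINNED_SHA256 = "<pinned digest placeholder>"
MAX_INSTALLER_BYTES = 64 * 1024 * 1024


def strict_tls_context() -> ssl.SSLContext:
    """Chain verification required and hostname checked: what the fix amounts to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_tls_context() -> ssl.SSLContext:
    """Equivalent of 'ignore SSL errors': any certificate from anyone is accepted.
    Present only so context_is_safe() has something to reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """The check a unit test or a code-review lint would apply to any downloader."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of SHA-256(data) against the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def fetch_verified(url: str, expected_hex: str,
                   ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Download over verified TLS, cap the size, and refuse to return bytes whose
    digest does not match the pin. Nothing is executed here; a caller that
    installs the result only ever sees data that passed both checks."""
    ctx = ctx or strict_tls_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to download with certificate verification disabled")
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("installer must come from an https URL")
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        data = resp.read(MAX_INSTALLER_BYTES + 1)
    if len(data) > MAX_INSTALLER_BYTES:
        raise ValueError("installer exceeds size cap")
    if not digest_matches(data, expected_hex):
        raise ValueError("installer digest mismatch; possible tampering in transit")
    return data


# --- RSS feed handling: URLs and names from a feed are attacker-controlled -----
ALLOWED_SCHEMES = {"http", "https", "magnet"}


def url_is_openable(url: str) -> bool:
    """Only http(s) with a host, or a non-empty magnet link, may be handed to a
    browser or torrent client on double-click; javascript:, file: etc. are refused."""
    parts = urllib.parse.urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "magnet":
        return parts.query != "" or parts.path != ""
    return scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def external_program_argv(program: str, torrent_name: str, tracker: str) -> List[str]:
    """argv for a 'run program on completion' hook. Passing this list to
    subprocess with shell=False keeps metacharacters in names literal; never
    splice feed data into a shell command string."""
    return [program, "--name", torrent_name, "--tracker", tracker]
```

The ordering inside `fetch_verified` matters: the TLS-context and scheme checks run before any network I/O, so a misconfigured caller fails closed without ever contacting the server, and the digest check runs before the bytes are returned, so an installer fetched from a compromised or spoofed host is discarded rather than staged.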