A popular torrent client allowed users' PCs to be infected for 14 years due to the fault of its developers

14-Year-Old QBittorrent Flaw

Developers have fixed a dangerous vulnerability in the popular torrent client qBittorrent that allowed attackers to carry out MITM (Man-In-The-Middle) attacks on users of the program, Bleeping Computer writes.

It is noteworthy that the code fragment containing the error leading to the vulnerability was accepted by qBittorrent developers on April 6, 2010. More than 14 years passed between then and October 28, 2024, when the flaw was closed with the release of version 5.0.1. All these years, the BitTorrent p2p file sharing tool could have been used by hackers, for example, to infect its users with malware.

It should be noted that qBittorrent developers closed the dangerous hole quietly, without warning users or publishing information about it in the database of publicly known vulnerabilities, as is customary in the software development industry.

Without checking the validity of the SSL certificate

The vulnerability discovered by Sharp Security specialists affects the DownloadManager, a qBittorrent component the program uses for a number of tasks that involve fetching data from the Internet. In particular, it is used to obtain search results via the built-in search engine, to download .torrent files automatically, and to pull favicons and RSS subscriptions. The download manager is not used to download the content a .torrent file describes, i.e. the files themselves that users exchange over the BitTorrent protocol.

The main problem with qBittorrent, built into it by its developers (possibly unintentionally), is that the torrent client's download manager is ready to accept absolutely any security certificate, including one forged by an intruder, when establishing a connection to a server. Such a certificate allows its owner to interfere with the data exchange between the torrent client and the remote server: not only to read the traffic, but also to modify it. Moreover, neither the server nor the client will notice the substitution.

An SSL/TLS certificate verifies the authenticity of a website and allows an encrypted connection between a web browser and a server. Such certificates are issued by trusted certification authorities (Certification Authority; CA). If a site does not have a valid certificate (one issued by a CA and not yet expired), or has no certificate at all, the browser as a rule clearly warns the user about the danger of visiting that web resource.

As noted by Sharp Security, the implementation of the DownloadManager class (a class in the sense of a data type in object-oriented programming languages) in qBittorrent deliberately ignored all SSL certificate validation errors, as seen in commit 9824d86 in the project's official repository on GitHub. Probably, in 2010, the developers decided to add support for downloading via the secure version of the HTTP protocol, HTTPS, and did not bother to implement the rejection of connections to servers that do not have a valid SSL certificate.
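To make the defect concrete, here is an added example in Go (not qBittorrent's own code, which is C++/Qt): a client that ignores every certificate error, as the DownloadManager did, happily downloads from a local server presenting an untrusted self-signed certificate, while a client that keeps verification on refuses it. The server, its handler and the `installer-bytes` body are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newServer starts a local HTTPS server presenting an untrusted self-signed certificate
// (generated by httptest); it stands in for a server with an attacker's forged certificate.
func newServer() *httptest.Server {
	h := func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "installer-bytes") }
	return httptest.NewTLSServer(http.HandlerFunc(h))
}

// fetch downloads url with the given TLS client settings and returns the body.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// FlawedDownload mirrors the described behaviour: every certificate error is ignored,
// so whatever "installer" an impostor serves is accepted without complaint.
func FlawedDownload(url string) (string, error) {
	return fetch(url, &tls.Config{InsecureSkipVerify: true}) // the bug
}

// VerifiedDownload keeps verification on; nil roots means the system trust store.
func VerifiedDownload(url string, roots *x509.CertPool) (string, error) {
	return fetch(url, &tls.Config{RootCAs: roots})
}

func main() {
	srv := newServer()
	defer srv.Close()
	body, _ := FlawedDownload(srv.URL)       // succeeds: the untrusted certificate is accepted
	_, err := VerifiedDownload(srv.URL, nil) // fails: x509 certificate signed by unknown authority
	fmt.Printf("ignoring errors: %q\nverifying: %v\n", body, err)
}
```

Adding the server's certificate to an explicit root pool is the only way the verifying client accepts it, which is exactly the check the flawed client threw away.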

How attackers could exploit the vulnerability

The qBittorrent search engine uses an interpreter of the Python programming language. If the user's operating system is Microsoft Windows, and the required version of Python is not installed, the program will offer to automatically download and run its installer from the Internet. The problem is that the installer URL is embedded directly into the torrent client source code, and thus, thanks to a fake certificate, an attacker can replace this URL with any other, including one leading to a malicious file. As a result, a user who is confident that he is installing Python will actually launch a Trojan or other type of virus on his computer.

A similar problem affects the application update mechanism and RSS subscriptions to torrents in qBittorrent. In addition, qBittorrent periodically downloads and unpacks a compressed GeoIP database for geolocation by IP address from a source specified in the client code. By replacing the content at the URL specified by the developers with their own, an attacker can feed the client specially crafted files and cause a memory overflow on the target machine.

Sharp Security notes that this vulnerability can be conveniently used to spy on qBittorrent users without arousing their suspicions and without using complex and expensive methods like QUANTUM.

Sharp Security recommends using alternative open-source torrent clients that do not have and have not had such vulnerabilities, such as Deluge and Transmission.