CVE-2018-5702
Published 2018-01-15
Priority: P266, high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 11.93% (95.6th percentile)
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | transmission | < 2.92-3 (bookworm) | 2.92-3 (bookworm) |
| transmissionbt | transmission | <= 2.92 | — |
| transmissionbt | transmission | >= 0 < 2.92-3 | 2.92-3 |
Detection & IOCs (extracted from sources)
- Detect DNS rebinding exploitation attempts by monitoring for HTTP POST requests to /transmission/rpc originating from non-localhost sources, particularly where the Host header resolves to 127.0.0.1.
- Alert on HTTP 409 Conflict responses from port 9091 containing the X-Transmission-Session-Id header, which indicates an attacker is harvesting a valid session token for subsequent RPC abuse.
- Monitor for RPC calls that set 'script-torrent-done-enabled' or change 'download-dir' via the session-set JSON RPC method; these are the primary post-exploitation actions described.
- Flag DNS queries resolving hostnames to 127.0.0.1 or other loopback addresses from external/untrusted DNS servers, especially with very low TTLs, as a DNS rebinding precursor.
- Inspect HTTP traffic on port 9091 for POST requests to /transmission/rpc containing JSON bodies with the 'session-set' method and sensitive argument keys such as 'download-dir' or 'script-torrent-done-enabled'.
- The Transmission RPC daemon only accepts requests from localhost by default, but NAS and other deployments are commonly configured to accept remote clients, significantly widening the attack surface.
- The DNS rebinding attack requires the victim's browser to visit an attacker-controlled page and for the DNS TTL to expire; exploitation timing depends on DNS caching behavior, which varies across resolvers.
- The exploit was tested specifically on Fedora with 'yum install transmission-daemon' and default settings, but is noted to work on any platform Transmission supports.
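As an added example (my own code, not from any of the sources aggregated here and not Transmission's own implementation), the classifier below applies two of the indicators above to constructed RPC request records: a Host header outside an allow-list, which is the standard DNS rebinding countermeasure because a rebound browser still sends the attacker's hostname while the TCP connection reaches loopback, and session-set calls that touch download-dir or script-torrent-done-enabled. The ALLOWED_HOSTS set, the request dict shape and the sample requests are assumptions made for the example.

```python
import json

# Constructed allow-list of names a browser may legitimately use to reach the
# daemon; a real deployment would list its own hostnames here.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]", "nas.lan"}
RPC_PATH = "/transmission/rpc"
# session-set keys the detection notes name as primary post-exploitation actions.
SENSITIVE_KEYS = {"download-dir", "script-torrent-done-enabled"}


def host_allowed(host_header):
    """Strip the :port suffix and compare the Host header against the allow-list.
    Under DNS rebinding the request arrives on loopback but Host still carries
    the attacker's domain, so this single check defeats the technique."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:9091
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in ALLOWED_HOSTS


def classify_request(req):
    """Return a list of findings for one request dict with keys
    method, path, headers, body; an empty list means nothing notable."""
    findings = []
    if req["method"] != "POST" or req["path"] != RPC_PATH:
        return findings
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if not host_allowed(headers.get("host", "")):
        findings.append("host-not-allowed")
    try:
        body = json.loads(req["body"] or "{}")
    except ValueError:
        findings.append("malformed-json")
        return findings
    if body.get("method") == "session-set":
        touched = SENSITIVE_KEYS & set(body.get("arguments", {}))
        if touched:
            findings.append("sensitive-session-set:" + ",".join(sorted(touched)))
    return findings


# Constructed sample requests (not captured traffic): a benign local client call
# and a rebinding-shaped call that rewrites download-dir and enables the script hook.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": RPC_PATH,
     "headers": {"Host": "localhost:9091", "X-Transmission-Session-Id": "abc"},
     "body": '{"method":"session-get"}'},
    {"method": "POST", "path": RPC_PATH,
     "headers": {"Host": "rebind.example:9091", "X-Transmission-Session-Id": "abc"},
     "body": '{"method":"session-set","arguments":{"download-dir":"/srv/dl",'
             '"script-torrent-done-enabled":true}}'},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["headers"]["Host"], classify_request(r))
```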
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
Ubuntu
Transmission vulnerability
vendor_ubuntu · 2018-01-16
Summary: Transmission could be made to run arbitrary code.
It was discovered that Transmission incorrectly handled certain POST requests to
the RPC server and allowed a DNS rebinding attack. An attacker could possibly use this
issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2018-5702: transmission
vendor_debian · 2018 · CVSS 8.8
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.
Scope: local
bookworm: resolved (fixed in 2.92-3)
bullseye: resolved (fixed in 2.92-3)
forky: resolved (fixed in 2.92-3)
sid: resolved (fixed in 2.92-3)
trixie: resolved (fixed in 2.92-3)
GHSA
GHSA-6q4w-fhcp-mhw6: Transmission through 2
ghsa_unreviewed · 2022-05-13
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.
OSV
CVE-2018-5702: Transmission through 2
osv · 2018-01-15 · CVSS 8.8
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.
No detection rules found.
Exploit-DB
Transmission - RPC DNS Rebinding
exploitdb · 2018-01-11
---
The Transmission BitTorrent client uses a client/server architecture: the user interface is the client, and a daemon runs in the background managing the downloading, seeding, etc.
Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. By default, the daemon will only accept requests from localhost.
A sample RPC session looks like this:
```
$ curl -si -H 'X-Transmission-Session-Id: foo' -d '{}' http://localhost:9091/transmission/rpc
HTTP/1.1 409 Conflict
Server: Transmission
X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H
Date: Wed, 29 Nov 2017 21:37:41 GMT
```
```
$ curl -H 'X-Transmission-Session-Id: JL641xTn2h53UsN6bVa0kJjRBLA6oX1Ayl06AJwuhHvSgE6H' -d '{"method":"session-set","arg
```
Bugzilla
CVE-2018-5702 transmission: Remote code execution (RCE) in rpc session-id via dns rebinding attack
bugzilla · 2018-01-12 · CVSS 8.8
A flaw was found in Transmission's client/server architecture. Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. The daemon will only accept requests from localhost by default, but it's common to configure NAS devices to accept remote clients.
Transmission uses a client/server architecture: the user interface is the client, and a daemon runs in the background managing the downloading, seeding, etc.
As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on localhost with XMLHttpRequest(), but the theory is they will be ignored because clients must prove they can read and set a specific header, X-Transmission-S
Bugzilla
CVE-2018-5702 transmission: Remote code execution (RCE) in rpc session-id via dns rebinding attack [epel-all]
bugzilla · 2018-01-12 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affec
Bugzilla
CVE-2018-5702 transmission: Remote code execution (RCE) in rpc session-id via dns rebinding attack [fedora-all]
bugzilla · 2018-01-12 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue a
References
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
- https://github.com/transmission/transmission/pull/468
- https://lists.debian.org/debian-lts-announce/2018/01/msg00020.html
- https://security.gentoo.org/glsa/201806-07
- https://twitter.com/taviso/status/951526615145566208
- https://www.debian.org/security/2018/dsa-4087
- https://www.exploit-db.com/exploits/43665/