CVE-2018-5702
published 2018-01-15

Priority: P266 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.93% (95.6th percentile)
Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.

Affected

9 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | debian_linux | |
debian | debian_linux | |
debian | transmission | < transmission 2.92-3 (bookworm) | transmission 2.92-3 (bookworm)
transmissionbt | transmission | <= 2.92 |
transmissionbt | transmission | >= 0 < 2.92-3 | 2.92-3
transmissionbt | transmission | >= 0 < 2.92-3 | 2.92-3
transmissionbt | transmission | >= 0 < 2.92-3 | 2.92-3
transmissionbt | transmission | >= 0 < 2.92-3 | 2.92-3

Detection & IOCs (extracted from sources)

url: /transmission/rpc
port: 9091
domain: 7f000001.c7f11de3.rbndr.us
cookie: X-Transmission-Session-Id
command: {"method":"session-set","arguments":{"download-dir":"/home/user"}}
  • Detect DNS rebinding exploitation attempts by monitoring for HTTP POST requests to /transmission/rpc originating from non-localhost sources, particularly where the Host header resolves to 127.0.0.1.
  • Alert on HTTP 409 Conflict responses from port 9091 containing the X-Transmission-Session-Id header, which indicates an attacker is harvesting a valid session token for subsequent RPC abuse.
  • Monitor for RPC calls using 'script-torrent-done-enabled' or changes to 'download-dir' via session-set JSON RPC method, which are the primary post-exploitation actions described.
  • Flag DNS queries resolving hostnames to 127.0.0.1 or other loopback addresses from external/untrusted DNS servers, especially with very low TTLs, as a DNS rebinding precursor.
  • Inspect HTTP traffic on port 9091 for POST requests to /transmission/rpc containing JSON bodies with 'session-set' method and sensitive argument keys such as 'download-dir' or 'script-torrent-done-enabled'.
  • The Transmission RPC daemon only accepts requests from localhost by default, but NAS and other deployments are commonly configured to accept remote clients, significantly widening the attack surface.
  • The DNS rebinding attack requires the victim's browser to visit an attacker-controlled page and for the DNS TTL to expire; exploitation timing depends on DNS caching behavior which may vary across resolvers.
  • The exploit was tested specifically on Fedora with 'yum install transmission-daemon' and default settings, but is noted to work on any platform Transmission supports.
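
The checks in the list above, combined into one triage function over HTTP request/response records. This is an added example, not code from the page's sources or from Transmission; the record schema, the finding names and the `allowed_hosts` parameter are hypothetical, and it assumes an 8-hex-digit hostname label encodes an IPv4 address, as in the rbndr.us name listed above.

```python
import ipaddress
import json
import re

SENSITIVE_ARGS = {"download-dir", "script-torrent-done-enabled"}
HEX_LABEL = re.compile(r"[0-9a-f]{8}")

def host_signals(host_header, allowed_hosts=frozenset()):
    """Signals from the Host header of a request that reached the RPC port."""
    host = re.sub(r":\d+$", "", host_header.strip().lower()).strip("[]")
    if host in allowed_hosts or host in ("", "localhost"):
        return []  # allowed_hosts: lowercase names remote clients legitimately use
    try:
        ipaddress.ip_address(host)
        return []  # IP literal: no DNS name involved, so no rebinding
    except ValueError:
        signals = ["dns-name-host"]
    # Assumption: an 8-hex-digit label is an encoded IPv4 address, as in the
    # 7f000001.c7f11de3.rbndr.us hostname listed above (7f000001 = 127.0.0.1).
    addrs = [ipaddress.ip_address(int(p, 16)) for p in host.split(".") if HEX_LABEL.fullmatch(p)]
    if any(a.is_loopback or a.is_private for a in addrs):
        signals.append("hex-label-internal-ip")
    return signals

def triage(rec, allowed_hosts=frozenset()):
    """Finding names for one HTTP request/response record (hypothetical dict schema)."""
    if rec.get("path") != "/transmission/rpc":
        return []
    findings = []
    if rec.get("status") == 409 and "X-Transmission-Session-Id" in rec.get("resp_headers", {}):
        findings.append("session-id-issued")
    if rec.get("method") == "POST":
        findings += host_signals(rec.get("host", ""), allowed_hosts)
        try:
            rpc = json.loads(rec.get("body") or "{}")
            hit = rpc["method"] == "session-set" and SENSITIVE_ARGS & set(rpc["arguments"])
        except (ValueError, KeyError, TypeError):
            hit = False  # not JSON, not an object, or no method/arguments
        if hit:
            findings.append("sensitive-session-set")
    return findings

# Constructed sample records (not captured traffic).
SAMPLE = [
    {"method": "POST", "path": "/transmission/rpc", "host": "7f000001.c7f11de3.rbndr.us:9091",
     "status": 409, "resp_headers": {"X-Transmission-Session-Id": "constructed"}, "body": ""},
    {"method": "POST", "path": "/transmission/rpc", "host": "7f000001.c7f11de3.rbndr.us:9091",
     "status": 200, "body": '{"method":"session-set","arguments":{"download-dir":"/home/user"}}'},
]
```

A `session-id-issued` finding on its own is expected for any client's first request; it becomes interesting when the same record also carries `dns-name-host`.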

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 8.8 | HIGH |
vendor_debian | | 8.8 | HIGH |