'libtorrent' is an open-source C++ bittorrent library by Rasterbar Software that is used in many desktop applications and embedded devices. Popular BitTorrent clients that use this library are 'firetorrent', 'qBittorrent' and 'deluge Torrent'. For a more comprehensive list of libtorrent-based applications, see [1].

I have discovered an 'arbitrary file overwrite' vulnerability in libtorrent that allows an attacker to create and modify arbitrary files (and directories) with the effective rights of the user executing the vulnerable libtorrent-based application.

libtorrent (up to and including version 0.14.3) employs an insufficient path sanitization method that allows the formulation of relative paths from the path elements found in .torrent files. Specifically, this applies to .torrent files that describe multiple files (see "Multiple File Mode" [2]). An adversary could use such relative paths, in a specially crafted .torrent file, to replace or create files in vulnerable systems. See [3] for more information regarding the nature of this vulnerability.

The maintainer of libtorrent has been contacted and a new version (0.14.4) of the library that fixes this issue has been released [4],[5]. All affected parties are advised to upgrade to the latest release.

The Common Vulnerabilities and Exposures (CVE) project has assigned the candidate name CVE-2009-1760 to this issue.

Vendor notification date: May 27th, 2009
Vendor acknowledgement date: May 28th, 2009
Vendor bugfix release date: June 1st, 2009
Public disclosure date: June 8th, 2009

With kind regards,
Dimitris Glynos

--
http://census-labs.com / IT security research, development and services

[1] http://www.rasterbar.com/products/libtorrent/projects.html
[2] http://wiki.theory.org/BitTorrentSpecification#Info_in_Multiple_File_Mode
[3] http://census-labs.com/news/2009/06/08/libtorrent-rasterbar
[4] http://sf.net/project/shownotes.php?group_id=79942&release_id=686456
[5] http://sf.net/project/showfiles.php?group_id=79942
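The advisory above concerns how the "path" list of a multi-file torrent entry is joined into a location under the download directory. The following is an added example, not libtorrent's code or the author's: a hypothetical naive join of the kind described as insufficient, next to a hardened check that rejects any element able to escape the save path (function names and the sample path list are constructed for illustration).

```cpp
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical naive join of the kind the advisory describes as insufficient
// (illustration only, not libtorrent's code): every element of the torrent's
// "path" list is accepted verbatim, so ".." elements walk out of the save path.
std::string naive_join(const std::vector<std::string>& elements) {
    std::string out;
    for (const std::string& e : elements) {
        if (!out.empty()) out += '/';
        out += e;
    }
    return out;
}

// Hardened version: validate each "path" element of a multi-file torrent entry
// before joining, and refuse the whole entry if any element could escape the
// download directory. Returns std::nullopt for a rejected entry.
std::optional<std::string> sanitize_torrent_path(const std::vector<std::string>& elements) {
    if (elements.empty()) return std::nullopt;  // an entry must name a file
    std::string out;
    for (const std::string& e : elements) {
        // "", "." and ".." are never valid file-name components.
        if (e.empty() || e == "." || e == "..") return std::nullopt;
        // Separators or NUL inside one element could smuggle in extra
        // directory levels or truncate the path once it becomes a C string.
        for (char c : e)
            if (c == '/' || c == '\\' || c == '\0') return std::nullopt;
        if (!out.empty()) out += '/';
        out += e;
    }
    // A leading "X:" element would be taken as a drive root on Windows.
    const std::string& first = elements.front();
    if (first.size() >= 2 && first[1] == ':' &&
        std::isalpha(static_cast<unsigned char>(first[0]))) return std::nullopt;
    return out;
}

int main() {
    // Constructed "path" list as it could appear in a crafted multi-file torrent.
    std::vector<std::string> crafted = {"..", "..", "target.txt"};
    std::cout << "naive join: " << naive_join(crafted) << '\n';
    std::cout << "sanitized:  "
              << (sanitize_torrent_path(crafted) ? "accepted" : "rejected") << '\n';
    return 0;
}
```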