Fix a weakness that allows remote code execution via the Transmission

RPC server using DNS rebinding:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1447

Patch adapted from Tavis Ormandy's patch on the Transmission master

branch to the Transmission 2.92 release by Leo Famulari

<leo@famulari.name>:

https://github.com/transmission/transmission/pull/468/commits

From fe2d3c6e75088f3d9b6040ce06da3d530358bc2f Mon Sep 17 00:00:00 2001

From: Tavis Ormandy <taviso@google.com>

Date: Thu, 11 Jan 2018 10:00:41 -0800

Subject: [PATCH] mitigate dns rebinding attacks against daemon

---

 libtransmission/quark.c        |   2 + 

 libtransmission/quark.h        |   2 + 

 libtransmission/rpc-server.c   | 116 +++++++++++++++++++++++++++++++++++++----

 libtransmission/rpc-server.h   |   4 ++

 libtransmission/session.c      |   2 + 

 libtransmission/transmission.h |   1 + 

 libtransmission/web.c          |   3 ++

 7 files changed, 121 insertions(+), 9 deletions(-)

diff --git a/libtransmission/quark.c b/libtransmission/quark.c

index 30cc2bca4..b4fd7aabd 100644

--- a/libtransmission/quark.c

+++ b/libtransmission/quark.c

@@ -289,6 +289,8 @@ static const struct tr_key_struct my_static[] =

   { "rpc-authentication-required", 27 },

   { "rpc-bind-address", 16 },

   { "rpc-enabled", 11 },

+  { "rpc-host-whitelist", 18 },

+  { "rpc-host-whitelist-enabled", 26 },

   { "rpc-password", 12 },

   { "rpc-port", 8 },

   { "rpc-url", 7 },

diff --git a/libtransmission/quark.h b/libtransmission/quark.h

index 7f5212733..17464be8f 100644

--- a/libtransmission/quark.h

+++ b/libtransmission/quark.h

@@ -291,6 +291,8 @@ enum

   TR_KEY_rpc_authentication_required,

   TR_KEY_rpc_bind_address,

   TR_KEY_rpc_enabled,

+  TR_KEY_rpc_host_whitelist,

+  TR_KEY_rpc_host_whitelist_enabled,

   TR_KEY_rpc_password,

   TR_KEY_rpc_port,

   TR_KEY_rpc_url,

diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c

index a3485f3fa..292cd5fce 100644

--- a/libtransmission/rpc-server.c

+++ b/libtransmission/rpc-server.c

@@ -52,6 +52,7 @@ struct tr_rpc_server

     bool               isEnabled;

     bool               isPasswordEnabled;

     bool               isWhitelistEnabled;

+    bool               isHostWhitelistEnabled;

     tr_port            port;

     char             * url;

     struct in_addr     bindAddress;

@@ -63,6 +64,7 @@ struct tr_rpc_server

     char             * password;

     char             * whitelistStr;

     tr_list          * whitelist;

+    tr_list          * hostWhitelist;

     char             * sessionId;

     time_t             sessionIdExpiresAt;

@@ -588,6 +590,49 @@ isAddressAllowed (const tr_rpc_server * server, const char * address)

   return false;

 }

+static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req)

+{

+    /* If password auth is enabled, any hostname is permitted. */

+    if (server->isPasswordEnabled)

+    {

+        return true;

+    }

+

+    char const* const host = evhttp_find_header(req->input_headers, "Host");

+

+    // If whitelist is disabled, no restrictions.

+    if (!server->isHostWhitelistEnabled)

+        return true;

+

+    /* No host header, invalid request. */

+    if (host == NULL)

+    {

+        return false;

+    }

+

+    /* Host header might include the port. */

+    char* const hostname = tr_strndup(host, strcspn(host, ":"));

+

+    /* localhost or ipaddress is always acceptable. */

+    if (strcmp(hostname, "localhost") == 0 || strcmp(hostname, "localhost.") == 0 || tr_addressIsIP(hostname))

+    {

+        tr_free(hostname);

+        return true;

+    }

+

+    /* Otherwise, hostname must be whitelisted. */

+    for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) {

+        if (tr_wildmat(hostname, l->data))

+        {

+            tr_free(hostname);

+            return true;

+        }

+    }

+

+    tr_free(hostname);

+    return false;

+}

+

 static bool

 test_session_id (struct tr_rpc_server * server, struct evhttp_request * req)

 {

@@ -663,6 +708,23 @@ handle_request (struct evhttp_request * req, void * arg)

           handle_upload (req, server);

         }

 #ifdef REQUIRE_SESSION_ID

+        else if (!isHostnameAllowed(server, req))

+        {

+            char* tmp = tr_strdup_printf(

+                "
Transmission received your request, but the hostname was unrecognized.
"

+                "
To fix this, choose one of the following options:"

+                "
"

+                "
Enable password authentication, then any hostname is allowed.
"

+                "
Add the hostname you want to use to the whitelist in settings.
"

+                "
"

+                "
If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.
"

+                "
This requirement has been added to help prevent "

+                "DNS Rebinding "

+                "attacks.
");

+            send_simple_response(req, 421, tmp);

+            tr_free(tmp);

+        }

+

       else if (!test_session_id (server, req))

         {

           const char * sessionId = get_current_session_id (server);

@@ -674,7 +736,7 @@ handle_request (struct evhttp_request * req, void * arg)

             "
 When you get this 409 error message, resend your request with the updated header"

             "
"

             "
This requirement has been added to help prevent "

-            "CSRF "

+            "CSRF "

             "attacks.
"

             "
%s: %s
",

             TR_RPC_SESSION_ID_HEADER, sessionId);

@@ -875,19 +937,14 @@ tr_rpcGetUrl (const tr_rpc_server * server)

   return server->url ? server->url : "";

 }

-void

-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)

+static void

+tr_rpcSetList (char const* whitelistStr, tr_list** list)

 {

   void * tmp;

   const char * walk;

-  /* keep the string */

-  tmp = server->whitelistStr;

-  server->whitelistStr = tr_strdup (whitelistStr);

-  tr_free (tmp);

-

   /* clear out the old whitelist entries */

-  while ((tmp = tr_list_pop_front (&server->whitelist)))

+  while ((tmp = tr_list_pop_front (list)) != NULL)

     tr_free (tmp);

   /* build the new whitelist entries */

@@ -896,7 +953,7 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)

       const char * delimiters = " ,;";

       const size_t len = strcspn (walk, delimiters);

       char * token = tr_strndup (walk, len);

-      tr_list_append (&server->whitelist, token);

+      tr_list_append (list, token);

       if (strcspn (token, "+-") < len)

         tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'!  Are you using an old ACL by mistake?)", token);

       else

@@ -909,6 +966,21 @@ tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr)

     }

 }

+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr)

+{

+    tr_rpcSetList(whitelistStr, &server->hostWhitelist);

+}

+

+void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr)

+{

+    /* keep the string */

+    char* const tmp = server->whitelistStr;

+    server->whitelistStr = tr_strdup(whitelistStr);

+    tr_free(tmp);

+

+    tr_rpcSetList(whitelistStr, &server->whitelist);

+}

+

 const char*

 tr_rpcGetWhitelist (const tr_rpc_server * server)

 {

@@ -930,6 +1002,11 @@ tr_rpcGetWhitelistEnabled (const tr_rpc_server * server)

   return server->isWhitelistEnabled;

 }

+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled)

+{

+    server->isHostWhitelistEnabled = isEnabled;

+}

+

 /****

 *****  PASSWORD

 ****/

@@ -1063,6 +1140,28 @@ tr_rpcInit (tr_session  * session, tr_variant * settings)

   else

     tr_rpcSetWhitelistEnabled (s, boolVal);

+  key = TR_KEY_rpc_host_whitelist_enabled;

+

+  if (!tr_variantDictFindBool(settings, key, &boolVal))

+  {

+      missing_settings_key(key);

+  }

+  else

+  {

+      tr_rpcSetHostWhitelistEnabled(s, boolVal);

+  }

+

+  key = TR_KEY_rpc_host_whitelist;

+

+  if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL)

+  {

+      missing_settings_key(key);

+  }

+  else

+  {

+      tr_rpcSetHostWhitelist(s, str);

+  }

+

   key = TR_KEY_rpc_authentication_required;

   if (!tr_variantDictFindBool (settings, key, &boolVal))

     missing_settings_key (key);

diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h

index e0302c5ea..8c9e6b24e 100644

--- a/libtransmission/rpc-server.h

+++ b/libtransmission/rpc-server.h

@@ -49,6 +49,10 @@ void            tr_rpcSetWhitelist (tr_rpc_server * server,

 const char*     tr_rpcGetWhitelist (const tr_rpc_server * server);

+void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled);

+

+void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelist);

+

 void            tr_rpcSetPassword (tr_rpc_server * server,

                                    const char *    password);

diff --git a/libtransmission/session.c b/libtransmission/session.c

index 844cadba8..58b717913 100644

--- a/libtransmission/session.c

+++ b/libtransmission/session.c

@@ -359,6 +359,8 @@ tr_sessionGetDefaultSettings (tr_variant * d)

   tr_variantDictAddStr  (d, TR_KEY_rpc_username,                    "");

   tr_variantDictAddStr  (d, TR_KEY_rpc_whitelist,                   TR_DEFAULT_RPC_WHITELIST);

   tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled,           true);

+  tr_variantDictAddStr(d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST);

+  tr_variantDictAddBool(d, TR_KEY_rpc_host_whitelist_enabled, true);

   tr_variantDictAddInt  (d, TR_KEY_rpc_port,                        atoi (TR_DEFAULT_RPC_PORT_STR));

   tr_variantDictAddStr  (d, TR_KEY_rpc_url,                         TR_DEFAULT_RPC_URL_STR);

   tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled,  true);

diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h

index 4f76adfd6..e213a8f4e 100644

--- a/libtransmission/transmission.h

+++ b/libtransmission/transmission.h

@@ -123,6 +123,7 @@ const char* tr_getDefaultDownloadDir (void);

 #define TR_DEFAULT_BIND_ADDRESS_IPV4        "0.0.0.0"

 #define TR_DEFAULT_BIND_ADDRESS_IPV6             "::"

 #define TR_DEFAULT_RPC_WHITELIST          "127.0.0.1"

+#define TR_DEFAULT_RPC_HOST_WHITELIST              ""

 #define TR_DEFAULT_RPC_PORT_STR                "9091"

 #define TR_DEFAULT_RPC_URL_STR       "/transmission/"

 #define TR_DEFAULT_PEER_PORT_STR              "51413"

diff --git a/libtransmission/web.c b/libtransmission/web.c

index ee495e9fc..c7f062730 100644

--- a/libtransmission/web.c

+++ b/libtransmission/web.c

@@ -594,6 +594,7 @@ tr_webGetResponseStr (long code)

       case 415: return "Unsupported Media Type";

       case 416: return "Requested Range Not Satisfiable";

       case 417: return "Expectation Failed";

+      case 421: return "Misdirected Request";

       case 500: return "Internal Server Error";

       case 501: return "Not Implemented";

       case 502: return "Bad Gateway";