14-Year Vulnerability in qBittorrent Leaves Millions Exposed to RCE Attacks
Sharp Security has unveiled a critical vulnerability that has lingered in the popular torrent client qBittorrent for over 14 years, leaving countless users exposed to potential cyberattacks. The flaw, deeply rooted in the software’s DownloadManager class, had bypassed SSL certificate validation since April 6, 2010, effectively accepting any SSL certificate regardless of its validity.
The DownloadManager class sits under most of qBittorrent's HTTPS traffic: the search plugins, .torrent downloads, RSS feeds, and even favicon fetches all go through it. Sharp Security's report stresses what skipping certificate checks means in practice: an attacker on the network path (a hostile Wi-Fi hotspot or a compromised router is enough) can present any certificate, terminate the TLS session, and read or rewrite the traffic, substituting malicious content for the file the user expects to download.
The most serious consequence is on Windows. To install or update Python, which the search feature depends on, qBittorrent downloads an installer executable from a hardcoded URL through the same DownloadManager and then runs it. With no certificate check, anyone able to intercept that connection could hand back an executable of their choosing, and the client would execute it: remote code execution (RCE) with little or no user interaction.
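To make the bug class and its fix concrete, here is an added example in Python (not qBittorrent's own Qt/C++ code). The `insecure_context()` function is the Python equivalent of a Qt client whose `sslErrors` handler calls `ignoreSslErrors()` unconditionally, so every certificate is accepted; `hardened_context()` is the verifying configuration 5.0.1 moves to. It also adds the check a practitioner would want for an installer the client goes on to execute: a SHA-256 pin, so that even a correctly authenticated server cannot feed the client an unexpected binary. The URL, the sample installer bytes, the digest and the `constructed_opener` stand-in are all constructed for the example; a real caller would pass the network opener.

```python
"""Added example (not qBittorrent's code): TLS certificate validation
bypass vs. the hardened form, plus a SHA-256 pin for executed downloads."""
import hashlib
import hmac
import ssl
import urllib.request


def insecure_context() -> ssl.SSLContext:
    """Accept any certificate for any host: the pre-5.0.1 behaviour."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System CA store, hostname matching, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 is negotiable")
    return findings


def default_opener(url: str, ctx: ssl.SSLContext) -> bytes:
    """Real network fetch over the supplied context."""
    with urllib.request.urlopen(url, context=ctx) as resp:
        return resp.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_pinned(url: str, expected_sha256: str, ctx=None, opener=default_opener) -> bytes:
    """Download over a verifying context and return the bytes only if their
    SHA-256 matches the digest pinned in the client.

    Verified TLS proves the client talked to the right host; the pin
    additionally proves the artifact is the one the release was built
    against, which is what should gate anything the client then executes."""
    ctx = ctx or hardened_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing download over weak TLS context: " + "; ".join(problems))
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    data = opener(url, ctx)
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"digest mismatch: expected {expected_sha256}, got {actual}")
    return data


def fetch_outcome(url: str, expected_sha256: str, ctx=None, opener=default_opener) -> str:
    """Scripting/test convenience: 'ok' or the refusal reason."""
    try:
        fetch_pinned(url, expected_sha256, ctx, opener)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed stand-ins so the example runs offline (not a real installer).
INSTALLER_URL = "https://example.invalid/python-installer.exe"   # hypothetical URL
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-bytes"
SAMPLE_DIGEST = sha256_hex(SAMPLE_INSTALLER)


def constructed_opener(url: str, ctx: ssl.SSLContext) -> bytes:
    """Pretends to be the network: returns the constructed installer."""
    return SAMPLE_INSTALLER


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    print(fetch_outcome(INSTALLER_URL, SAMPLE_DIGEST, opener=constructed_opener))
```

Note the ordering in `insecure_context()`: Python refuses to set `CERT_NONE` while `check_hostname` is still true, which is a small guard rail the Qt API does not give you. The `audit_context()` check is cheap enough to run at startup against every context a client builds.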
The update checker has the same weakness. It fetches an RSS feed from a hardcoded URL, parses the XML, and, when a newer version is listed, offers the user a link to download it. Because the feed is fetched without certificate verification, an interceptor could rewrite that link, steering the user's browser to a site of their choosing or to a download that masquerades as the update.
RSS feeds are a further attack surface. Any URL in a feed, whether placed there by a malicious feed author or injected by an attacker tampering with the feed in transit, is opened with a single double-click. Sharp Security notes that in conjunction with earlier qBittorrent issues, notably CVE-2019-13640, this enabled remote command execution: shell metacharacters embedded in a torrent name or tracker parameter were passed into an external command and interpreted by the shell.
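The injection pattern behind CVE-2019-13640, shown side by side with the form that closes it, as an added example in Python (not qBittorrent's code). The template string `"echo %N"` is a hypothetical stand-in for a user-configured "run this command when a torrent finishes" setting, and `HOSTILE_NAME` is a constructed attacker-controlled torrent name; the example assumes a POSIX shell at `/bin/sh`.

```python
"""Added example (not qBittorrent's code): command injection through a
substituted torrent name, and the argv-based variant that is immune."""
import shlex
import subprocess

# Constructed attacker-controlled torrent name; "; echo INJECTED" is the payload.
HOSTILE_NAME = "movie.mkv; echo INJECTED"


def run_unsafe(template: str, torrent_name: str) -> str:
    """Substitute %N into the command string, then hand the whole string to
    /bin/sh. Any shell metacharacters in the name become shell syntax."""
    cmd = template.replace("%N", torrent_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(template: str, torrent_name: str) -> str:
    """Tokenise the template first, substitute into each argv element, and
    execute without a shell. The name reaches the program as exactly one
    argument, metacharacters and all."""
    argv = [arg.replace("%N", torrent_name) for arg in shlex.split(template)]
    if not argv:
        raise ValueError("empty command template")
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe ->", repr(run_unsafe("echo %N", HOSTILE_NAME)))
    print("safe   ->", repr(run_safe("echo %N", HOSTILE_NAME)))
```

With the hostile name the unsafe path prints two lines, the second of which came from the injected command; the safe path prints the name verbatim as one line. The same separation applies to tracker URLs or any other field taken from a .torrent file or feed.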
A feature that is on by default downloads a MaxMind GeoIP database from a fixed URL and decompresses it, which makes it a zero-click entry point: nothing the user does triggers it. With certificate checks absent, an attacker intercepting that download could substitute a crafted archive, and given the buffer overflows found in zlib over the years, a malformed stream handed to the decompressor is a plausible route to arbitrary code execution.
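Bounding the output and insisting on a clean end of stream does not patch a memory-safety bug inside zlib itself (that needs a patched zlib), but it is the minimum handling an auto-fetched, untrusted gzip file should get, and it is cheap. The following is an added example in Python (not qBittorrent's code): the 64 MiB ceiling is an assumed value chosen because GeoIP databases are a few megabytes, and the sample database, the decompression bomb and the damaged files are all constructed inline rather than real MaxMind data.

```python
"""Added example (not qBittorrent's code): bounded, checked decompression of
an automatically fetched gzip file such as a GeoIP database."""
import gzip
import zlib

MAX_DECOMPRESSED = 64 * 1024 * 1024   # assumed ceiling; real DBs are a few MiB


class DecompressionLimitExceeded(ValueError):
    pass


def bounded_gunzip(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a gzip stream, refusing output larger than `limit` bytes,
    truncated streams, and trailing data after the stream."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
    # max_length caps what zlib may emit in this call; asking for limit + 1
    # detects overflow without ever materialising the whole payload.
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"output exceeds {limit} bytes")
    if not d.eof:
        # every input byte was consumed but the gzip trailer never arrived
        raise ValueError("truncated gzip stream")
    if d.unused_data:
        raise ValueError("trailing data after gzip stream")
    return out


def gunzip_outcome(data: bytes, limit: int = MAX_DECOMPRESSED) -> str:
    """Scripting/test convenience: classify how decompression ended."""
    try:
        bounded_gunzip(data, limit)
        return "ok"
    except DecompressionLimitExceeded:
        return "limit"
    except zlib.error:          # bad deflate data or CRC/length mismatch
        return "corrupt"
    except ValueError:          # truncated or trailing data
        return "malformed"


# Constructed samples (not real MaxMind data).
SAMPLE_DB = b"geoip-sample-record;" * 200          # 4000 bytes
SAMPLE_GZ = gzip.compress(SAMPLE_DB)
BOMB_GZ = gzip.compress(bytes(8 * 1024 * 1024))    # 8 MiB of zeros, a few KiB compressed
TRUNCATED_GZ = SAMPLE_GZ[:-8]                      # CRC32 + ISIZE trailer cut off
TRAILING_GZ = SAMPLE_GZ + b"junk"
CORRUPT_GZ = SAMPLE_GZ[:20] + bytes([SAMPLE_GZ[20] ^ 0xFF]) + SAMPLE_GZ[21:]


if __name__ == "__main__":
    for name, blob in [("sample", SAMPLE_GZ), ("bomb", BOMB_GZ),
                       ("truncated", TRUNCATED_GZ), ("trailing", TRAILING_GZ),
                       ("corrupt", CORRUPT_GZ)]:
        print(f"{name:10s} {len(blob):6d} bytes -> {gunzip_outcome(blob, 1024 * 1024)}")
```

Using `max_length` on the decompressor object, rather than `gzip.decompress()` and a size check afterwards, is the point: the check must happen before the full output exists, or a crafted file can still exhaust memory on the way to being rejected.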
Version 5.0.1 finally turns certificate verification on in the DownloadManager, giving users a secure baseline against the whole family of issues above. Sharp Security recommends upgrading to the latest version immediately or, failing that, switching to a client such as Deluge or Transmission, which do not share this behavior.
Update on November 1: this flaw is now tracked as CVE-2024-51774.