Vulnerability CVE-2009-1760

Vulnerability Name:

CVE-2009-1760 (CCN-51008)

Assigned:

2009-06-08

Published:

2009-06-08

Updated:

2018-10-10

Summary:

Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge Torrent, and other applications, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) and partial relative pathname in a Multiple File Mode list element in a .torrent file.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-22

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: census-2009-0002
c e n s u s : Rasterbar libtorrent arbitrary file overwrite vulnerability

Source: MISC
Type: Exploit, Patch
http://census-labs.com/news/2009/06/08/libtorrent-rasterbar/

Source: MITRE
Type: CNA
CVE-2009-1760

Source: CCN
Type: Deluge Web site
ReleaseNotes/1.1.9 Deluge

Source: CCN
Type: SA35277
Rasterbar Software libtorrent Directory Traversal Vulnerability

Source: SECUNIA
Type: Vendor Advisory
35277

Source: CCN
Type: SA35616
Deluge libtorrent Directory Traversal Vulnerability

Source: SECUNIA
Type: UNKNOWN
35848

Source: GENTOO
Type: UNKNOWN
GLSA-200907-14

Source: CCN
Type: SourceForge.net: Files
libtorrent, File Release Notes and Changelog, Release Name: libtorrent-0.14.4

Source: CONFIRM
Type: Patch
http://sourceforge.net/project/shownotes.php?group_id=79942&release_id=686456

Source: DEBIAN
Type: UNKNOWN
DSA-1815

Source: DEBIAN
Type: DSA-1815
libtorrent-rasterbar -- programming error

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2009:139

Source: CCN
Type: OSVDB ID: 55070
Rasterbar libtorrent src/torrent_info.cpp Multiple File Mode List Element Traversal Arbitrary File Overwrite

Source: BUGTRAQ
Type: UNKNOWN
20090608 Rasterbar libtorrent arbitrary file overwrite vulnerability

Source: BID
Type: Patch
35262

Source: CCN
Type: BID-35262
Rasterbar Software libtorrent Arbitrary File Overwrite Vulnerability

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-1534

Source: XF
Type: UNKNOWN
libtorrent-path-element-dir-traversal(51008)

Source: XF
Type: UNKNOWN
libtorrent-path-element-dir-traversal(51008)

Vulnerable Configuration:

Configuration 1:

cpe:/a:rasterbar_software:libtorrent:0:*:*:*:*:*:*:*

OR cpe:/a:rasterbar_software:libtorrent:0.12:*:*:*:*:*:*:*

OR cpe:/a:rasterbar_software:libtorrent:0.12.1:*:*:*:*:*:*:*

OR cpe:/a:rasterbar_software:libtorrent:*:*:*:*:*:*:*:* (Version <= 0.14.3)

Configuration CCN 1:

cpe:/a:rasterbar_software:libtorrent:0.14.3:*:*:*:*:*:*:*

OR cpe:/a:rasterbar_software:libtorrent:0.12.1:*:*:*:*:*:*:*

OR cpe:/a:rasterbar_software:libtorrent:0.12:*:*:*:*:*:*:*

AND

cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:8046	P	DSA-1815 libtorrent-rasterbar -- programming error	2014-06-23
oval:org.mitre.oval:def:13566	P	DSA-1815-1 libtorrent-rasterbar -- programming error	2014-06-23
oval:org.debian:def:1815	V	programming error	2009-06-14

BACK