oss-sec mailing list archives

Re: qBittorrent RCE, Browser Hijacking vulnerabilities


From: Eli Schwartz <eschwartz () gentoo org>
Date: Thu, 31 Oct 2024 00:27:51 -0400

On 10/30/24 7:43 PM, Sec Guy wrote:
> The secondary impact for all platforms is the update RSS feed can be
> poisoned with malicious update URLs which the user will open in their
> browser if they accept the prompt to update. This is browser hijacking and
> arbitrary exe delivery to a user who would likely trust whatever URL this
> software sent them to.


I researched this for our tracking ticket: https://bugs.gentoo.org/942569

The update RSS feed is activated here:

https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L308C1-L316

Dialog:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L1628-L1682

CheckProgramUpdate:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L1857-L1875


Settings loader:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/gui/mainwindow.cpp#L1413-L1430


Prefs window:
https://github.com/qbittorrent/qBittorrent/blob/84d895231cb5b67661042deae22d14b5f386342b/src/base/preferences.cpp#L1372-L1385

All this code is conditionally compiled under the condition:

#if defined(Q_OS_WIN) || defined(Q_OS_MACOS)


So, this secondary impact is, like the first impact, only an impact on
certain platforms -- two this time, instead of just one.


-- 
Eli Schwartz
