qBittorrent icon indicating copy to clipboard operation
qBittorrent copied to clipboard

Published 20 hours ago verified publisher icon qbittorrent

Disallow/strip leading whitespace from command fields/config entries (used in Malware attack)

Open r0ckarong opened this issue 8 months ago • 3 comments

qBittorrent & operating system versions

qBittorrent 4.6.5 from Docker image https://github.com/linuxserver/docker-qbittorrent/releases

What is the problem?

The "Run external program" fields (and any other settings field btw.) allow whitespace to precede the entered values. This is used by malicious actors to "hide" commands from the user at first glance.

I was targeted by crypto malware when I accidentally exposed my WebUI to the web. The attacker modified the configuration to enable "Run external program on torrent finished" and added a command that would fetch and install some crypto miner. Luckily this only happened inside a Docker container for me. I noticed this because there was some odd behavior of the client and high memory usage.

I noticed some weird activity in the log though and realized that these external commands ran.

When I checked the config, I initially didn't even notice it because how often do you look at your client config after you've set it? What was supposed to be there and what looked odd?

The way they "hide" this in the UI is to pad the command string with lots of whitespace (140+) so the actual command would "disappear". The provided input box has only a limited number of chars on screen and you have to actively select and look at it to figure out there is actually something in there. The ticked checkbox wasn't even obvious as weird to me when I looked over it the first couple of times.

The config file then confirmed that there was a space padded command in there.

I would like to request the input fields (and the storage in the config file for that matter) to be reworked in such a way that they do not allow whitespace to precede commands or inputs. I can't think of any reasonable case where you would need whitespace "before" any of the settings in the config file.

Steps to reproduce

  1. Open Settings > Downloads
  2. Tick box for "Run external program on torrent finished"
  3. Hit Space 140 Times
  4. Enter some malicious crap
  5. Hit "Home" and watch your command disappear (except for in the config)

Additional context

Other people hit by this: https://www.reddit.com/r/synology/comments/1co3toi/rogue_process_eating_ram/

(Sorry I don't have the config anymore but you can reproduce this yourself easily).

r0ckarong avatar Jun 08 '24 18:06 r0ckarong