14 DAY TRIAL // File sharing application BitTorrent Sync has been patched against a vulnerability that allowed an attacker to execute code on the machine by tricking the user into accessing a maliciously crafted link.
BitTorrent Sync has emerged as an alternative to file-sharing solutions, offering the user an easy and secure method to send large-sized files to multiple computers.
It relies on the BitTorrent peer protocol that requires both the recipient and the sender to be online at the same time for the transfer to occur.
User interaction required for successful exploitation
The glitch has been assigned the tracking number CVE-2015-2846 and a severity score of 7.5 out of 10, as per the Common Vulnerability Scoring System (CVSS).
Credited with the discovery is Italian vulnerability researcher Andrea Micalizzi, also known by the online moniker “rgod,” who has a long list of security weaknesses reported responsibly under his belt.
The flaw in BitTorrent Sync consists in passing arbitrary command line parameters through the URL with the “btsync:” protocol. Successful exploitation of the vulnerability can allow the attacker to run arbitrary code on the machine, with the permissions of the logged user.
Vulnerability was reported in late 2014
Getting a victim to click on a malicious “btsync:” link is not a difficult task, and the attacker could rely on social engineering for the job. An email with the right lure is among the easiest methods.
Once the link is loaded, the commands it includes are passed to BTSync.exe, a security advisory from Zero Day Initiative (ZDI) informs.
Micalizzi reported the vulnerability last year, on November 6, and a coordinated public disclosure was scheduled for Friday. According to ZDI, BitTorrent has issued an update that fixes the issue.
Version 2.0.93 is currently the latest one for the application, available for all supported desktop platforms (Windows, OS X, Linux, and FreeBSD).