BitErrant attack

The BitErrant attack is a fun little exploit that shows what can go wrong in the BitTorrent protocol when SHA1 collisions become reality. With a SHA1 collision, a chunk of the downloaded file becomes replaceable with a completely different chunk, corrupting the downloaded file OR triggering backdoor functionality. An attacker can alter the execution path of an executable by serving altered chunks while the victim is downloading it over the BitTorrent protocol. Thank you, good folks at Google and CWI, for making SHA1 collisions a reality with the SHAttered attack!



Proof-of-concept

Here are two EXE files with different functionality (the evil one has a meterpreter that will listen on all interfaces) that yield the same .torrent file. Password: SHA1: eed49a31e0a605464b41df46fbca189dcc620fc5 (ya know, because what can go wrong?)

Also, here is a sophisticated (LOL) framework for generating such executables.

Proof that most AV software is a piece of crap: Good file on virustotal, Evil file on virustotal

How BitTorrent works (oversimplified explanation)


The first step in distributing a file over BitTorrent is to generate a ".torrent" file from the original file (DATA). This is done by slicing the file into fixed-size chunks and then calculating the SHA1 hash of each chunk. The hash bytes are then concatenated and stored under the torrent file's "pieces" dictionary key.

When someone tries to download the DATA file using BitTorrent, the "DATA.torrent" file first needs to be downloaded and parsed. Based on the information stored in the DATA.torrent file, the client searches for peers and downloads chunks of the original file (DATA). To make sure rogue peers cannot send malicious data, the client verifies each downloaded chunk against the hash data stored in the DATA.torrent file. If the hash in the torrent file doesn't match the SHA1 hash of the downloaded chunk, the bad chunk gets discarded.




The malicious intent


An attacker can create an executable file which when executed looks harmless, but will change its execution path based on what data is inside the SHATTER region. Of course when checked with AntiVirus software the file will look okay as the malicious code is hidden in an encrypted blob, and will never get executed. Right?

Well, not quite. If the attacker has two chunk-sized blobs of data with matching SHA1 hashes (looking at you, SHAttered) and takes some constraints into account, generating two executables with different data that yield the same .torrent file is possible!





If the previously mentioned constraints are fulfilled, the two executables now have one chunk of data which is interchangeable. The attacker can replace this chunk to trigger the malicious functionality in the code.

One example of how the shellcode can be executed (or not) based on which chunk has been retrieved over the BitTorrent protocol:

The principle is that the decryption yields garbage when the incorrect SHATTER data is used. For example, the shatter-2.pdf collision data is used for encryption and the shatter-1.pdf data is used for distribution. During the download the attacker starts seeding his file where the shatter-2.pdf data is used, effectively replacing that one chunk and thus triggering the decryption and execution of the shellcode in clients who were unlucky enough to download that specific chunk from the attacker.






FAQ

Is this something serious?
No, at least not right now. I might reevaluate this statement when this gets used in the wild.

How can I protect myself?
Always cross-check the MD4, MD5, SHA1, SHA256 hash of the downloaded file. Good luck finding torrent sites that publish such hashes :) There is an option when generating torrent files to include the MD5 hash of the full data file in the generated torrent file. Most of the time it's not used, and I'm not even sure all torrent clients respect it.
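The per-chunk check from "How BitTorrent works" and the whole-file cross-check recommended above, as an added Python example (not code from the original page or from the BitErrant framework). `PIECE_LEN`, the sample data and `toy_hash` (a one-byte truncation of SHA1 standing in for a piece hash with a known collision) are constructed assumptions so the case runs offline.

```python
import hashlib

PIECE_LEN = 16  # constructed toy size; real torrents use much larger pieces

def sha1(chunk):
    return hashlib.sha1(chunk).digest()

def toy_hash(chunk):
    # Assumption: first byte of SHA1 only, standing in for a piece hash
    # with a known collision, so a collision can be shown offline.
    return hashlib.sha1(chunk).digest()[:1]

def split(data):
    return [data[i:i + PIECE_LEN] for i in range(0, len(data), PIECE_LEN)]

def make_pieces(data, piece_hash=sha1):
    # Concatenated per-chunk digests, as stored under the "pieces" key.
    return b"".join(piece_hash(c) for c in split(data))

def accept_chunk(index, chunk, pieces, piece_hash=sha1):
    # Client-side check: keep a chunk only if its digest matches the torrent.
    n = len(piece_hash(b""))
    return piece_hash(chunk) == pieces[index * n:(index + 1) * n]

def assemble(chunks, pieces, published_sha256, piece_hash=sha1):
    # Per-piece check first, then the whole-file digest obtained out of band.
    for i, chunk in enumerate(chunks):
        if not accept_chunk(i, chunk, pieces, piece_hash):
            return f"piece {i} discarded"
    if hashlib.sha256(b"".join(chunks)).hexdigest() != published_sha256:
        return "whole-file digest mismatch"
    return "ok"

def toy_collision(original):
    # A different 16-byte chunk with the same toy_hash (trivial at 1 byte).
    for i in range(100000):
        candidate = b"swapped %08d" % i
        if candidate != original and toy_hash(candidate) == toy_hash(original):
            return candidate
    raise RuntimeError("no toy collision found")

# Constructed sample file: three 16-byte chunks.
DATA = b"header-header-16" + b"benign chunk 000" + b"trailer-trailer!"
PUBLISHED_SHA256 = hashlib.sha256(DATA).hexdigest()

if __name__ == "__main__":
    chunks = split(DATA)
    chunks[1] = toy_collision(chunks[1])
    print(assemble(chunks, make_pieces(DATA, toy_hash), PUBLISHED_SHA256, toy_hash))
```

A chunk that collides under the piece hash passes every per-piece check, so only a whole-file digest obtained from a separate channel catches the swap.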
