Hi qBittorrent team,
I would like to report a security vulnerability concerning the qBittorrent product.
Description
qBittorrent's UI Lock functionality was vulnerable to authentication bypass. From the assessment of the product, it was noted that the UI Lock screen functionality is supposed to protect against unauthorised access to qBittorrent product features/functionality. The affected version of the product did not enforce a robust authentication mechanism, thus the UI Lock can be bypassed by tampering with a flag in the client-side configuration file.
Impact
From the assessment of the product, it was noted that the UI Lock functionality is supposed to protect against unauthorised access to qBittorrent product features/functionality. However, the broken authentication mechanism may lead to an unauthorised user accessing available functions of the product in an unauthorised manner.
Steps
1. Launch qbittorrent.exe
2. Click the lock icon (Lock qBittorrent) in the upper right-hand corner and input the appropriate password
3. After successfully inputting the password, verify that the software asks for the password when launched through the system tray icon or from the exe file
4. To bypass this password prompt, bring up Windows Task Manager and kill the qbittorrent.exe process
5. Go to Run and type %appdata%. Windows Explorer will be launched
6. Go inside the qBittorrent folder within C:\Users\<username>\Roaming
7. Open the qBittorrent configuration text file and locate the locked attribute within the Locking stanza
8. Change the value of the locked attribute to false
9. Relaunch qbittorrent.exe. Now the UI Lock authentication is bypassed and the application will launch without a password prompt.
Affected Product
qBittorrent v3.3.15 for Windows
Risk Rating (CVSS 2)
Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Ref: https://medium.com/@BaYinMin/cve-2017-1 ... 959ff55ada
Security Vulnerability Report - qBittorrent UI Lock - Authentication Bypass
Re: Security Vulnerability Report - qBittorrent UI Lock - Authentication Bypass
Why was this never addressed? I am aware that this is actually the official "forgot my password" method, but it seems odd to offer a password protected UI lock if it has an official and widely known bypass. I don't think it would be unreasonable to design the lock in a way that if you forgot your password, you are SOL, as long as it had proper warnings and stop-guards before enabling the lock. Some sort of recovery key implementation would also make sense and doesn't sound difficult to implement - correct me if I am wrong.
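The flag check the report describes next to the recovery-key design the reply proposes, as an added Python example (this is not qBittorrent's code; the Locking section and locked option mirror the report's stanza, the hash/salt option names and PBKDF2 parameters are assumptions):

```python
import configparser
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a qBittorrent value


def weak_is_locked(cfg: configparser.ConfigParser) -> bool:
    # The flaw from the report: lock state is a bare boolean in the
    # user-writable config, so editing locked=false removes the lock.
    return cfg.getboolean("Locking", "locked", fallback=False)


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def enable_lock(cfg: configparser.ConfigParser, password: str) -> str:
    # Store salted verifiers for the password and for a one-time recovery
    # key (the reply's suggestion); the recovery key is returned once so
    # the user can write it down, and is never stored in clear.
    pw_salt, rk_salt = os.urandom(16), os.urandom(16)
    recovery_key = secrets.token_hex(16)
    cfg["Locking"] = {
        "password_salt": pw_salt.hex(),
        "password_hash": _derive(password, pw_salt).hex(),
        "recovery_salt": rk_salt.hex(),
        "recovery_hash": _derive(recovery_key, rk_salt).hex(),
    }
    return recovery_key


def is_locked(cfg: configparser.ConfigParser) -> bool:
    # Locked iff a verifier exists: there is no boolean left to flip.
    return cfg.has_option("Locking", "password_hash")


def unlock(cfg: configparser.ConfigParser, secret: str) -> bool:
    if not is_locked(cfg):
        return True
    for kind in ("password", "recovery"):
        salt = bytes.fromhex(cfg["Locking"][f"{kind}_salt"])
        expected = bytes.fromhex(cfg["Locking"][f"{kind}_hash"])
        if hmac.compare_digest(_derive(secret, salt), expected):
            return True
    return False
```

This only removes the trivial flag flip: a user who can edit the config can still delete the whole Locking stanza, which is the inherent limit of any lock that lives in a client-side file the same user owns.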