uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack

Written by enigmax on January 17, 2008 

Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client, uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.

Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.

So far, the problem appears to affect these clients:

- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)

Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.

The bug in detail (from Luigi’s site):

By default both clients have the “Detailed Info” window active, with the “General” section visible in it, where various information about the status of the torrent and the trackers in use is reported.

In this same window near “General” there is also the “Peers” section, which is very useful since it shows much information about the other connected clients, like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like “BitTorrent 6.0”, “Azureus 3.0.3.4”, “uTorrent 1.7.5”, “KTorrent 2.2.4” and so on).

When this window is visualized by the user, the Unicode strings with the software versions of the connected clients are copied into the relative static buffers used for the visualization in the GUI through the wcscpy function.

If this string is too long a crash will occur immediately, or in some cases (like on BitTorrent) it could happen later or when the user watches the status of another torrent or leaves the “Peers” window. Code execution is not possible.

To exploit the problem it is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched on the target. Note that all these parameters (client IP, port and torrent’s hash) are publicly available on the tracker.

The uTorrent team state that the flaw also affects all older uTorrent versions, 1.6 and 1.7.x, but they have been quick to respond, releasing a new build, uTorrent 1.7.6 (build 7859), which has fixed the issue.

It can be downloaded here.
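
The copy pattern the advisory describes, next to a bounded alternative, as an added example (not code from the article, the advisory or either client). The buffer size, the function names and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define PEER_VER_CAP 64                  /* assumed size of the GUI buffer */
static wchar_t peer_cell[PEER_VER_CAP];  /* fixed buffer behind the Peers list */

/* Pattern the advisory describes, for comparison only (never called here):
 * wcscpy() ignores the destination size and writes until the terminator. */
void show_peer_version_unsafe(const wchar_t *peer_ver)
{
    wcscpy(peer_cell, peer_ver);
}

/* Bounded copy: reads at most src_len characters, writes at most dst_cap
 * (terminator included). Returns 0 = whole, 1 = truncated, -1 = bad args. */
int copy_peer_version(wchar_t *dst, size_t dst_cap,
                      const wchar_t *src, size_t src_len)
{
    if (dst == NULL || dst_cap == 0 || src == NULL)
        return -1;
    size_t n = 0;
    while (n < src_len && src[n] != L'\0')   /* bounded length scan */
        n++;
    int truncated = n > dst_cap - 1;
    if (truncated)
        n = dst_cap - 1;
    wmemcpy(dst, src, n);
    dst[n] = L'\0';
    if (truncated && n >= 3)                 /* make the cut visible in the UI */
        wmemcpy(dst + n - 3, L"...", 3);
    return truncated;
}

/* Constructed input: a 300-character, unterminated version field. */
size_t demo_oversized_len(void)
{
    wchar_t peer[300];
    wmemset(peer, L'A', 300);
    (void)copy_peer_version(peer_cell, PEER_VER_CAP, peer, 300);
    return wcslen(peer_cell);                /* length actually stored */
}

int main(void)
{
    printf("stored %zu of 300 characters\n", demo_oversized_len());
    return 0;
}
```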

121 Responses

1 Jan 17, 2008 at 13:19 by julian

everybody uninstall utorrent!

2 Jan 17, 2008 at 13:25 by Mr.IceMan

[quote comment="265678"]everybody uninstall utorrent![/quote]

why ??? there is a fix now :)

3 Jan 17, 2008 at 13:26 by Fban

Are there any good alternatives to uTorrent? I still use 1.6. Azureus is the one most say to use but I found it to have a shitty UI and be a resource hog.

4 Jan 17, 2008 at 13:26 by heh

A normal crash bug? Is that what they are calling a vulnerability these days?

These “security experts” are getting desperate. Hyping a normal crash bug to make it sound like it is an actual security vulnerability.

5 Jan 17, 2008 at 13:44 by Mr.IceMan

[quote comment="265687"]A normal crash bug? Is that what they are calling a vulnerability these days?

These “security experts” are getting desperate. Hyping a normal crash bug to make it sound like it is an actual security vulnerability.[/quote]

they call that crash bug “security vulnerability” cause the attacker can crash uTorrent almost non-stop :P

6 Jan 17, 2008 at 13:48 by theymos

Fban, the alternatives are bitcomet, halite, and torrent swapper.

Bitcomet is full of ads and cheats the system, but it works ok.

Halite is extremely minimalistic. It lacks some important features.

Torrent swapper lacks DHT and encryption, and it’s kind of unstable.

Also, a lot of download managers support the basics of bittorrent.

I use Azureus, but my second choice would probably be halite.

7 Jan 17, 2008 at 14:07 by meow

rtorrent ^^

8 Jan 17, 2008 at 14:07 by Flutter

[quote comment="265686"]Are there any good alternatives to uTorrent? I still use 1.6. Azureus is the one most say to use but I found it to have a shitty UI and be a resource hog.[/quote]

utorrent has a great UI and uses very little resources. What’s the problem?

9 Jan 17, 2008 at 14:23 by BramTourette

theymos, and then there is µTorrent, still the very best client of them all.

10 Jan 17, 2008 at 14:29 by theromi

uTorrent is closed source, that's the problem.

rTorrent can do everything uTorrent can, with even less resources, and has better web interfaces.

11 Jan 17, 2008 at 14:32 by big dawg

I don’t get it, so the ‘attacker’ shuts utorrent, maybe even permanently or continuously… big whoop!

Can they use the flaw to steal your money or your identity? Can they fry your pc?

If that’s the case then I’m changing right now, but if not, what’s the big deal? I don’t know anything about this stuff…

12 Jan 17, 2008 at 14:46 by TheOneX

wtf yesterday night i had a hard time getting 1 of my torrents uploaded (wouldn't connect even though 10-18 peers were trying to download it)

and later on i did something and my utorrent crashed and it asked me if i wanted to reload utorrent or close it.

after reloading all the torrents needed to be rechecked if it was there.

Strange shit

13 Jan 17, 2008 at 14:49 by kilroy

http://en.wikipedia.org/wiki/Comparison_of_BitTorrent_software

Azureus is a joke. µTorrent 4 life.

14 Jan 17, 2008 at 14:56 by blank

Conspiracy Theory 101

This is probably a ploy, whether true threat or not, to make you upgrade so they can monitor you even more with the newer version.

I use 1.6.x because it’s the last version released before uTorrent was purchased.

Whether my theory is correct or not. I smell something fishy and I won’t be upgrading my uTorrent.

Just my 2 cents.

15 Jan 17, 2008 at 15:10 by Rycon

Well I have to say your 2 cents doesn't make too much sense, they aren't MAKING you upgrade, you really don't understand this whole concept.

utorrent is a free program and they don't give a shit if you use the latest or not, they have found it to have a what I would call a BUG, since I don't see it as security issue but I guess technically it is. So they patch it and continue to build on their very good program. It's the same as thousands of very good programs like Firefox. You can use version 1.0 if you can find it, but that would be your dumb ass decision.

16 Jan 17, 2008 at 15:25 by PhishyBongwaters

Being closed or open has no bearing on the fact that Utorrent is the best client for most people. Smallest footprint, totally portable, webUI (think it’s still in beta) DHT, encryption, rss.

There’s no reason not to use utorrent really, unless you are completely happy with your current client.

This is a small bug, nothing to be worried about, and it’s hardly opening you to DoS, as it’s merely crashing your BTclient, which you can easily fix.

@TheOneX,

that’s exactly what happens when your torrent client crashes. Since it didn’t properly exit, it has to rehash the file when it restarts. This is the main reason bittorrent doesn’t suck is because of that built in hash check, your download can not get corrupted, as the client checks your data against the hash and redownloads anything that might not fit.

This is why if you crash with downloads going, utorrent will ‘check’ the files you had going, and depending on file size and number of downloads, this can take awhile. You can technically force it not to check the hash, but this is bad as you’ll end up seeding corrupted pieces to other clients.

They’ll receive a warning along the lines of ‘Piece failed hash check redownloading.’

Your crash had nothing to do with this bug.

17 Jan 17, 2008 at 15:26 by Lord Alderaan

@blank

rofl

1.6.1 is released by BitTorrent Inc.

1.6 is the last version by Ludde…

But then again as you said you are purely going by your sense of smell which obviously has nothing to do with the internet… you actually have no freaking clue what you are talking about, do you? Wireshark is probably only a combination of two normal words for you right?

If you want any proof that the µTorrent developers care AND that a closed source project DOES have its advantages this problem was fixed within a day. And the last serious issue (Misreporting >4GB torrent stats & LPD ignoring private flag) was also fixed within days of its detection.

Also the last 14 months have seen more active development and more feedback by the BitTorrent, Inc. than the 14 months before that by Ludde.

Don’t trust µTorrent (or any client for that matter) blindly. But they obviously don’t deserve the prejudice and distrust that some people are throwing around.

18 Jan 17, 2008 at 15:40 by tt

Another great bittorrent client is Deluge. There are versions for all operating systems. It has a built in browser through a proxy and it seems to have very good encryption. Anyone else using it?

19 Jan 17, 2008 at 16:17 by Critterish

Thanks for the info, also beware isohunt, they are heavily monitored by CRIAA, and since their servers are in Canada. Just watch out

20 Jan 17, 2008 at 16:19 by Harm

i think BitLord is cool!

21 Jan 17, 2008 at 16:33 by Maglor1212

God Bless Azureus :D

22 Jan 17, 2008 at 16:50 by gd

anyone from norway here? or just any information. does the isp here monitor our downloads? do they redflag you if they monitor you downloading torrents?

23 Jan 17, 2008 at 17:25 by Anonymous

@Critterish

I agree to not use IsoHunt, but only because mininova is better.

Their servers are not tracked by any organisation, and file sharing (apart from for commercial purposes) is legal in Canada.

24 Jan 17, 2008 at 17:52 by oneplusone

In regards to this issue, I have this tale to offer.

Recently, my uTorrent has been frozen when I wake up in the mornings. I have access to the Start menu, but PC won’t shut down. I end up having to manually soft-shutdown the PC and restart.

I implemented the lvlord 4226 patch and that seemed to take care of it for a bit, but it’s back. This morning, again I was having to manually shutdown/restart the PC.

Now, this issue in this article sounds suspiciously like my issue.

I'm XP SP2 and I am using uTorrent 1.7.5.

Anyone else having these issues? I was gonna recover shortly, but I read this article and it seemed to fit my issue. Pls reply.

25 Jan 17, 2008 at 17:53 by oneplusone

[quote comment="265785"]i think BitLord is cool![/quote]
BitLord, as I understand it is a clone of BitComet. I don’t use that client as it is banned by MANY trackers. You just won’t connect a lot of the time.
