uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack

Written by enigmax on January 17, 2008 

Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client, uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.

Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.

So far, the problem appears to affect these clients:

- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)

Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.

The bug in detail (from Luigi’s site):

By default both the clients have the “Detailed Info” window active with the “General” section visible in it, where various information about the status of the torrent and the trackers in use is reported.

In this same window near “General” there is also the “Peers” section which is very useful since it shows a lot of information about the other connected clients like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like “BitTorrent 6.0”, “Azureus 3.0.3.4”, “uTorrent 1.7.5”, “KTorrent 2.2.4” and so on).

When this window is visualized by the user the Unicode strings with the software versions of the connected clients are copied into the relative static buffers used for the visualization in the GUI through the wcscpy function.

If this string is too long a crash will occur immediately or in some cases (like on BitTorrent) could happen later or when the user watches the status of another torrent or leaves the “Peers” window. Code execution is not possible.

To exploit the problem it is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched on the target. Note that all these parameters (client IP, port and torrent’s hash) are publicly available on the tracker.

The uTorrent team states that the flaw also affects all older uTorrent versions, 1.6 and 1.7.x, but has been quick to respond, releasing a new build, uTorrent 1.7.6 (build 7859), which fixes the issue.

It can be downloaded here.
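The copy pattern the advisory describes, next to a bounded version, as an added example that is not uTorrent's or BitTorrent's code. The struct, the function names and the 64-character buffer size are assumptions, and the oversized string is constructed.

```c
#include <stddef.h>
#include <wchar.h>

#define CLIENT_COLS 64      /* assumed size; the real buffer size is not on the page */
#define GUARD 0xC0FFEEu     /* marker used to detect a write past the buffer */

/* Hypothetical row of the "Peers" list. `guard` stands in for whatever
   happens to live right after the static buffer in memory. */
struct peer_row {
    wchar_t  client[CLIENT_COLS];
    unsigned guard;
    int      truncated;
};

/* Pattern from the advisory, for contrast only (never called here): the
   amount copied is decided by the remote peer, not by the destination. */
void set_client_unsafe(struct peer_row *row, const wchar_t *from_peer)
{
    wcscpy(row->client, from_peer);   /* overruns client[] on long input */
}

/* Bounded copy: at most CLIENT_COLS-1 characters, always terminated,
   truncation recorded so the UI can mark the peer's string as cut. */
size_t set_client_bounded(struct peer_row *row, const wchar_t *from_peer)
{
    size_t n = 0;
    while (n < CLIENT_COLS - 1 && from_peer[n] != L'\0') {
        row->client[n] = from_peer[n];
        n++;
    }
    row->client[n] = L'\0';
    row->truncated = (from_peer[n] != L'\0');
    return n;
}

/* Constructed input: a 500-character "version string". Returns 1 when the
   row ends up terminated, flagged as truncated, and its neighbour intact. */
int oversized_input_is_contained(void)
{
    wchar_t big[501];
    struct peer_row row = { {0}, GUARD, 0 };
    for (size_t i = 0; i < 500; i++) big[i] = L'A';
    big[500] = L'\0';
    size_t n = set_client_bounded(&row, big);
    return n == CLIENT_COLS - 1 && row.truncated && row.guard == GUARD
        && row.client[CLIENT_COLS - 1] == L'\0';
}

int main(void) { return oversized_input_is_contained() ? 0 : 1; }
```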


121 Responses


51 Jan 17, 2008 at 22:24 by zarathustra

As much as I love uTorrent, I will NOT use any version past build 474 (v1.6), as that was the last version before Bittorrent.inc (& their MPAA buddies) bought Ludde out.

Make of my observation what you will…

52 Jan 17, 2008 at 22:54 by Anonymous

Must have got hold of me more than once… Hogs resources until it crashes, while the up and down speeds are slow. Oh well.. I will continue to use u torrent! Just hope nothing more serious happens because of this. Announcing to the world about this problem really doesn’t help :/

53 Jan 17, 2008 at 22:54 by iOserV

Must have got hold of me more than once… Hogs resources until it crashes, while the up and down speeds are slow. Oh well.. I will continue to use u torrent! Just hope nothing more serious happens because of this. Announcing to the world about this problem really doesn’t help :/

54 Jan 18, 2008 at 01:13 by Mike

Yeah, Wordpress sometimes glitches me out on my first-comment-of-the-day too; eh TF - is there a patch out for it or something? Maybe other sites have complained about this problem?

I love this site, by the way;
single best torrent/p2p news site online!

55 Jan 18, 2008 at 02:37 by qMark

There is an exploit to execute code in conjunction with this.

Also What.cd will be banning all previous versions of uT within 48 hours. It’s a matter of protecting the swarms and forced updating is the only way, everyone is too paranoid to update if they have a choice.

56 Jan 18, 2008 at 02:50 by DreadWingKnight

[quote comment="266003"]As much as I love uTorrent, I will NOT use any version past build 474 (v1.6), as that was the last version before Bittorrent.inc (& their MPAA buddies) bought Ludde out.

Make of my observation what you will…[/quote]
I will take you up on that then.

You’re a braindead lemming. Provide REAL proof of your claims or take them elsewhere

http://torrenthelp.depthstrike.com/2007/07/utorrent-171-and-all-claims-about.html

57 Jan 18, 2008 at 03:18 by yea

how convenient, now everyone will be using the BITTORRENT INC utorrent client

58 Jan 18, 2008 at 03:20 by yea

[quote]As much as I love uTorrent, I will NOT use any version past build 474 (v1.6), as that was the last version before Bittorrent.inc (& their MPAA buddies) bought Ludde out.[/quote]
1.6.1-beta-build-483 is the last utorrent release prior to the transfer.

59 Jan 18, 2008 at 03:39 by Anonymous

[quote comment="265725"]rTorrent can do everything uTorrent can, with even less resources, and has better webinterfaces.[/quote]

Everything… Except run on windows.

60 Jan 18, 2008 at 03:46 by RobInMI61

I think this exploit was being used already. When using a public torrent site for torrents, there were times when one by one, ALL my torrents (from both public and private sites) would “go red” with indicated tracker problems. However, since these were on several different trackers, I suspected something was up. This was just before Media Defender was exposed.

I would then reboot and change the listening port and all would be well for a short time (all going green)… and then soon all would go red again. I think a “bot” was using this exploit to crash (overload) uTorrent v 1.6.

If I only used torrents from private torrent sites… no problem. But using selected torrents from the public site would generate this condition repeatedly.

So, I stopped using public site torrents and don’t have this problem. If your client has all torrents (from different trackers) go red, try not using torrents from public sites.

61 Jan 18, 2008 at 03:54 by system

[quote comment="265966"]not the peerid, friendly version name can be sent through extended messaging protocol[/quote]

Thanks for that, I was wondering how it was possible for this to not have caused serious problems earlier.

Assuming they are using azureus messaging, isn’t that spec just a little off the wall in allowing 4 bytes for the length indicator for the message type name?
A 2GB name for a message is complete overkill. Not to mention the fact that it’s signed, which means it’s perfectly valid to tell az or any other client that the name is negative 2GB long.
An unsigned 2 byte int would have been better. 65536 bytes is enough to easily cover any valid name.
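The length validation this comment argues for, as an added example that is not part of the thread or of any client's code. The framing (a 4-byte big-endian signed length followed by the name bytes) is assumed from the comment, and the 64-byte cap, function name and sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_CAP 64   /* assumed upper bound for a message type name */

enum { NAME_OK = 0, NAME_SHORT = -1, NAME_NEGATIVE = -2, NAME_TOO_LONG = -3 };

/* Parse a name framed as a 4-byte big-endian signed length followed by that
   many bytes. The framing is assumed from the comment above, not taken from
   a protocol specification. `out` must hold NAME_CAP + 1 bytes. */
int read_name(const uint8_t *buf, size_t avail, char *out)
{
    if (avail < 4)
        return NAME_SHORT;                      /* no complete length field */
    uint32_t raw = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (raw & 0x80000000u)
        return NAME_NEGATIVE;                   /* sign bit set: a negative length */
    if (raw > NAME_CAP)
        return NAME_TOO_LONG;                   /* reject before copying anything */
    if (raw > avail - 4)
        return NAME_SHORT;                      /* claims more than was received */
    memcpy(out, buf + 4, raw);
    out[raw] = '\0';
    return NAME_OK;
}

/* Constructed frames, one per outcome. */
static const uint8_t FRAME_OK[]   = { 0, 0, 0, 4, 'P', 'I', 'N', 'G' };
static const uint8_t FRAME_NEG[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };
static const uint8_t FRAME_HUGE[] = { 0x7F, 0xFF, 0xFF, 0xFF, 'x' };
static const uint8_t FRAME_CUT[]  = { 0, 0, 0, 10, 'a', 'b', 'c' };

int main(void)
{
    char name[NAME_CAP + 1];
    return read_name(FRAME_OK, sizeof FRAME_OK, name) == NAME_OK &&
           read_name(FRAME_NEG, sizeof FRAME_NEG, name) == NAME_NEGATIVE &&
           read_name(FRAME_HUGE, sizeof FRAME_HUGE, name) == NAME_TOO_LONG &&
           read_name(FRAME_CUT, sizeof FRAME_CUT, name) == NAME_SHORT ? 0 : 1;
}
```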

62 Jan 18, 2008 at 05:25 by RZ

fucking FINALLY, a good reason to upgrade. Now all the dumbasses who think uTorrent 1.7 “spies” on you and reports your activity to the RIAA can shut the fuck up.

63 Jan 18, 2008 at 05:27 by anon

DOS attacks are illegal but if someone like Media@ssDefenders use it to prevent p2p file-sharing which they view as illegal, no one will try to prosecute them.

However, if a cop does something like an illegal search on a known criminal, the case gets thrown out.

Unfair isn’t it?

If the law can’t punish illegal acts from these RI/MPAA dogs someone with more devastating methods will.

64 Jan 18, 2008 at 05:29 by RzmmDX

lol, and i was wondering why utorrent was updating today.

65 Jan 18, 2008 at 05:32 by The Boss

Torrent sucks anyway because trackers keep your ip’s…
µTorrent or Azureus or whatever, you can still be a target to make an example…
NewsGroups FTW and IRC FTW !!!
…Fuck the Rest…

66 Jan 18, 2008 at 07:20 by zarathustra

[quote comment="266126"][quote comment="266003"]As much as I love uTorrent, I will NOT use any version past build 474 (v1.6), as that was the last version before Bittorrent.inc (& their MPAA buddies) bought Ludde out.

Make of my observation what you will…[/quote]
I will take you up on that then.

You’re a braindead lemming. Provide REAL proof of your claims or take them elsewhere

http://torrenthelp.depthstrike.com/2007/07/utorrent-171-and-all-claims-about.html[/quote]

Don’t get your panties in a bunch, numbnuts. That URL has fuck-all to do with what I posted. Did I suggest anywhere that I was worried about data-leakage? Erm… no.

If you’re suggesting that after v1.6 Ludde did NOT sell his tech to Bittorrent.inc then you’re actually even dumber than you originally appeared (& I had doubts that that was possible…)

HTH,
HAND,
kthxbai.

67 Jan 18, 2008 at 07:28 by PWNz0r 0.9b

zeropaid forums:

Bit Torrent are now affiliated with the big players Warner Brothers for example, and they have signed an agreement to distribute digital content through the Bit Torrent client, what does this mean? basically that uTorrent will be that distribution client at some point in the future, and how long before we see adverts for movies within uTorrent!

68 Jan 18, 2008 at 07:33 by Lamer Exterminator

I laugh at these uTorrent forum monkeys, always slurping each other & denying the truth. Here’s what Bram & Ludvig had to say on the matter (& posted to your very own fan-forum, DeadUnBright):

“This is Bram Cohen, the creator of the BitTorrent protocol, and Ludvig (Ludde) Strigeus, the writer of µTorrent. Together, we are pleased to announce that BitTorrent, Inc. and µTorrent AB have decided to join forces. BitTorrent has acquired µTorrent[...]”

From the horse’s mouth, folks.

Ludvig sold to Bram. Bram sold to Warner et al.

End of story.

Enjoy. ;D

69 Jan 18, 2008 at 07:36 by MediaAttacker

Ludde, of course, does not owe me or any of us users anything. He provided us with a good, light, efficient torrent client that is probably the best one around. He’s always been very protective of his code, and that bothered me a little, but still, the program is terrific and I welcomed it and used it with no reservations.

The same goes for Bram Cohen. He created BitTorrent, a wonderful technology. Whereas I have absolutely nothing nasty to say about Ludde, I don’t feel the same way about Bram. In interviews, he always comes off as an extremely unpleasant, arrogant person, riding on his Asperger’s power trip pretending he’s such the boy whiz. I could forgive that if it were not for his dealings with this sad, abusive content industry we have to struggle with nowadays, be it regarding intellectual property maximalist agendas that do immense damage to consumers and the public good, be it regarding the absolutely crap content that they’ve been s****g out for a while.

Both Ludde and Bram do not owe me anything. Yet, I feel sad, betrayed, and disappointed in myself for being so naïve. For once believing they were siding with the good guys…that they were striving for something more important than money, that they believed in the power of the disruptive technologies they created to actually disrupt the old industrial forces in content production. I guess I have too much faith in people…

While I salute the initiative to pursue new business models, making a deal with the MPAA is certainly not the way to do it. There will be no innovation, just the same old business models transplanted to the Internet, with a few quirks here and there, backed up by strongly inequal IP laws, which in turn seek to sustain the artificial scarcity of digital content. I should have seen it coming as soon as Bram started arguing against net neutrality…

This is very, very sad, Ludde, this ruining of a beautiful thing. I hate to call anyone a sell out, but hey, you deserve it. I’m not going to name call Bram, since he’s beyond any help, but shame on you, Ludde. Hope you buy yourself something nice.

70 Jan 18, 2008 at 09:23 by Brosef McNuttyfuck

[quote comment="266264"]Ludde, of course, does not owe me or any of us users anything. He provided us with a good, light, efficient torrent client that is probably the best one around. He’s always been very protective of his code, and that bothered me a little, but still, the program is terrific and I welcomed it and used it with no reservations.

The same goes for Bram Cohen. He created BitTorrent, a wonderful technology. Whereas I have absolutely nothing nasty to say about Ludde, I don’t feel the same way about Bram. In interviews, he always comes off as an extremely unpleasant, arrogant person, riding on his Asperger’s power trip pretending he’s such the boy whiz. I could forgive that if it were not for his dealings with this sad, abusive content industry we have to struggle with nowadays, be it regarding intellectual property maximalist agendas that do immense damage to consumers and the public good, be it regarding the absolutely crap content that they’ve been s****g out for a while.

Both Ludde and Bram do not owe me anything. Yet, I feel sad, betrayed, and disappointed in myself for being so naïve. For once believing they were siding with the good guys…that they were striving for something more important than money, that they believed in the power of the disruptive technologies they created to actually disrupt the old industrial forces in content production. I guess I have too much faith in people…

While I salute the initiative to pursue new business models, making a deal with the MPAA is certainly not the way to do it. There will be no innovation, just the same old business models transplanted to the Internet, with a few quirks here and there, backed up by strongly inequal IP laws, which in turn seek to sustain the artificial scarcity of digital content. I should have seen it coming as soon as Bram started arguing against net neutrality…

This is very, very sad, Ludde, this ruining of a beautiful thing. I hate to call anyone a sell out, but hey, you deserve it. I’m not going to name call Bram, since he’s beyond any help, but shame on you, Ludde. Hope you buy yourself something nice.[/quote]
shut up faggot

71 Jan 18, 2008 at 12:10 by code

back on topic.

RE: the code execution part.

One of our site coders did some testing and he can and for sure has crashed it and executed code under XP with version 1.6. He has not tested other versions yet.

72 Jan 18, 2008 at 12:13 by The World Is Lame

To all dip sh!ts out there that believe the government is watching your every move is ludicrous. As of today I did get an auto update from µTorrent to auto update to the latest version. I use it daily and never had any issues with this application. Please everyone take a hit from your bong and smile you’re not paying for this content losers. Just download and enjoy and seed seed seed.
USA The Smart Ones Don’t Have To Worry

73 Jan 18, 2008 at 15:04 by oneplusone

[quote comment="266380"]To all dip sh!ts out there that believe the government is watching your every move is ludicrous. As of today I did get an auto update from µTorrent to auto update to the latest version. I use it daily and never had any issues with this application. Please everyone take a hit from your bong and smile you’re not paying for this content losers. Just download and enjoy and seed seed seed.
USA The Smart Ones Don’t Have To Worry[/quote]

There’s something to it, dipsh!t. And the USA is the country with the fewest “Smart Ones” by percentage.

Now go screw your AIDS infected whore and pretend yer OK.

74 Jan 18, 2008 at 17:36 by theromi

[quote comment="266380"]USA The Smart Ones Don’t Have To Worry[/quote]
In fact, the USA’s privacy laws are really, really bad. I would rather say that living in the USA is a reason to worry ;)

But besides that, you’re right: There is no proof of uTorrent being evil. But why should I use a closed-source program (which is, that’s a fact, owned by the movie industry), if there are much better ones, more features with less usage of resources (rTorrent)?
