uTorrent and Official BitTorrent Client Vulnerable to Remote DOS Attack
Written by enigmax on January 17, 2008
Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client, uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.
Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.
So far, the problem appears to affect these clients:
- BitTorrent 6.0 (build 5535)
- uTorrent 1.7.5 (build 4602)
- uTorrent 1.8 (alpha 7834)
Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.
The bug in detail (from Luigi’s site):
By default both the clients have the “Detailed Info” window active with the “General” section visible in it, where various information about the status of the torrent and the trackers in use is reported.
In this same window near “General” there is also the “Peers” section which is very useful since it shows much information about the other connected clients like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like “BitTorrent 6.0”, “Azureus 3.0.3.4”, “uTorrent 1.7.5”, “KTorrent 2.2.4” and so on).
When this window is visualized by the user the unicode strings with the software versions of the connected clients are copied in the relative static buffers used for the visualization in the GUI through the wcscpy function.
If this string is too long a crash will occur immediately or in some cases (like on BitTorrent) could happen later or when the user watches the status of another torrent or leaves the “Peers” window. Code execution is not possible.
For exploiting the problem is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched on the target. Note that all these parameters (client IP, port and torrent’s hash) are publicly available on the tracker.
The uTorrent team state that the flaw also affects all older uTorrent versions, 1.6 and 1.7.x, but they have been quick to respond, releasing a new build, uTorrent 1.7.6 (build 7859), which fixes the issue.
It can be downloaded here.
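The copy the advisory describes, next to a bounded alternative, as an added C example (not code from either client or from the advisory). The struct, the function names and the 64-character buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define PEER_CLIENT_MAX 64  /* assumed size of the GUI's static buffer */

/* Hypothetical stand-in for one row of the "Peers" list. */
struct peer_row {
    wchar_t client[PEER_CLIENT_MAX];  /* fixed-size display buffer */
    int truncated;                    /* 1 if the peer's string did not fit */
};
static struct peer_row demo_row;

/* Pattern the advisory describes: no length check, so PEER_CLIENT_MAX or
 * more characters write past row->client. For contrast only. */
void set_client_unchecked(struct peer_row *row, const wchar_t *peer_version)
{
    wcscpy(row->client, peer_version);
}

/* Hardened form: store at most PEER_CLIENT_MAX - 1 characters, always
 * terminate, mask control characters, and flag anything cut short so the
 * caller can log or drop the peer. Returns the characters stored. */
size_t set_client_bounded(struct peer_row *row, const wchar_t *peer_version,
                          size_t peer_len)
{
    size_t max = PEER_CLIENT_MAX - 1, i;
    for (i = 0; i < peer_len && i < max && peer_version[i] != L'\0'; i++) {
        wchar_t c = peer_version[i];
        row->client[i] = (c < 0x20 || c == 0x7f) ? L'?' : c;
    }
    row->client[i] = L'\0';
    row->truncated = (i < peer_len);
    return i;
}

/* Constructed input: `len` copies of L'A' standing in for a peer's string. */
size_t demo_store(size_t len)
{
    static wchar_t buf[10001];
    if (len > 10000) len = 10000;
    wmemset(buf, L'A', len);
    buf[len] = L'\0';
    return set_client_bounded(&demo_row, buf, len);
}

int main(void)
{
    size_t n = demo_store(10000);
    printf("stored=%zu truncated=%d\n", n, demo_row.truncated);
    return 0;
}
```

The `truncated` flag gives the caller a signal to log or disconnect a peer that announces an implausibly long client name, rather than silently displaying a clipped one.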
122 Responses
@68 MediaAttacker, these are hard words, and - I must admit - true, from the point of view of the internet community.
For Ludde, it is clear, that Bram can pay much more than the internet community. Why not stop uTorrent and get a real good job in the industry? With uTorrent behind, this must be easy. I could live with v1.6.
Why not help to get the p2p protocol a real good one, and help to have a really good open source implementation?
[quote comment="266297"][quote comment="266264"]Ludde, of course, does not owe me or any of us users anything. He provided us with a good, light, efficient torrent client that is probably the best one around. He’s always been very protective of his code, and that bothered me a little, but still, the program is terrific and I welcomed it and used it with no reservations.
The same goes for Bram Cohen. He created BitTorrent, a wonderful technology. Whereas I have absolutely nothing nasty to say about Ludde, I don’t feel the same way about Bram. In interviews, he always comes off as an extremely unpleasant, arrogant person, riding on his Asperger’s power trip pretending he’s such the boy whiz. I could forgive that if it were not for his dealings with this sad, abusive content industry we have to struggle with nowadays, be it regarding intellectual property maximalist agendas that do immense damage to consumers and the public good, be it regarding the absolutely crap content that they’ve been s****g out for a while.
Both Ludde and Bram do not owe me anything. Yet, I feel sad, betrayed, and disappointed in myself for being so naïve. For once believing they were siding with the good guys…that they were striving for something more important than money, that they believed in the power of the disruptive technologies they created to actually disrupt the old industrial forces in content production. I guess I have too much faith in people…
While I salute the initiative to pursue new business models, making a deal with the MPAA is certainly not the way to do it. There will be no innovation, just the same old business models transplanted to the Internet, with a few quirks here and there, backed up by strongly inequal IP laws, which in turn seek to sustain the artificial scarcity of digital content. I should have seen it coming as soon as Bram started arguing against net neutrality…
This is very, very sad, Ludde, this ruining of a beautiful thing. I hate to call anyone a sell out, but hey, you deserve it. I’m not going to name call Bram, since he’s beyond any help, but shame on you, Ludde. Hope you buy yourself something nice.[/quote]
shut up faggot[/quote]
Wow! Your scathing riposte must have MediaAttacker bawling like a little baby!
either that, or laughing like a drain at your utter lack of clue.
Fucktard dolt…
perhaps it’s on principal…
why support a client that is owned by The Man…
I still take my warning with Kaspersky Internet Security 7 about that DoS thing. And this one is 1.7.6 utorrent. So they couldn’t fix it??
So everyone has to install 1.7.6 and that’s all
[quote comment="265808"]anyone from norway here?or just any information. does the isp here monitor our downloads?do they redflag you if they monitor you downloading torrents?[/quote]
No. Your isp do neither monitor nor track your behaviour on the web.
But they might, if they’d like to.
They dont care what you do as long as you pay their overcharged bills for the slowest bb on the northern hemisphere….
[quote comment="265892"]Any recommends on the best client for Ubuntu? About to make the switch and was recommend uTorrent with Wine.
(Currently have uT 1.6 w/ XPSP2)
And Azureus is a no! Wasted resources… etc. (although the Sudoku plugin was nice).[/quote]
Been using ktorrent for several months, it’s light on resources and similar to utorrent, with the added kick & ban like azureus.
I also use KTorrent and like it as it reminds me of uTorrent (i.e., the interface).
I highly suggest it for those that are using Linux.
Currently I am using KTorrent under Linux Mint 4.0 and have no issues with it.
I should point out that it has a built-in “plug-in” that can use the PeerGuardian list and it also supports encryption and it works well for me as I use Comcast as my ISP.
[quote comment="265740"]Conspiracy Theory 101
This is probably a ploy, whether true threat or not, to make you upgrade so they can monitor you even more with the newer version.
I use 1.6.x because it’s the last version released before uTorrent was purchased.
Whether my theory is correct or not. I smell something fishy and I won’t be upgrading my uTorrent.
Just my 2 cents.[/quote]
And mine. We have 4 cents now. If this keeps up, we’ll have a slurpee in no time..
rtorrent ftw.
From uTorrent developer “It didn’t effect the 1.6 line.”.
Source: http://forum.utorrent.com/viewtopic.php?pid=298736#p298736
I have now tried ruttorrent “exploit” on my µTorrent 1.6.1 (490), and no crash. It is NOT affected. Please edit article :)
[quote comment="266254"]
Don’t get your panties in a bunch, numbnuts. That URL has fuck-all to do with what I posted. Did I suggest anywhere that I was worried about data-leakage? Erm… no.
If you’re suggesting that after v1.6 Ludde did NOT sell his tech to Bittorrent.inc then you’re actually even dumber than you originally appeared (& I had doubts that that was possible…)
HTH,
HAND,
kthxbai.[/quote]
Ok, here’s the real counter then (two of the first three hits for “MPAA BitTorrent Deal” on google):
http://www.news.com/2100-1032_3-5967750.html
http://www.boingboing.net/2005/11/22/mpaa-bram-cohen-anno.html
There’s no more to the deal than anything that google has for its indexing system.
For users like you, I see too much tinfoil and not enough research.
[quote comment="266208"]Torrent sucks anyway because trackers keep your ip’s…
µTorrent or Azureus or whatever, you can still be a target to make an example…
NewsGroups FTW and IRC FTW !!!
…Fuck the Rest…[/quote]
Oh dear, yet another deluded smart-ass! Like IRC and usenet servers do NOT keep IPs. Get a clue, and dream on.
[quote comment="265985"]To: Superior1
Stubborn as a mule dumber than a rock
i have nothing more to say to you :)[/quote]
Actually, I’m a lot smarter than you ever will be.
I tried the proof of concept myself, and I can tell you that my uTorrent 1.6.1 is still running.
[quote comment="266262"]zeropaid forums:
Bit Torrent are now affiliated with the big players Warner Brothers for example, and they have signed an agreement to distribute digital content through the Bit Torrent client, what does this mean? basically that uTorrent will be that distribution client at some point in the future, and how long before we see adverts for movies within uTorrent![/quote]
If that were to happen, users would switch clients immediately.
Also, on a sidenote;
[quote]Raiders wrote:
What’s the thrill of shutting uTorrent down on someone?[/quote]
Exactly. There is none. There are no systems to be taken over using this bug. And as for some TRUE statistics regarding this ‘problem’:
Being a co-admin of a 40000+ active members torrent community I can state that of the 79% in this community that are (still) using µTorrent 1.7.5, not one, I repeat: NOT 1 complaint about a freeze or crash of their client has been seen or reported yet. 3% has already updated (thanks to the autoupdate feature) to 1.7.6
This is all one big panic for (as far as I can see) an overhyped non-issue.
1.6.1 FTW
Found some info on uT/rt extended messaging and put something together in php.
1.7.x versions are definitely crashable, 1.6.x are not as they do not display the version info sent in the extended messages.
Version info of 10,000 bytes in length seems to work well. At 20,000, 1.7.2 was complaining of invalid packet length.
Some info regarding 1.6.x being vulnerable to shellcode execution has been making the rounds of site admins, but that exploit is a separate issue and relies on uploading a malicious torrent (POC on milw0rm). Sites that clean the uploaded torrents, or don’t allow public uploads should be fine allowing 1.6.x versions.
Utorrent has a fix…
Still on 1.6.1 but might upgrade if I notice a crash.
I use 1.6
i’d like to send a big fuck-you to the TF crew. thanks for stirring the FUD pot, again. that makes two things you guys are good at.
(ec - the other being plagiarism)
Maybe People Will think before they take things these people post as valid news stories….
So, when do we see a retraction statement on the incorrect things in this news release? any honorable news source will fess up to their incorrect reporting…
build 490 is fine
build 489 is fine
build 488 is not fine
build 474 is fine
utorrent, a simple client for simple people.
Azureus FTW!