uTorrent apps vulnerable to remote code execution, information disclosure

News by Bradley Barth

The developer of uTorrent for Windows and uTorrent Web has been scrambling to issue patched versions of the BitTorrent-based peer-to-peer file-sharing apps after Google Project Zero researcher Tavis Ormandy found critical vulnerabilities that can result in remote code execution and information disclosure upon visiting malicious websites.

According to various reports, San Francisco-based BitTorrent, Inc. last week made a fix available for the most recent beta release of its classic uTorrent desktop app for Windows. The updated version will be pushed out automatically in short order, but it is also currently available for users to download themselves. BitTorrent engineering VP Dave Rees also told Engadget that a separate patch was issued for uTorrent Web earlier this week. Rees further elaborated that BitTorrent's own Windows-based app was similarly impacted, but was subsequently repaired.

A vulnerability report written by Ormandy explains that the problems pertain to the apps' Remote Procedure Call servers. "To be clear, visiting any [maliciously crafted] website is enough to compromise these applications," states Ormandy in the report.

In the case of uTorrent Web, which uses a web interface and is controlled by a browser, Ormandy explains that the client's authentication secret is stored inside the webroot, "so you can just fetch the secret and gain complete control of the service... This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable."

A DNS rebinding attack uses JavaScript in a malicious Web page to hijack a victim's router. To further demonstrate his point, Ormandy included a working exploit for this attack.

Meanwhile, the uTorrent desktop app was found to allow malicious websites to enumerate and copy files that the user has downloaded, using a brute force technique. Ormandy discovered several other issues as well, including an inadequate pseudorandom number generator used to create authentication tokens and cookies, session identifiers and pairing keys.
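The DNS rebinding and weak-token issues described above correspond to two server-side checks that any loopback control service can apply. The sketch below is an added illustration, not code from uTorrent, BitTorrent, Inc. or Ormandy's report, and not a description of the vendor's patch; the port, the host allowlist and the `Authorization: Bearer` scheme are assumptions made for the example.

```python
import hmac
import secrets

LISTEN_PORT = 8080  # constructed port for this example
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}  # loopback names only


def new_session_token() -> str:
    """Create a 256-bit token from the OS CSPRNG rather than a seeded PRNG.

    Keep it in memory or in a file outside the directory the HTTP server
    serves, so it cannot be fetched as a static resource.
    """
    return secrets.token_urlsafe(32)


def host_is_local(host_header, port: int = LISTEN_PORT) -> bool:
    """Accept only Host values naming the loopback interface on our port.

    In a rebinding attack the browser connects to 127.0.0.1 but still sends
    the attacker's domain in the Host header, so this check rejects it.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    name, sep, port_part = host.rpartition(":")
    if sep and port_part.isascii() and port_part.isdigit():
        req_port = int(port_part)
    else:
        # No explicit port (or a bare IPv6 literal): HTTP default applies.
        name, req_port = host, 80
    return name in ALLOWED_HOSTS and req_port == port


def authorize(headers: dict, expected_token: str) -> int:
    """Return the HTTP status a request should receive: 200, 401 or 403."""
    if not host_is_local(headers.get("Host")):
        return 403  # rebinding or proxied request: refuse before auth
    supplied = headers.get("Authorization", "")
    wanted = f"Bearer {expected_token}"
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(supplied.encode(), wanted.encode()):
        return 401
    return 200
```
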

In an email to SC Media UK, Paul Bischoff, privacy advocate for Comparitech.com, commented: "Torrenters must learn quickly about how to spot and protect themselves from malware. Files downloaded through BitTorrent and BitTorrent tracker sites are both common avenues that hackers use to spread malware. Now, adding to their list of concerns is the software used to manage torrent downloads. 

"Google's Project Zero team took the proper precautions and privately disclosed a vulnerability in uTorrent to the torrent manager's developers 90 days before disclosing it publicly. That should have been more than enough time for the uTorrent team to patch all of its software across all platforms, so it's a shame to see that some uTorrent users are now exposed to a zero-day vulnerability."
