Successful exploit allows attacker to remotely execute arbitrary code

Aug 13, 2008 06:56 GMT  ·  By

Secunia has issued two advisories, SA31441 and SA31445, regarding a highly critical vulnerability that affects uTorrent versions 1.6 and 1.7.x up to 1.8 RC6, as well as the BitTorrent mainline client 6.0 up to 6.0.3. Secunia rated the vulnerability "Highly Critical" because it can allow an attacker to perform Denial of Service (DoS) attacks and remotely execute malicious code on the exploited system. uTorrent users are urged to upgrade to the new uTorrent 1.8 Stable, but there is still no fix for people using the BitTorrent mainline client.

The vulnerability was discovered by Rhys Kidd, who posted his findings on the DailyDave mailing list run by the security company Immunity. According to him, uTorrent's code base has been carrying a stack-based buffer overflow in its Unicode (wide-character) string handling for the last two years and, when uTorrent was acquired by BitTorrent Inc., the affected code was also integrated into the BitTorrent mainline client.

The Secunia advisory notes that "the vulnerability is caused due to a boundary error in the processing of '.torrent' files". An attacker could exploit this by getting a user to open a .torrent file whose "created by" field is very long. Mr. Kidd explains in his paper that the stack overflow occurs when uTorrent calls msvcrt.dll!wcscat(), the C runtime's wide-character string concatenation, on that field without checking that it fits the destination buffer. He has isolated the code responsible and presented a proof-of-concept exploit for it.
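The following is an added example, not Mr. Kidd's proof of concept and not uTorrent's or BitTorrent's own code, that shows the bug class the advisory describes: a bencoded .torrent dictionary is parsed, the "created by" value is widened to a wide-character string, and it is then concatenated with wcscat() into a fixed-size stack buffer. The unsafe routine reproduces the unbounded wcscat() pattern; the hardened one checks the length first and rejects an oversized field. The sample torrent, the crafted 300-byte field, the 64-element buffer size and the ASCII-only widening are all constructed assumptions for the demonstration; the parser deliberately handles only a flat top-level dictionary with string and integer values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed sample .torrent (flat top-level dictionary), not a real file. */
static const char SAMPLE_TORRENT[] =
    "d10:created by12:uTorrent/1.813:creation datei1218614400ee";

/* Look up a string value by key in a top-level bencoded dictionary.
 * Only string and integer values are supported (enough for the metadata
 * fields discussed here); nested lists/dicts make it return NULL. */
static const char *bencode_find_string(const char *buf, size_t len,
                                       const char *key, size_t *out_len)
{
    size_t pos = 0;
    if (len == 0 || buf[pos++] != 'd') return NULL;
    while (pos < len && buf[pos] != 'e') {
        size_t klen = 0;                               /* key: <digits>:<bytes> */
        while (pos < len && buf[pos] >= '0' && buf[pos] <= '9')
            klen = klen * 10 + (size_t)(buf[pos++] - '0');
        if (pos >= len || buf[pos++] != ':' || klen > len - pos) return NULL;
        const char *k = buf + pos;
        pos += klen;
        if (pos >= len) return NULL;
        if (buf[pos] == 'i') {                         /* integer value: i<digits>e */
            while (pos < len && buf[pos] != 'e') pos++;
            if (pos >= len) return NULL;
            pos++;
            continue;
        }
        if (buf[pos] < '0' || buf[pos] > '9') return NULL;  /* nested: unsupported */
        size_t vlen = 0;                               /* string value: <digits>:<bytes> */
        while (pos < len && buf[pos] >= '0' && buf[pos] <= '9')
            vlen = vlen * 10 + (size_t)(buf[pos++] - '0');
        if (pos >= len || buf[pos++] != ':' || vlen > len - pos) return NULL;
        if (klen == strlen(key) && memcmp(k, key, klen) == 0) {
            *out_len = vlen;
            return buf + pos;                          /* not NUL-terminated */
        }
        pos += vlen;
    }
    return NULL;
}

#define LINE_CAP 64   /* assumed fixed-size stack buffer, as in the vulnerable pattern */

/* VULNERABLE: unbounded wcscat() into a fixed stack buffer. A "created by"
 * value longer than the remaining space overwrites the saved frame.
 * Shown for contrast; never call it with untrusted input. */
static void created_by_line_unsafe(const wchar_t *created_by, wchar_t *out)
{
    wchar_t line[LINE_CAP];
    wcscpy(line, L"Created by: ");
    wcscat(line, created_by);            /* no length check against LINE_CAP */
    wcscpy(out, line);
}

/* HARDENED: the required length (prefix + field + NUL) is checked against the
 * destination before anything is written; an oversized field is rejected. */
static int created_by_line_safe(const wchar_t *created_by, wchar_t *out, size_t out_cap)
{
    static const wchar_t prefix[] = L"Created by: ";
    size_t need = wcslen(prefix) + wcslen(created_by) + 1;
    if (need > out_cap) return -1;
    wcscpy(out, prefix);
    wcscat(out, created_by);
    return 0;
}

/* Widen an ASCII byte field into a NUL-terminated wide string (assumption:
 * ASCII only; a real client would run a UTF-8 decoder here). */
static int widen_ascii(const char *s, size_t n, wchar_t *out, size_t cap)
{
    if (n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) out[i] = (wchar_t)(unsigned char)s[i];
    out[n] = L'\0';
    return 0;
}

/* Parse the torrent and build the display line with the hardened routine.
 * Returns 0 on success, -1 if the field is missing, -2 if it is too long. */
static int render_created_by(const char *torrent, size_t len, wchar_t *out, size_t out_cap)
{
    size_t n = 0;
    const char *field = bencode_find_string(torrent, len, "created by", &n);
    if (!field) return -1;
    wchar_t wide[4096];
    if (widen_ascii(field, n, wide, sizeof wide / sizeof wide[0]) != 0) return -2;
    return created_by_line_safe(wide, out, out_cap) == 0 ? 0 : -2;
}

/* Build a crafted torrent whose "created by" field is name_len bytes of 'A'
 * (constructed attacker input). Returns the total length, or 0 if buf is too small. */
static size_t make_crafted_torrent(char *buf, size_t cap, size_t name_len)
{
    int head = snprintf(buf, cap, "d10:created by%zu:", name_len);
    if (head < 0 || (size_t)head + name_len + 2 > cap) return 0;
    memset(buf + head, 'A', name_len);
    buf[head + name_len] = 'e';
    buf[head + name_len + 1] = '\0';
    return (size_t)head + name_len + 1;
}

int main(void)
{
    wchar_t line[LINE_CAP], wide[64];
    size_t n = 0;
    const char *f = bencode_find_string(SAMPLE_TORRENT, sizeof SAMPLE_TORRENT - 1, "created by", &n);
    widen_ascii(f, n, wide, 64);
    created_by_line_unsafe(wide, line);  /* benign length: both routines agree */
    printf("unsafe: %ls\n", line);
    render_created_by(SAMPLE_TORRENT, sizeof SAMPLE_TORRENT - 1, line, LINE_CAP);
    printf("safe:   %ls\n", line);

    char crafted[1024];                  /* 300-byte field: rejected, not overflowed */
    size_t clen = make_crafted_torrent(crafted, sizeof crafted, 300);
    printf("crafted -> %d\n", render_created_by(crafted, clen, line, LINE_CAP));
    return 0;
}
```

The point of the hardened version is that the check is made on the total required length before the first write, and the oversized field is refused rather than silently truncated; a truncating wcsncat() would avoid the overflow but would still let a crafted file influence what the user sees.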

The uTorrent developer had been aware of this vulnerability before it was made public, as he had silently patched it in uTorrent 1.8 RC7. Many users were holding off upgrading until a final 1.8 release was available, while others did not plan on upgrading at all, either because they feared that 1.8, the first version released after uTorrent was acquired by BitTorrent Inc., might contain tracking or monitoring software, or simply because they did not like the idea of using software owned by that company.

BitTorrent Inc. is the company founded by Bram Cohen, the creator of the BitTorrent protocol and of the original BitTorrent client. In late 2005, he signed an agreement with the MPAA (Motion Picture Association of America) to remove all infringing content from the BitTorrent website and to comply with the Digital Millennium Copyright Act. This drew a wave of negative reactions from the file-sharing community at the time, as did the later sale of uTorrent, the world's most popular BitTorrent client.

BitTorrent Inc. bought uTorrent because of its huge user base and because it is probably the most bloat-free and optimized BitTorrent client, with a very small footprint. The plan was to incorporate uTorrent code into the BitTorrent mainline client while keeping uTorrent a free project. That integration also carried the vulnerable code into the BitTorrent client and, while uTorrent users can upgrade to a patched version, there is still no fix for BitTorrent users other than staying away from untrusted .torrent files.

[Images: uTorrent 1.8 Stable; the "created by" field of a .torrent file]