uTorrent apps found vulnerable to remote code execution, information disclosure

The developer of uTorrent for Windows and uTorrent Web has been scrambling to issue patched versions of the BitTorrent-based peer-to-peer file-sharing apps after Google Project Zero researcher Tavis Ormandy found critical vulnerabilities that can result in remote code execution and information disclosure upon visiting malicious websites.

According to various reports, San Francisco-based BitTorrent, Inc. last week made a fix available for the most recent beta release of its classic uTorrent desktop app for Windows. The updated version will be pushed out automatically in short order, but it is also currently available for users to download themselves. BitTorrent engineering VP Dave Rees also told Engadget that a separate patch was issued for uTorrent Web earlier this week. Rees further elaborated that BitTorrent's own Windows-based app was similarly impacted, but was subsequently repaired.

A vulnerability report written by Ormandy explains that the problems pertain to the apps' Remote Procedure Call servers. "To be clear, visiting any [maliciously crafted] website is enough to compromise these applications," states Ormandy in the report.

In the case of uTorrentWeb, which uses a web interface and is controlled by a browser, Ormandy explains that the client's authentication secret is stored inside the webroot, "so you can just fetch the secret and gain complete control of the service... This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable."

A DNS rebinding attack uses JavaScript in a malicious Web page to hijack a victim's router. To further demonstrate his point, Ormandy included a working exploit for this attack.

Meanwhile, the uTorrent desktop app was found to allow malicious websites to enumerate and copy files that the user has downloaded, using a brute force technique. Ormandy discovered several other issues as well, including an inadequate pseudorandom number generator used to create authentication tokens and cookies, session identifiers and pairing keys.
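A defensive sketch of the two hardening measures these findings point to, added here as an illustration and not taken from the uTorrent code or Ormandy's report: a local RPC server rejects any request whose Host header is not its own loopback address (a rebound page still sends the attacker's hostname there), and the auth token comes from the OS CSPRNG and is never stored under the webroot. The port, the `X-Auth-Token` header and all function names are assumptions.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler

RPC_PORT = 8080  # constructed placeholder, not the real client's port
LOOPBACK_NAMES = ("127.0.0.1", "localhost", "[::1]")

# Drawn from the OS CSPRNG and held in memory only; nothing under the
# served directory ever contains it, so it cannot be fetched over HTTP.
AUTH_TOKEN = secrets.token_urlsafe(32)


def host_is_local(host_header, port=RPC_PORT):
    """True only if the Host header names this loopback service exactly."""
    if not host_header:
        return False
    allowed = {f"{name}:{port}" for name in LOOPBACK_NAMES}
    return host_header.strip().lower() in allowed


def token_is_valid(presented):
    """Constant-time comparison against the in-memory token."""
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(presented.encode(), AUTH_TOKEN.encode())


def authorize(headers):
    """Return the HTTP status an RPC handler should send for these headers."""
    if not host_is_local(headers.get("Host")):
        return 403  # rebound request: Host carries a foreign hostname
    if not token_is_valid(headers.get("X-Auth-Token")):  # hypothetical header
        return 401
    return 200


class RpcHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status = authorize(self.headers)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(b"ok\n" if status == 200 else b"denied\n")


if __name__ == "__main__":
    # Constructed sample requests: a rebound page, a local page without
    # the token, and the legitimate local UI.
    for hdrs in ({"Host": "attacker.example:8080", "X-Auth-Token": AUTH_TOKEN},
                 {"Host": "127.0.0.1:8080"},
                 {"Host": "localhost:8080", "X-Auth-Token": AUTH_TOKEN}):
        print(hdrs.get("Host"), "->", authorize(hdrs))
```

The Host check runs before the token check, so even a leaked token is not accepted from a page that reached the service through a rebound hostname.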

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
