uTorrent apps found vulnerable to remote code execution, information disclosure

The developer of uTorrent for Windows and uTorrent Web has been scrambling to issue patched versions of the BitTorrent-based peer-to-peer file-sharing apps after Google Project Zero researcher Tavis Ormandy found critical vulnerabilities that can result in remote code execution and information disclosure when the user simply visits a malicious website.

According to various reports, San Francisco-based BitTorrent, Inc. last week made a fix available for the most recent beta release of its classic uTorrent desktop app for Windows. The updated version will be pushed out automatically in short order, but it is also currently available for users to download themselves. BitTorrent engineering VP Dave Rees also told Engadget that a separate patch was issued for uTorrent Web earlier this week. Rees further elaborated that BitTorrent's own Windows-based app was similarly impacted, but was subsequently repaired.

A vulnerability report written by Ormandy explains that the problems pertain to the local Remote Procedure Call (RPC) servers that the apps run, which a web page in the user's browser can reach. "To be clear, visiting any [maliciously crafted] website is enough to compromise these applications," states Ormandy in the report.

In the case of uTorrent Web, which uses a web interface and is controlled by a browser, Ormandy explains that the client's authentication secret is stored inside the webroot, "so you can just fetch the secret and gain complete control of the service... This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable."

In a DNS rebinding attack, JavaScript on a malicious web page makes requests to a hostname the attacker controls. After the page has loaded, the attacker's DNS server changes the answer for that hostname (the record carries a very short time-to-live) to an internal address such as 127.0.0.1. The browser's same-origin policy still treats the requests as going to the attacker's own origin, so the page can read responses from services listening on the victim's machine or home network; home routers are a common target, and here the target is the local RPC server. To further demonstrate his point, Ormandy included a working exploit for this attack.
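The following is an added illustration of the attack flow described above and of the defence that stops it; it is not code from uTorrent or from Ormandy's report. It models the attacker's rebinding resolver, a loopback RPC service that trusts every request (the vulnerable pattern), and the same service with a Host/Origin header check. The domain attacker.example, the address 203.0.113.10, the port 8080 and the path /token.html are all constructed for the example.

```python
"""Toy model of DNS rebinding against a localhost RPC service, and the
Host-header check that defeats it.  Added example, not uTorrent's code;
the domain, IPs, port and path below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

ATTACKER_NAME = "attacker.example"   # assumed attacker-controlled domain
ATTACKER_IP = "203.0.113.10"         # RFC 5737 documentation address (constructed)
LOCALHOST = "127.0.0.1"
RPC_PORT = 8080                      # assumed port of the local RPC service
SECRET_PATH = "/token.html"          # assumed path of the secret inside the webroot


class RebindingResolver:
    """Attacker DNS: the first answer points at the attacker's web server so
    the page can load; after the very short TTL expires, every later answer
    is 127.0.0.1.  The browser still believes the origin is
    http://attacker.example:8080, so same-origin fetches now reach loopback."""

    def __init__(self) -> None:
        self.lookups = 0

    def resolve(self, name: str) -> str:
        if name != ATTACKER_NAME:
            raise KeyError(name)
        self.lookups += 1
        return ATTACKER_IP if self.lookups == 1 else LOCALHOST


@dataclass
class Request:
    peer_ip: str            # address the request arrived from (loopback here)
    host: str               # Host header exactly as the browser sends it
    origin: Optional[str]   # Origin header, present on cross-site requests
    path: str


Handler = Callable[[Request, str], Dict[str, object]]


def handle_rpc_weak(req: Request, secret: str) -> Dict[str, object]:
    """Vulnerable pattern: anything that reaches the loopback socket is
    trusted, so the secret in the webroot is served to whoever asks."""
    if req.path == SECRET_PATH:
        return {"status": 200, "body": secret}
    return {"status": 404, "body": ""}


def _hostname(value: str) -> str:
    """Hostname from a Host header ('localhost:8080') or an Origin
    ('http://localhost:8080'): port removed, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def handle_rpc_hardened(req: Request, secret: str) -> Dict[str, object]:
    """Same service with a rebinding defence.  A rebound request arrives on
    loopback but carries the attacker's name in Host (and Origin, if sent),
    because the browser fills those from the URL, not the resolved address."""
    if _hostname(req.host) not in ALLOWED_HOSTS:
        return {"status": 403, "body": "unexpected Host header"}
    if req.origin is not None and _hostname(req.origin) not in ALLOWED_HOSTS:
        return {"status": 403, "body": "unexpected Origin header"}
    return handle_rpc_weak(req, secret)


def simulate_rebinding(handler: Handler, secret: str = "s3cr3t-token") -> Dict[str, object]:
    """Play the attack: load the page from the attacker, then fetch the secret
    from the 'same origin' after the name has been rebound to 127.0.0.1."""
    dns = RebindingResolver()
    assert dns.resolve(ATTACKER_NAME) == ATTACKER_IP   # page load hits the attacker
    assert dns.resolve(ATTACKER_NAME) == LOCALHOST     # TTL expired: now loopback
    # A same-origin GET from the page: no Origin header, Host names the attacker.
    req = Request(peer_ip=LOCALHOST, host=f"{ATTACKER_NAME}:{RPC_PORT}",
                  origin=None, path=SECRET_PATH)
    resp = handler(req, secret)
    return {"status": resp["status"], "secret_served": resp["body"] == secret}


def legitimate_request(handler: Handler, secret: str = "s3cr3t-token") -> Dict[str, object]:
    """The real web UI, opened as http://localhost:8080, must keep working."""
    req = Request(peer_ip=LOCALHOST, host=f"localhost:{RPC_PORT}",
                  origin=f"http://localhost:{RPC_PORT}", path=SECRET_PATH)
    resp = handler(req, secret)
    return {"status": resp["status"], "secret_served": resp["body"] == secret}


if __name__ == "__main__":
    print("weak, rebound:     ", simulate_rebinding(handle_rpc_weak))
    print("hardened, rebound: ", simulate_rebinding(handle_rpc_hardened))
    print("hardened, real UI: ", legitimate_request(handle_rpc_hardened))
```

The point the model makes is that the peer address is useless as a trust signal (the rebound request really does come from 127.0.0.1); the only thing that distinguishes it is the Host header the browser copied from the attacker's URL, which is why local services that accept browser traffic should compare Host and Origin against an allowlist of names they were actually started under.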

Meanwhile, the uTorrent desktop app was found to allow malicious websites to enumerate and copy files that the user has downloaded, using a brute-force technique. Ormandy discovered several other issues as well, including an inadequate pseudorandom number generator used to create authentication tokens and cookies, session identifiers and pairing keys, values that are only as strong as the unpredictability of the generator behind them.