uTorrent Client Affected by Some Pretty Severe Security Flaws (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

uTorrent Client Affected by Some Pretty Severe Security Flaws (bleepingcomputer.com)

Posted by msmash on Wednesday February 21, 2018 @06:00AM from the security-woes dept.

A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop client that allow an attacker to infect a victim with malware or collect data on the users' past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.

31 of 95 comments (clear)

Min score:

Reason:

Sort:

Who still uses it? by Anonymous Coward · 2018-02-21 06:06 · Score: 2, Insightful

i thought people stopped using it once it started showing advertisements?
1. Re:Who still uses it? by Anonymous Coward · 2018-02-21 06:23 · Score: 2, Insightful
  
  I still use the old v2.x uTorrent. The article doesn't state which versions are vulnerable, but I doubt mine is because it's from before they started piling on a bunch of worthless bloatware "features".
2. Re:Who still uses it? by nospam007 · 2018-02-21 06:34 · Score: 1
  
  "i thought people stopped using it once it started showing advertisements?"
  Just switch the ad-showing off in the settings like everybody else.
3. Re:Who still uses it? by DarkRookie · 2018-02-21 06:57 · Score: 1
  
  They put that setting in? It wasn't like that at first.
  
  --
  The millennial that doesn't like most of the stuff designed for millennials.
4. Re:Who still uses it? by SeaFox · 2018-02-21 07:27 · Score: 5, Funny
  
  Still shows up as the top downloaded BitTorrent client on CNET and Softpedia
  I thought people stopped using CNET once it started bundling adware?
5. Re:Who still uses it? by Falos · 2018-02-21 07:37 · Score: 1
  
  My understanding is the garbage started at v2.3 and that v2.2.1 is what you wanna stop at.
  And someone down below said it's fine. Predates the "feature" indeed.
6. Re:Who still uses it? by youngone · 2018-02-21 09:17 · Score: 2, Informative
  
  Or just switch one of the many better torrent clients available like everyone else.
7. Re:Who still uses it? by LunaticTippy · 2018-02-21 09:48 · Score: 1
  
  It's hidden in the advanced settings. You need to toggle several values and they aren't easy to identify. Search for it and it takes a minute of fiddling.
  
  --
  Man, you really need that seminar!
8. Re:Who still uses it? by muphin · 2018-02-21 10:35 · Score: 1
  
  i use it, you can disable the advertisements in the advanced settings.
  
  --
  It's not a typo if you understood the meaning!
Yet another "don't click shit" by TFlan91 · 2018-02-21 06:07 · Score: 1

"The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. "
Sys admins need an addon that just removes all links from a webpage. Know the URL you want or suffer.
Really classic uT doesn't seem to be vulnerable by Artem+S.+Tashkinov · 2018-02-21 06:24 · Score: 5, Informative

Just tested the sample exploits against uTorrent 2.2.1 build 25302 - none has worked.
1. Re:Really classic uT doesn't seem to be vulnerable by OverlordQ · 2018-02-21 06:28 · Score: 1
  
  All they did was add another token to break the original exploit, revised exploit still works.
  
  --
  Your hair look like poop, Bob! - Wanker.
2. Re:Really classic uT doesn't seem to be vulnerable by Artem+S.+Tashkinov · 2018-02-21 06:29 · Score: 2
  
  Another reporter is confirming my findings: very old uTorrent clients (3.0) are not susceptible to these attacks.
3. Re:Really classic uT doesn't seem to be vulnerable by Tokolosh · 2018-02-21 06:36 · Score: 2
  
  My build 25273:
  Trigger crash: nothing
  Pairing request: popup with request, can deny or accept. If denied, nothing
  PIN request: same as pairing request
  Device transfer: nothing
  Connected to PIA VPN, if that is relevant.
  
  --
  Prove anything by multiplying Huge Number times Tiny Number
4. Re:Really classic uT doesn't seem to be vulnerable by GameboyRMH · 2018-02-21 07:43 · Score: 1
  
  Heh, running on Wine huh? I'm stuck in the same boat with 2.2.1 due to a massive legacy collection. I've had 2 bungled attempts to migrate to Deluge using the uTorrent Import plugin, but I think the bugs have been worked out and the pitfalls have been found now and 3rd time will be the charm.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
5. Re:Really classic uT doesn't seem to be vulnerable by Anonymous Coward · 2018-02-21 10:00 · Score: 1
  
  I can confirm this with uTorrent 2.2.1 on Windows 7 Ultimate SP1 64-bit (on bare metal, not under Wine) -- none of the exploits in question affect it. The pairing/pinning/devxfer requests bring up confirmation dialogs to which you just pick "No" (and the dialog descriptions even tell you to pick "No" unless you explicitly have reason to otherwise).
  The more "web crap" BitTorrent began shoving into uTorrent, the worse it got. Let this be a lesson: older is better.
Google Project Zero internals by CustomSolvers2 · 2018-02-21 06:27 · Score: 1

Does anyone know how it works internally? I guess that, practically speaking, its main point is having a positive impact on how Google is perceived. I also guess that they are "motivated" to find as many big bugs as possible. But there are tons of possible targets out there and finding serious bugs requires a relevant effort. Any clue about their usual approach on this front? There isn't much available information and I am honestly curious.

--
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
1. Re:Google Project Zero internals by CustomSolvers2 · 2018-02-21 09:45 · Score: 1
  
  This seems like a quite good last post, at least for a while. I will be answering whatever reply, but not writing new posts. I might come back in some months, no idea. So long, Slashdot.
  
  --
  Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
What's the greater risk by pastafazou · 2018-02-21 06:28 · Score: 1

using uTorrent to download questionable files from unknown sources, or downloading the questionable files themselves?
1. Re:What's the greater risk by nospam007 · 2018-02-21 06:35 · Score: 1
  
  "using uTorrent to download questionable files from unknown sources, ..."
  That's sort of uTorrent's thing.
Transmission by Dwedit · 2018-02-21 06:42 · Score: 2

Makes me glad I switched to Transmission, no BS there, just a simple torrent client.
1. Re:Transmission by Walter+White · 2018-02-21 15:16 · Score: 1
  
  Has this vulnerability in Transmission been fixed? https://www.securityweek.com/c...
2. Re:Transmission by Curupira · 2018-02-21 22:55 · Score: 1
  
  Has this vulnerability in Transmission been fixed? https://www.securityweek.com/c...
  Throwing away the mod points I've used in this thread so I can answer you:
  Yes, it was.
3. Re:Transmission by Walter+White · 2018-02-26 10:10 · Score: 1
  
  Thanks (and apologies for the wasted points.) I did a quick search and found references to the vulnerability but none on a fix. Bad google foo I guess.
4. Re:Transmission by Curupira · 2018-02-27 05:45 · Score: 1
  
  No problem, I was glad to participate in this discussion. Vulnerabilities pop up and (sometimes) get fixed so fast it's hard to keep up.
Meh by DarkRookie · 2018-02-21 06:56 · Score: 1

I stopped using uTorrent around 1.8 or 2.0.
Whenever they decided to put ads in the client. Moved over to qBitTorrent.

--
The millennial that doesn't like most of the stuff designed for millennials.
qbitorrent ? by echostorm · 2018-02-21 06:59 · Score: 2

I thought most everyone switched to qbitorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow Utorrent anymore. I'm guessing q isn't affected by this?
1. Re:qbitorrent ? by Anonymous Coward · 2018-02-21 07:34 · Score: 1
  
  utorrent has been shit since bittorrent (the company and 'inventor' of the protocol) bought it.
  and now with the push to a 'web' version.. that's just creepy, scary, and absolutely untrustworthy.
  use. something. else. made by someone else.
2. Re:qbitorrent ? by Voyager529 · 2018-02-21 08:41 · Score: 1
  
  I thought most everyone switched to qbitorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow Utorrent anymore. I'm guessing q isn't affected by this?
  Or Transmission or Deluge or Vuze or Tixati or rTorrent/rutorrent...really basically anything is better, but uTorrent got in right when Azureus started trying to add bloat to reinvent itself and Transmission was still not available on Windows, and then once all the tutorials used it began to morph into the abomination it is now.
  Even so, version 2.2.1 is the 'completed' version that is sufficiently used that it's the google autocomplete for "utorrent", and according to another poster here, it isn't vulnerable to this attack.
Use qBittorrent by Jahoda · 2018-02-21 07:04 · Score: 4, Insightful

uBittorent was nerfed and winamped years ago. qBittorent has taken its place as lightweight, clean, and reliable.
1. Re:Use qBittorrent by nmb3000 · 2018-02-22 12:02 · Score: 1
  
  winamped
  I've never seen this verb before, but wow it sure says a lot in a single word. Very nice.
  
  --
  "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  /)