####################################################################### Luigi Auriemma Applications: BitTorrent and uTorrent http://www.bittorrent.com http://www.utorrent.com Versions: BitTorrent <= 6.0 (build 5535) uTorrent <= 1.7.5 (build 4602) uTorrent <= 1.8-alpha-7834 uTorrent 1.6.x NOT vulnerable Platforms: Windows confirmed Mac and Linux (both available only on BitTorrent) have not been tested Bug: unicode static buffer-overflow Exploitation: remote Date: 16 Jan 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== BitTorrent and uTorrent are the most used clients for the bittorrent protocol and are both built over the same code base derived by uTorrent. ####################################################################### ====== 2) Bug ====== By default both the clients have the "Detailed Info" window active with the "General" section visible in it where are reported various informations about the status of the torrent and the trackers in use. In this same window near "General" there is also the "Peers" section which is very useful since it showes many informations about the other connected clients like the percentage of availability of the shared torrent, their IP address, country, speed and amount of downloaded and uploaded data and moreover the version of their client (like "BitTorrent 6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4" and so on). When this window is visualized by the user the unicode strings with the software versions of the connected clients are copied in the relative static buffers used for the visualization in the GUI through the wcscpy function. If this string is too long a crash will occur immediately or in some cases (like on BitTorrent) could happen later or when the user watches the status of another torrent or leaves the "Peers" window. UPDATE 25 Jan 2008 Secunia has performed additional tests on the vulnerability and has found that code execution is possible. For exploiting the problem is enough that an external attacker connects to the random port opened on the client and sends the long client version and the SHA1 hash of the torrent currently in use and watched on the target. Note that all these parameters (client IP, port and torrent's hash) are publicly available on the tracker. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ruttorrent.zip ####################################################################### ====== 4) Fix ====== uTorrent 1.7.6 (build 7859) released the same day I reported the vulnerability, great job! UPDATE 25 Jan 2008 BitTorrent 6.0.1 released #######################################################################