Mailing List Archive

Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5
#######################################################################

Luigi Auriemma

Applications: BitTorrent and uTorrent
http://www.bittorrent.com
http://www.utorrent.com
Versions: BitTorrent <= 6.0 (build 5535)
uTorrent <= 1.7.5 (build 4602)
uTorrent <= 1.8-alpha-7834
Platforms: Windows confirmed
Mac and Linux (both available only on BitTorrent) have
not been tested
Bug: crash caused by unicode static buffer-overflow
Exploitation: remote
Date: 16 Jan 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BitTorrent and uTorrent are the most used clients for the bittorrent
protocol and are both built over the same code base derived by
uTorrent.


#######################################################################

======
2) Bug
======


By default both the clients have the "Detailed Info" window active with
the "General" section visible in it where are reported various
informations about the status of the torrent and the trackers in use.

In this same window near "General" there is also the "Peers" section
which is very useful since it showes many informations about the other
connected clients like the percentage of availability of the shared
torrent, their IP address, country, speed and amount of downloaded and
uploaded data and moreover the version of their client (like
"BitTorrent 6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4"
and so on).

When this window is visualized by the user the unicode strings with the
software versions of the connected clients are copied in the relative
static buffers used for the visualization in the GUI through the
wcscpy function.

If this string is too long a crash will occur immediately or in some
cases (like on BitTorrent) could happen later or when the user watches
the status of another torrent or leaves the "Peers" window.
Code execution is not possible.

For exploiting the problem is enough that an external attacker connects
to the random port opened on the client and sends the long client
version and the SHA1 hash of the torrent currently in use and watched
on the target.
Note that all these parameters (client IP, port and torrent's hash) are
publicly available on the tracker.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ruttorrent.zip


#######################################################################

======
4) Fix
======


uTorrent 1.7.6 (build 7859) released the same day I reported the
vulnerability, great job!

Actually there are no info about when the new version or build of
BitTorrent will be released.


#######################################################################


---
Luigi Auriemma
http://aluigi.org