Zief, posted January 20, 2008:

So maybe edit it here http://update.utorrent.com/checkupdate.php and in the first post?

Rollo, posted January 20, 2008:

So, do we have a definitive answer regarding the vulnerability of the 1.6.x series? I agree that page one of this thread should be updated if 1.6.x is still OK. There are a lot of statements being made all over the place, mostly 2nd and 3rd hand information or worse. Regardless of what anyone says, I tend to believe what I read on page one of this thread, and it states that EVERYTHING prior to the 1.7.6 update is vulnerable.

DreadWingKnight, posted January 20, 2008:

There ARE exploits out there that 1.6.x is vulnerable to that are reportedly far more severe (remote code execution) than the one that is specifically fixed by 1.7.6 but this remote crash issue APPEARS to not be present.

stefshady, posted January 20, 2008:

The crash is still there. Mine just seizes or stops working; I have to restart my laptop for it to start again.

DreadWingKnight, posted January 20, 2008:

The crash will outright crash the client, not freeze it.

Post a new thread in the troubleshooting section with a HijackThis log and Process Explorer injected DLL list for the uTorrent process.

Zief, posted January 20, 2008:

@DreadWingKnight
If you are talking about http://secunia.com/advisories/24130/ this is fixed in 1.6.1 489. I don't see any other exploit.

DreadWingKnight, posted January 20, 2008:

There may be other exploits that haven't been found yet that got fixed by accident.

Additionally, the anti-p2p "bad block" ranges get blocked better by newer versions than they do by older ones. There are other bugs in 1.6.x that ARE fixed in 1.7.x and up as well.

There's no reason whatsoever to stick with 1.6.x unless you have more tinfoil than brain right now.

Zief, posted January 20, 2008:

> There may be other exploits that haven't been found yet that got fixed by accident.

ROTFL. Better don't say anything more.

There is reason to not go with new version, that's my problem, as well as many others. Just please *don't post false information*.

DreadWingKnight, posted January 20, 2008:

> There is reason to not go with new version, that's my problem

Ok then what reason is that?

If it's ANYTHING to do with MPAA involvement, I doubt you can back it up with proof.

Zief, posted January 20, 2008:

This is not the point of this discussion. I have my reasons. Just don't tell lies...

DreadWingKnight, posted January 20, 2008:

Ok, fine.

Feel free to live with your head in the sand though.

Firon (Author), posted January 20, 2008:

1.6 is exploitable with much more than just malformed torrents. Very bad string handling.

Besides, an issue like this is a stupid reason not to use the new version. You still use Windows, don't you? And all the other software that has security problems.

Nostromov, posted January 20, 2008:

Yeah I don't see a reason to fuss, Zief... Thanks for the new version guys!

system, posted January 20, 2008:

@jewelisheaven, 1.6.x does support extensions.

Here's what happens if you send the extension bit in a handshake to 1.6.1.

    \0x13BitTorrent protocol\0x00\0x00\0x00\0x00\0x00\0x10\0x00\0x00

Which means extensions are supported.

Next we get this:

    \0x14\0x00d1:ei0e1:mde1:pi32489e1:v14:µTorrent 1.6.1e

That's the extended messaging client name, the same one that's causing trouble in the 1.7.x versions.

What 1.6.x does not do is display the information it gets from that client name in the peers or logger pane, which probably explains why this bug does not affect 1.6.x.

Apparently it suits certain people to have everyone believe that 1.6 is affected though.

jewelisheaven, posted January 20, 2008:

My apologies. I misunderstood what I was told and expanded it from there. Anyone with brains and logic who listens to opposing views on the subject... read through the abstract the coder made on his proof of concept program. I'm not surprised Unicode wasn't in prior to BitTorrent, Inc. involvement... ludde created and coded uT for almost 2 years (if you start the clock when he first worked on it in '04 instead of starting at the first public build (110 if I'm not mistaken))... that's one helluva job for a guy with a normal 9-to-5~!!

Black_KeyT, posted January 20, 2008:

I just downloaded the new version today. I went to download a torrent and I received this message:

    C:/DOCU~1Name/LOCALS~1/TEMP\TORRENTNAME.torrent could not be opened, because the associated helper application does not exist. Change the association in your preferences.

Everything was working fine before. Help?

Firon (Author), posted January 20, 2008:

1.6 can be exploited through the extended messaging protocol (but it is not the same exploit that is affecting 1.7.x) due to problems with the string library. It is not the same as the malformed torrent exploit. system, you of all people should know. One of your own staff has managed to do it with 1.6.

As far as we know, 1.6.1 is not vulnerable to this exploit, or similar ones.

DreadWingKnight, posted January 20, 2008:

Black_KeyT: http://utorrent.com/faq.php#.C2.B5Torrent_won.27t_open_torrent_files_even_though_I_associated_torrents_with_it

Ryan Norton, posted January 20, 2008:

ludde was one of the authors of the extension header, and it made its way in around 1.4 I think. However, even uTorrent itself has to hack around previous versions because they never consistently updated the extended client version string.

All ancient history of course. This squabbling is all kind of silly, since none of the Bittorrent Inc. developers ever claimed (publicly, there was of course some mention on private IRC when we were testing versions) that 1.6 was vulnerable from this particular exploit.

There is a moral to this story of course - never use strcpy on a buffer with a fixed length from a string with a non-fixed length. In fact, probably never using strcpy is a good idea as well.

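Added example (not code from uTorrent, BitTorrent, Inc. or any poster in this thread): system's post above shows the client name arriving as the bencoded "v" string of the extended handshake, and Ryan Norton's post gives the strcpy moral. The C code below walks that payload and copies "v" into a fixed buffer only after checking the declared length against both the bytes received and the buffer size; the names `read_len`, `skip_value`, `client_name` and `SAMPLE` and the rejection policy are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample: the extended-handshake payload quoted above (after \x14\x00). */
static const unsigned char SAMPLE[] = "d1:ei0e1:mde1:pi32489e1:v14:\xb5Torrent 1.6.1e";

/* Read "<digits>:"; fail if the declared length exceeds the bytes left. */
static int read_len(const unsigned char **p, const unsigned char *end, size_t *len) {
    const unsigned char *s = *p;
    for (*len = 0; *p < end && **p >= '0' && **p <= '9'; (*p)++) {
        if (*len > (SIZE_MAX - 9) / 10) return -1;   /* would overflow */
        *len = *len * 10 + (size_t)(**p - '0');
    }
    if (*p == s || *p >= end || *(*p)++ != ':') return -1;
    return *len > (size_t)(end - *p) ? -1 : 0;
}

/* Skip one bencoded value of any type; nesting is depth-limited. */
static int skip_value(const unsigned char **p, const unsigned char *end, int depth) {
    size_t n;
    if (*p >= end || depth > 8) return -1;
    if (**p != 'i' && **p != 'l' && **p != 'd')      /* byte string */
        return read_len(p, end, &n) ? -1 : (*p += n, 0);
    int is_int = (*(*p)++ == 'i');
    while (*p < end && **p != 'e')
        if (is_int) (*p)++;
        else if (skip_value(p, end, depth + 1)) return -1;
    if (*p >= end) return -1;
    (*p)++;                                          /* closing 'e' */
    return 0;
}

/* Returns the name length, -1 if malformed or absent, -2 if it would not fit. */
int client_name(const unsigned char *p, size_t len, char *out, size_t out_size) {
    const unsigned char *end = p + len;
    size_t klen, vlen;
    if (len < 2 || *p++ != 'd') return -1;
    while (p < end && *p != 'e') {
        if (read_len(&p, end, &klen)) return -1;
        p += klen;
        if (klen == 1 && p[-1] == 'v') {
            if (read_len(&p, end, &vlen)) return -1;
            if (vlen >= out_size) return -2;         /* reject instead of overrunning */
            memcpy(out, p, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (skip_value(&p, end, 0)) return -1;
    }
    return -1;
}
```
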
system, posted January 21, 2008:

> 1.6 can be exploited through the extended messaging protocol (but it is not the same exploit that is affecting 1.7.x) due to problems with the string library. It is not the same as the malformed torrent exploit. system, you of all people should know. One of your own staff has managed to do it with 1.6.
>
> As far as we know, 1.6.1 cannot through the same method.

Assuming you mean staff from a certain TV site. What he did was run the code from milw0rm against 1.6.

There is only one piece of code for uT on milw0rm, and that's the malformed torrent code.

Here's what he said later:

> Ok - so first off, apologies for the time it took to sort this one out - I ended up complicating matters because I re-used some old code.
>
> So 1.6.0 is not vulnerable to the latest exploit. It is however a good idea to ban because of the original exploit from last year - this is the injection into the announce URL.
>
> 1.6.1 fixes that problem, and neither 1.6.0 nor 1.6.1 will crash with the new exploit.

jewelisheaven, posted January 21, 2008:

System read http://forum.utorrent.com/viewtopic.php?pid=299919#p299919 and http://forum.utorrent.com/viewtopic.php?pid=299924#p299924 cross-posted for your consumption. Trying to hold out on an old deprecated (and possibly exploitable) line is not common-sense, wise, or logical. ANY tracker, if indeed you are an admin/support/mod @ BmTV I laugh at you for blindly either knee-jerk banning or un-banning then re-banning without verification. ALL responsible sites which purport to be in the public's best interest should do their own testing of clients, OR in the event they are too busy / preoccupied to do it themselves... allow a select group of users to use suspect clients. I.e. they test with admin knowledge and approval to VERIFY / CHECK claims as to whether or not the problems are true (when relating at all with tracker interaction)... if it's just peer communication, sure they have no responsibility to pass along any (mis)information, but then they're just being lazy. The enlarged cerebrum supposedly separates us from "animals"... the inability of most people critical to ANYTHING without independent thought proves otherwise.

Edit: http://en.wikipedia.org/wiki/Burden_of_proof_(logical_fallacy)

system, posted January 21, 2008:

jewelisheaven: For starters, I do my own testing. This is how I know that 1.6.x are not susceptible to the new exploit.

When all the other sheeple were off banning, I was testing all versions from 1.6.0 to 1.7.5. Laugh all you want, but I do not do knee jerk. I do not have control of client bans at bm, but I do at other sites where I have not banned anything in a long time.

If you want to run the same tests I have, the link to the C-based exploit has been posted repeatedly, or I can supply a small PHP script I coded up for the occasion.

Those links you posted do not show any proof at all that 1.6.1 is exploitable. They just link back to Firon posting about something with no evidence. Here's the thing.

    ( Firon ) tbh, I'd rather have people believe it affects it
    ( Firon ) but yeah, if you really wanna know, 1.6.x isn't affected but the others are.

Now, why on earth would I take the word of someone who wants everyone to believe there is a problem with 1.6.x when he says that, big surprise, there's a problem with 1.6.x?

The only exploit findable with a Google search for 1.6.x is the malformed torrent one for 1.6.0.

This was fixed in 1.6.1 which is the version allowed on bm and other sites.

Holding out against new bugs by the bucketload is not unwise when the old version has not been proven to be exploitable. If anything, 1.6.1 has one less remote exploit than any of the 1.7.0-1.7.5 versions.

jewelisheaven, posted January 21, 2008:

OK then. I apologize if I was offensive. Thank you for posting your own independent tests. But please leave opinion out of it. An opinion is like an anus, everyone has one but do you really want to see everyone else's?

Ryan Norton, posted January 21, 2008:

...

system, posted January 21, 2008:

There is no opinion there.

Fact is 1.7.x can be crashed, 1.6.x can't and you can verify that yourself. The initial reports on What and other sites were based on someone using a known exploit on 1.6.0, which has been fixed in 1.6.1. From there, the 2 exploits got confused by a lot of admins leading to bans which is when I started trying to clear the FUD.

What is pure opinion is listing 1.6.x as exploitable with the new exploit on the first page of the thread and in the changelog, or speculating as to how 1.6.1 may be insecure because you cannot verify it does not have a bug, i.e. "As far as we know, 1.6.1 cannot through the same method, but it doesn't rule out the possibility".

As far as I know, 1.7.6 cannot blow up my monitor but I cannot rule out the possibility.

Or, the opinion that I don't do testing and like to ban clients.

This topic is now archived and is closed to further replies.