µTorrent 1.7.7 released


Firon

  • Replies 413

So, do we have a definitive answer regarding the vulnerability of the 1.6.x series? I agree that page one of this thread should be updated if 1.6.x is still OK. There are a lot of statements being made all over the place, mostly 2nd and 3rd hand information or worse. Regardless of what anyone says, I tend to believe what I read on page one of this thread, and it states that EVERYTHING prior to the 1.7.6 update is vulnerable.


There may be other exploits that haven't been found yet that got fixed by accident.

Additionally, the anti-p2p "bad block" ranges get blocked better by newer versions than they do by older ones. There are other bugs in 1.6.x that ARE fixed in 1.7.x and up as well.

There's no reason whatsoever to stick with 1.6.x unless you have more tinfoil than brain right now.


There may be other exploits that haven't been found yet that got fixed by accident.

ROTFL :D

Better don't say anything more.

There is reason to not go with the new version, that's my problem, as well as many others'. Just please *don't post false information*.


1.6 is exploitable with much more than just malformed torrents. Very bad string handling.

Besides, an issue like this is a stupid reason not to use the new version. You still use Windows, don't you? And all the other software that has security problems.


@jewelisheaven, 1.6.x does support extensions.

Here's what happens if you send the extension bit in a handshake to 1.6.1.

\0x13BitTorrent protocol\0x00\0x00\0x00\0x00\0x00\0x10\0x00\0x00

Which means extensions are supported.

Next we get this:

\0x14\0x00d1:ei0e1:mde1:pi32489e1:v14:µTorrent 1.6.1e

That's the extended messaging client name, the same one that's causing trouble in the 1.7.x versions.

What 1.6.x does not do is display the information it gets from that client name in the peers or logger pane, which probably explains why this bug does not affect 1.6.x.

Apparently it suits certain people to have everyone believe that 1.6 is affected though.


My apologies. I misunderstood what I was told and expanded it from there. Anyone with brains and logic who listens to opposing views on the subject... read through the abstract the coder made on his proof-of-concept program. I'm not surprised Unicode wasn't in prior to BitTorrent, Inc. involvement... ludde created and coded uT for almost 2 years (if you start the clock when he first worked on it in '04 instead of starting at the first public build (110 if I'm not mistaken))... that's one helluva job for a guy with a normal 9-to-5~!!


I just downloaded the new version today. I went to download a torrent and I received this message:

C:/DOCU~1Name/LOCALS~1/TEMP\TORRENTNAME.torrent could not be opened, because the associated helper application does not exist. Change the association in your preferences.

Everything was working fine before. Help?


1.6 can be exploited through the extended messaging protocol (but it is not the same exploit that is affecting 1.7.x) due to problems with the string library. It is not the same as the malformed torrent exploit. system, you of all people should know. One of your own staff has managed to do it with 1.6.

As far as we know, 1.6.1 is not vulnerable to this exploit, or similar ones.


ludde was one of the authors of the extension header, and it made its way in around 1.4 I think. However, even uTorrent itself has to hack around previous versions because they never consistently updated the extended client version string.

All ancient history of course. This squabbling is all kind of silly, since none of the Bittorrent Inc. developers ever claimed (publicly, there was of course some mention on private IRC when we were testing versions) that 1.6 was vulnerable from this particular exploit.

There is a moral to this story of course - never use strcpy on a buffer with a fixed length from a string with a non-fixed length. In fact, probably never using strcpy is a good idea as well.

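The two posts above describe the exchange concretely: the reserved byte in the handshake that advertises the extension protocol, the extended handshake (message id 0x14, extended id 0x00) carrying a bencoded dict with the client name under "v", and the strcpy-into-a-fixed-buffer pattern that turns a peer-controlled string into a crash. The C below is an added example written for this page, not µTorrent's code: it checks the extension bit, pulls "v" out of the dict with a bounds check at every step, and copies it into a 32-byte buffer with an explicit limit in place of strcpy(). The sample bytes are constructed to mirror the ones quoted in the post (µ as the single Latin-1 byte 0xB5, which is how the 14-byte length shown adds up); the function names and the 32-byte buffer size are illustrative assumptions.

```c
/* Added example, not µTorrent code: handshake extension bit, "v" from the extended
 * handshake, and a bounded copy where the original used strcpy(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_BIT  0x10   /* reserved[5] & 0x10: peer speaks the extension protocol */
#define NAME_MAX 32     /* assumed size of the fixed client-name buffer */

/* Handshake: pstrlen(1) "BitTorrent protocol"(19) reserved(8) info_hash(20) peer_id(20). */
int handshake_supports_extensions(const uint8_t *hs, size_t len)
{
    if (len < 28 || hs[0] != 19 || memcmp(hs + 1, "BitTorrent protocol", 19) != 0) return 0;
    return (hs[20 + 5] & EXT_BIT) != 0;
}

/* Bencoded string <len>:<bytes>: sets *s/*n, returns pointer past it; NULL if malformed. */
static const uint8_t *read_string(const uint8_t *p, const uint8_t *end, const uint8_t **s, size_t *n)
{
    size_t len = 0;
    if (p >= end || *p < '0' || *p > '9') return NULL;
    while (p < end && *p >= '0' && *p <= '9') {
        if (len > (SIZE_MAX - 9) / 10) return NULL;            /* length would overflow */
        len = len * 10 + (size_t)(*p++ - '0');
    }
    if (p >= end || *p != ':' || len > (size_t)(end - p - 1)) return NULL;  /* truncated */
    *s = p + 1; *n = len;
    return p + 1 + len;
}

/* Skip one bencoded value (int, string, list or dict); NULL if malformed. */
static const uint8_t *skip_value(const uint8_t *p, const uint8_t *end)
{
    const uint8_t *s; size_t n;
    if (p >= end) return NULL;
    if (*p == 'i') {                                           /* i<digits>e */
        p++;
        if (p < end && *p == '-') p++;
        while (p < end && *p >= '0' && *p <= '9') p++;
        return (p < end && *p == 'e') ? p + 1 : NULL;
    }
    if (*p == 'l' || *p == 'd') {                              /* l...e  or  d<key><val>...e */
        int dict = (*p++ == 'd');
        while (p < end && *p != 'e') {
            if (!(p = skip_value(p, end))) return NULL;
            if (dict && !(p = skip_value(p, end))) return NULL;
        }
        return p < end ? p + 1 : NULL;
    }
    return read_string(p, end, &s, &n);
}

/* Extended handshake: 0x14 (extended) 0x00 (handshake) <bencoded dict>.
 * Returns the length of the "v" string and sets *val, or -1 if absent or malformed. */
long ext_client_name(const uint8_t *msg, size_t len, const uint8_t **val)
{
    const uint8_t *p, *end = msg + len, *k, *v; size_t klen, vlen;
    if (len < 3 || msg[0] != 0x14 || msg[1] != 0x00 || msg[2] != 'd') return -1;
    for (p = msg + 3; p < end && *p != 'e'; ) {
        if (!(p = read_string(p, end, &k, &klen))) return -1;  /* dict key */
        if (klen == 1 && k[0] == 'v') {
            if (!read_string(p, end, &v, &vlen)) return -1;
            *val = v;
            return (long)vlen;
        }
        if (!(p = skip_value(p, end))) return -1;              /* some other value */
    }
    return -1;
}

/* The bug class the thread describes: the peer chooses the length, strcpy() trusts it,
 * and the fixed buffer overflows:    char name[NAME_MAX]; strcpy(name, peer_name);
 * Bounded form: keep at most dstsz-1 bytes, always NUL-terminate, report what was kept. */
size_t copy_client_name(char *dst, size_t dstsz, const uint8_t *src, size_t srclen)
{
    if (dstsz == 0) return 0;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;                                   /* n < srclen means the name was truncated */
}

/* Constructed sample mirroring the post: handshake prefix with the extension bit set
 * (remaining bytes zero) and the 1.6.1 extended handshake. µ is the single Latin-1 byte
 * 0xB5, which is how "v" comes to 14 bytes. */
static const uint8_t SAMPLE_HS[68] = "\x13" "BitTorrent protocol" "\0\0\0\0\0\x10\0\0";
static const uint8_t SAMPLE_EXT[] = "\x14\x00" "d1:ei0e1:mde1:pi32489e1:v14:\xb5Torrent 1.6.1e";

/* Parse the sample into name; returns bytes copied, sets *ext_ok from the handshake. */
size_t demo_parse_sample(char *name, size_t namesz, int *ext_ok)
{
    const uint8_t *v = NULL;
    *ext_ok = handshake_supports_extensions(SAMPLE_HS, sizeof SAMPLE_HS);
    long n = ext_client_name(SAMPLE_EXT, sizeof SAMPLE_EXT - 1, &v);
    return n < 0 ? 0 : copy_client_name(name, namesz, v, (size_t)n);
}

int main(void)
{
    char name[NAME_MAX]; int ext_ok;
    size_t n = demo_parse_sample(name, sizeof name, &ext_ok);
    printf("extensions=%d client=\"%s\" (%zu bytes)\n", ext_ok, name, n);
    uint8_t hostile[200]; memset(hostile, 'A', sizeof hostile);   /* a peer sending a 200-byte "v" */
    n = copy_client_name(name, sizeof name, hostile, sizeof hostile);
    printf("hostile name: kept %zu of %zu bytes\n", n, sizeof hostile);
    return 0;
}
```

The point of the bounded copy is not that truncating a client name is pretty, but that the length of what lands in the buffer is decided by the receiver, not the peer; a caller that wants to notice oversized names can compare the return value with the source length and log or ban on mismatch.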

1.6 can be exploited through the extended messaging protocol (but it is not the same exploit that is affecting 1.7.x) due to problems with the string library. It is not the same as the malformed torrent exploit. system, you of all people should know. One of your own staff has managed to do it with 1.6.

As far as we know, 1.6.1 cannot through the same method.

Assuming you mean staff from a certain tv site. What he did was run the code from milw0rm against 1.6

There is only one piece of code for uT on milw0rm, and that's the malformed torrent code.

Here's what he said later:

Ok - so first off, apologies for the time it took to sort this one out - I ended up complicating matters because I re-used some old code.

So 1.6.0 is not vulnerable to the latest exploit. It is however a good idea to ban because of the original exploit from last year - this is the injection into the announce URL.

1.6.1 fixes that problem, and neither 1.6.0 nor 1.6.1 will crash with the new exploit.


System read http://forum.utorrent.com/viewtopic.php?pid=299919#p299919 and http://forum.utorrent.com/viewtopic.php?pid=299924#p299924 cross-posted for your consumption. Trying to hold out on an old deprecated (and possibly exploitable) line is not common-sense, wise, or logical. ANY tracker, if indeed you are an admin/support/mod @ BmTV, I laugh at you for blindly either knee-jerk banning or un-banning then re-banning without verification. ALL responsible sites which purport to be in the public's best interest should do their own testing of clients, OR in the event they are too busy / preoccupied to do it themselves... allow a select group of users to use suspect clients. I.e. they test with admin knowledge and approval to VERIFY / CHECK claims as to whether or not the problems are true (when relating at all to tracker interaction)... if it's just peer communication, sure, they have no responsibility to pass along any (mis)information, but then they're just being lazy. The enlarged cerebrum supposedly separates us from "animals"... the inability of most people to be critical of ANYTHING without independent thought proves otherwise.

Edit: http://en.wikipedia.org/wiki/Burden_of_proof_(logical_fallacy)


jewelisheaven:

For starters, I do my own testing. This is how I know that 1.6.x are not susceptible to the new exploit.

When all the other sheeple were off banning, I was testing all versions from 1.6.0 to 1.7.5. Laugh all you want, but I do not do knee jerk. I do not have control of client bans at bm, but I do at other sites where I have not banned anything in a long time.

If you want to run the same tests I have, the link to the C-based exploit has been posted repeatedly, or I can supply a small PHP script I coded up for the occasion.

Those links you posted do not show any proof at all that 1.6.1 is exploitable. They just link back to firon posting about something with no evidence. Here's the thing.

( Firon ) tbh, I'd rather have people believe it affects it

( Firon ) but yeah, if you really wanna know, 1.6.x isn't affected but the others are.

Now, why on earth would I take the word of someone who wants everyone to believe there is a problem with 1.6.x when he says that, big surprise, there's a problem with 1.6.x?

The only exploit findable with a google search for 1.6.x is the malformed torrent one for 1.6.0.

This was fixed in 1.6.1 which is the version allowed on bm and other sites.

Holding out against new bugs by the bucketload is not unwise when the old version has not been proven to be exploitable. If anything, 1.6.1 has one less remote exploit than any of the 1.7.0-1.7.5 versions.


There is no opinion there.

Fact is 1.7.x can be crashed, 1.6.x can't, and you can verify that yourself. The initial reports on What and other sites were based on someone using a known exploit on 1.6.0, which has been fixed in 1.6.1. From there, the 2 exploits got confused by a lot of admins, leading to bans, which is when I started trying to clear the FUD.

What is pure opinion is listing 1.6.x as exploitable with the new exploit on the first page of the thread and in the changelog, or speculating as to how 1.6.1 may be insecure because you cannot verify it does not have a bug, i.e. "As far as we know, 1.6.1 cannot through the same method, but it doesn't rule out the possibility".

As far as I know, 1.7.6 cannot blow up my monitor but I cannot rule out the possibility.

Or, the opinion that I don't do testing and like to ban clients :P


Archived

This topic is now archived and is closed to further replies.