Remote crash of uTorrent/BitTorrent

[bugtest]

I have found a problem in the latest version of utorrent (and bittorrent too) which allows the crash of the program from remote (luckily doesn't seem possible worst effects other than the crash) , where I can report it?

[DreadWingKnight]

Right here

[bugtest]

Ok, the problem is in the name of the clients (like utorrent 1.7.5 or bitcomet or Bittorrent and so on) which is visualized in the Peers window.

The name is copied in the buffer of the GUI without checking its length so is possible that anyone from outside can connect to the utorrent/bittorrent TCP port using a long client's name and the program will crash if or when the user watches the Peers window.

I have also written a proof-of-concept for testing the bug.

[Ryan Norton]

I have also written a proof-of-concept for testing the bug.

Could you post it somewhere please?

[bugtest]

Sure, although I wanted to avoid to make it public on a forum, anyway the link is the following:

if the link doesn't work copy it in the browser's bar.

Using is trivial, you must specify the SHA1 hash of the torrent located on the utorrent/bittorrent you want to crash or just pass the name of the torrent file, then the host and the port of the target.

For example:

ruttorrent debian.torrent 127.0.0.1 6881

then go in the Peers window of that specific torrent you are sharing and your utorrent/bittorrent client will crash immediately or, in some cases, will crash later.

[Ryan Norton]

Thanks a lot for letting us know about this.

[bugtest]

so the next beta will contain the fix right?

and for BitTorrent, will the bug fixed there too?

[Ryan Norton]

I have to clear it with the product manager, but yeah it is already fixed in the 1.7 and 1.8 branches

[jewelisheaven]

.. He reported a crash of the 1.6 branch? Nice find.

[Firon]

Read better. Applies to all versions.

[Greg Hazel]

Thanks for the report! This is fixed in 1.7.6, upgrading is strongly recommended. http://download.utorrent.com/1.7.6/utorrent.exe

[jewelisheaven]

Since 1.7.6 includes all fixes up to current, is the changelog correct in the ONLY changes applicable to the 1.7 line? Or are all issues not specific to 1.8 interface/functionality considered "fixed" in this new build?

[Firon]

1.7.6 has the 4 changes mentioned. Nothing more, nothing less.

[jewelisheaven]

That's a shame. I was hoping the fixes alus helped me verify relating to peer lists and banning wouldn't have to wait for 1.8.

[Switeck]

As funny as this sounds, I kind of hope uTorrent v1.6 line is vulnerable to this...that will give various web tracker admins with their head in the sand reason to upgrade uTorrent or ban uTorrent altogether.

...Of course, we know which one they'll likely choose.

If they haven't banned BitComet, then following their same logic they need to read "BitComet is Evil" thread.

[jewelisheaven]

LOL, but that is a good thing. It will definitely divulge the nonsensical trackers/admins out there. Who instead of wishing their users to be protected, choose to have them use outdated/unsupported software... you think any of them offer support on how to use uT, ROFL. In any case I don't believe I ever suffered the crash bug due to unchecked clientids but I'm running 1.7.6 now (I miss the program information injected into the early builds of 1.8 :/ ) It was so tidy in process explorer, heh

[bugtest]

is it normal that the update function of utorrent 1.7.5 doesn't see the new version?

[jewelisheaven]

Firon will take care of it <poke poke> <prod>

[Firon]

It's set on the beta updater only. I'll put it on the regular updater today.

[Ultima]

The point being to open the build a bit slowly to the public in case there are any major problems from the fix.

[jewelisheaven]

... which would be what? If the only fixes are the 4 listed in the changelog there is no problem.

[Ultima]

Huh?

[Ryan Norton]

It didn't effect the 1.6 line.