Exploit in early versions?


megafonn

Posted

Some tracker sites announced there was an exploit in early versions that allows an attacker to take control of the computer the client is installed on. They claim this was corrected by 1.7.6 and they will ban earlier versions.

Is it true that earlier versions had an exploit?

Posted

no wai?! On this tracker you're a member of did they only previously allow 1.6.1?

As you see in the changelog and talked about on here, 1.7.5 was patched for an exploit to remotely crash the uTorrent process. It was caused by a malformed clientid.

Posted

I understand there might be an exploit in all versions, but the thing is, why now? First there was a fury of "utorrent allegedly reporting personal info to xxxx organizations" and people were recommended to use 1.6.1 by tracker admins. Now they are leaning towards 1.7.6. That is the behavior I don't understand...

Posted

Honestly, I don't trust tracker admins at all. They all ask for donations (in fact selling ratios or unlimited downloads) and never demonstrate where that money goes...

Posted

I applaud sites which are finally upgrading, removing the need to try and support deprecated, OLD versions. 1.6.1 build 490 was from February 16, 2007, and previous to that 1.6 build 474 was from July 2, 2006. Line 1.7 progressed from June until September 12, 2007 culminating with 1.7.5 build 4602. To suggest / enforce older versions without proper rebuttal to consistent replies from official resources is irresponsible. I am glad this remote crash has caused at least SOME of them to see the light.

Posted

Read "Line 1.7 progressed from June until September 12 11, 2007 culminating with 1.7.5 build 4602." as "Line 1.7 progressed from June until January 15, 2008 (hopefully) culminating with 1.7.6 build 7859." :P

Posted

Sigh... Some people just never learn, do they? :/ I wonder what those admins have against 1.7.6? Thing is, if you ask them, they're not likely to have a coherent intelligent answer to that question either. Darn FUD-spreaders and lazy morons... :mad:

Posted

> Darn FUD-spreaders and lazy morons

Like those pesky admins listing 1.6.x as vulnerable to an overflow that only affects 1.7/1.8 versions so they can scare people into upgrading? Oh, you meant torrent site admins.

With regards to the original post, it was a lot of crossed wires (how these things usually start) whereby someone confused the new bug which affects 1.7.x and 1.8.x with an old bug that affects 1.6.0.

1.6.1 is not affected by either.

As to the seriousness of the old bug, it requires a malformed torrent file with a specially crafted announce URL, which is exactly the thing that won't survive past any upload/download script that adds passkeys. The exploit cannot work on most private sites. It will also be caught very quickly on public sites due to the torrent file not working for anybody. As the news spreads, more sites should start undoing the bans they put in place.

Posted

1.6 can be exploited through the extended messaging protocol (but it is not the same exploit that is affecting 1.7.x) due to problems with the string library. It is not the same as the malformed torrent exploit. system, you of all people should know. One of your own staff has managed to do it with 1.6.

As far as we know, 1.6.1 cannot through the same method, but it doesn't rule out the possibility.

Posted

And that's true, that's what it should do. All is good. But information in changelog still is false.

Firon, the same can be said about everything, also new 1.7.

Posted

The changelog is only updated on one of your download servers, leaving the old one being returned to ~50% of people reading it.

Edit: if you want to skip all the stuff below, just check http://download2.utorrent.com/1.7.6/utorrent-1.7.6.txt /edit

nslookup download.utorrent.com:

Non-authoritative answer:
Name: download.utorrent.com
Addresses: 72.20.34.146, 72.20.5.58

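<?php
// Ask one specific backend (by IP) for the changelog, bypassing DNS round-robin.
$sock = fsockopen('72.20.34.146', 80);
if (!$sock) die('dead');

$headers = array();
$headers[] = 'GET /1.7.6/utorrent-1.7.6.txt HTTP/1.1';
$headers[] = 'Host: download.utorrent.com';
$headers[] = 'Connection: close';
fputs($sock, join("\r\n", $headers) . "\r\n\r\n");

// Print only the first 15 lines: the response headers plus the top of the changelog.
$i = 0;
while (($line = fgets($sock, 8192)) !== false) {
    $i++;
    if ($i > 15) break;
    echo $line;
}
fclose($sock);
?>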

Gives:

HTTP/1.1 200 OK
Connection: close
Vary: Accept-Encoding
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "-294234358"
Last-Modified: Sat, 19 Jan 2008 22:12:15 GMT
Content-Length: 28459
Date: Tue, 22 Jan 2008 09:59:07 GMT
Server: lighttpd/1.4.18

--- 2008-01-15: Version 1.7.6 (build 7859)
- Change: do not use adapter subnet to identify local peers
- Fix: double-clicking to open items in RSS releases tab
- Fix: remote crash bug (affects 1.7.x, and 1.8 builds released to date)

Changing that to 72.20.5.58 instead of 72.20.34.146 gives:

HTTP/1.1 200 OK
Connection: close
Vary: Accept-Encoding
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "-1158150354"
Last-Modified: Tue, 15 Jan 2008 23:32:26 GMT
Content-Length: 28470
Date: Tue, 22 Jan 2008 10:00:22 GMT
Server: lighttpd/1.4.18

--- 2008-01-15: Version 1.7.6 (build 7859)
- Change: do not use adapter subnet to identify local peers
- Fix: double-clicking to open items in RSS releases tab
- Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)
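
The per-backend comparison done by hand in the post above can be automated; the following is an added example, not part of the original thread. The function names are hypothetical, and the two sample responses are constructed from the ones quoted in the post, with bodies truncated to the lines shown there (so the Content-Length values are the quoted ones, not the sample body sizes).

```python
"""Compare one URL as served by each backend of a round-robin DNS name."""
import difflib

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers, body lines)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.splitlines()

def compare_mirrors(responses, validators=("etag", "last-modified", "content-length")):
    """responses maps backend IP -> raw response. Date is ignored on purpose:
    it changes on every request. Returns (mismatched validators, body changes)."""
    parsed = {ip: parse_response(raw) for ip, raw in responses.items()}
    mismatched = {}
    for v in validators:
        values = {ip: p[1].get(v) for ip, p in parsed.items()}
        if len(set(values.values())) > 1:
            mismatched[v] = values
    ips = sorted(parsed)
    ref_body = parsed[ips[0]][2]          # first backend is the reference copy
    changes = {}
    for ip in ips[1:]:
        body = parsed[ip][2]
        sm = difflib.SequenceMatcher(None, ref_body, body, autojunk=False)
        delta = [(ref_body[i1:i2], body[j1:j2])
                 for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]
        if delta:
            changes[ip] = delta
    return mismatched, changes

def _sample(etag, modified, length, date, crash_line):
    # Constructed sample: headers and changelog lines as quoted in the post.
    return "\r\n".join([
        "HTTP/1.1 200 OK", "Connection: close", f'ETag: "{etag}"',
        f"Last-Modified: {modified}", f"Content-Length: {length}",
        f"Date: {date}", "Server: lighttpd/1.4.18", "",
        "--- 2008-01-15: Version 1.7.6 (build 7859)",
        "- Change: do not use adapter subnet to identify local peers",
        "- Fix: double-clicking to open items in RSS releases tab", crash_line])

SAMPLES = {
    "72.20.34.146": _sample("-294234358", "Sat, 19 Jan 2008 22:12:15 GMT", 28459,
        "Tue, 22 Jan 2008 09:59:07 GMT",
        "- Fix: remote crash bug (affects 1.7.x, and 1.8 builds released to date)"),
    "72.20.5.58": _sample("-1158150354", "Tue, 15 Jan 2008 23:32:26 GMT", 28470,
        "Tue, 22 Jan 2008 10:00:22 GMT",
        "- Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)"),
}

if __name__ == "__main__":
    print(compare_mirrors(SAMPLES))
```

Any mismatch in ETag, Last-Modified or Content-Length between backends means readers are being served different copies of the same file, which is what produced the conflicting "affected versions" statements in this thread.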

Archived

This topic is now archived and is closed to further replies.
