megafonn Posted January 20, 2008: Some tracker sites announced there was an exploit in early versions that allows an attacker to take control of the computer the client is installed on. They claim this was corrected by 1.7.6 and they will ban earlier versions. Is it true that earlier versions had an exploit?
jewelisheaven Posted January 20, 2008: no wai?! On this tracker you're a member of, did they only previously allow 1.6.1? As you see in the changelog and as talked about on here, 1.7.5 was patched for an exploit to remotely crash the uTorrent process. It was caused by a malformed clientid.
DreadWingKnight Posted January 20, 2008: Most older versions are vulnerable to exploits, both known and unknown, which is part of the reason why we don't support older versions.
megafonn Posted January 20, 2008: I understand there might be an exploit in all versions, but the thing is, why now? First there was a flurry of "utorrent allegedly reporting personal info to xxxx organizations" and people were recommended to use 1.6.1 by tracker admins. Now they are leaning towards 1.7.6. That is the behavior I don't understand...
DreadWingKnight Posted January 20, 2008: I understand it quite well, because they finally realised that uTorrent doesn't actually send any of the data that they claim it does.
megafonn Posted January 20, 2008: Honestly, I don't trust tracker admins at all. They all ask for donations (in fact selling ratios or unlimited downloads) and never demonstrate where that money goes...
jewelisheaven Posted January 20, 2008: I applaud sites which are finally upgrading, removing the need to try and support deprecated, OLD versions. 1.6.1 build 490 was from February 16, 2007, and prior to that 1.6 build 474 was from July 2, 2006. Line 1.7 progressed from June until September 12, 2007, culminating with 1.7.5 build 4602. To suggest / enforce older versions without proper rebuttal to consistent replies from official resources is irresponsible. I am glad this remote crash has caused at least SOME of them to see the light.
ajones81 Posted January 20, 2008: Read "Line 1.7 progressed from June until September 12 11, 2007 culminating with 1.7.5 build 4602." as "Line 1.7 progressed from June until January 15, 2008 (hopefully) culminating with 1.7.6 build 7859."
osm0sis Posted January 20, 2008: The worst is that these site admins are now saying that the peer view exploit is verified not to exist in 1.6.1, so they're still allowing it over 1.7.6.
ajones81 Posted January 20, 2008: Sigh... Some people just never learn, do they? :/ I wonder what those admins have against 1.7.6? Thing is, if you ask them, they're not likely to have a coherent, intelligent answer to that question either. Darn FUD-spreaders and lazy morons... :mad:
jewelisheaven Posted January 20, 2008: In either case, trackers which knee-jerk ban/unban clients don't deserve your time, service or money.
system Posted January 20, 2008: "Darn FUD-spreaders and lazy morons" - Like those pesky admins listing 1.6.x as vulnerable to an overflow that only affects 1.7/1.8 versions so they can scare people into upgrading? Oh, you meant torrent site admins.

With regards to the original post, it was a lot of crossed wires (how these things usually start) whereby someone confused the new bug which affects 1.7.x and 1.8.x with an old bug that affects 1.6.0. 1.6.1 is not affected by either.

As to the seriousness of the old bug, it requires a malformed torrent file with a specially crafted announce URL, which is exactly the thing that won't survive past any upload/download script that adds passkeys. The exploit cannot work on most private sites. It will also be caught very quickly on public sites due to the torrent file not working for anybody. As the news spreads, more sites should start undoing the bans they put in place.
jewelisheaven Posted January 20, 2008: As the news spreads, people banning 1.7 should take up scientology and just kill themselves for Xenu. </rant>

Edit: To include useful information. Ryan's reply is relevant here: http://forum.utorrent.com/viewtopic.php?pid=299926#p299926
Firon Posted January 20, 2008: 1.6 can be exploited through the extended messaging protocol (but it is not the same exploit that is affecting 1.7.x) due to problems with the string library. It is not the same as the malformed torrent exploit. system, you of all people should know. One of your own staff has managed to do it with 1.6. As far as we know, 1.6.1 cannot be through the same method, but it doesn't rule out the possibility.
osm0sis Posted January 21, 2008: Hmm, just so people know, I'm told that "1.6.1 gets some funky characters with the PoC code, but does not crash."
Zief Posted January 21, 2008: And that's true, that's what it should do. All is good. But the information in the changelog is still false. Firon, the same can be said about everything, also the new 1.7.
DreadWingKnight Posted January 21, 2008: Here's the big difference: We don't support 1.6.x at all.
system Posted January 21, 2008: You may not support 1.6.x, but spreading FUD about it? I thought all you uT fanboys hated FUD.
Firon Posted January 21, 2008: The changelog was already fixed like 2 days ago, and so was the auto updater. The only thing that wasn't fixed was the forum post, which is fixed now.
system Posted January 22, 2008: The changelog is only updated on one of your download servers, leaving the old one being returned to ~50% of the people reading it.

Edit: if you want to skip all the stuff below, just check http://download2.utorrent.com/1.7.6/utorrent-1.7.6.txt /edit

nslookup download.utorrent.com:

    Non-authoritative answer:
    Name: download.utorrent.com
    Addresses: 72.20.34.146, 72.20.5.58

    <?php
    // Connect straight to one of the two addresses, but send the real Host header
    // so the virtual host still serves the file.
    $sock = fsockopen('72.20.34.146', 80);
    if (!$sock) die('dead');
    $i = 0;
    $headers = array();
    $headers[] = 'GET /1.7.6/utorrent-1.7.6.txt HTTP/1.1';
    $headers[] = 'Host: download.utorrent.com';
    $headers[] = 'Connection: close';
    fputs($sock, join("\r\n", $headers) . "\r\n\r\n");
    // Print only the first 15 lines: the response headers plus the top of the changelog.
    while ($line = fgets($sock, 8192)) {
        $i++;
        if ($i > 15) die();
        echo $line;
    }
    ?>

Gives:

    HTTP/1.1 200 OK
    Connection: close
    Vary: Accept-Encoding
    Content-Type: text/plain
    Accept-Ranges: bytes
    ETag: "-294234358"
    Last-Modified: Sat, 19 Jan 2008 22:12:15 GMT
    Content-Length: 28459
    Date: Tue, 22 Jan 2008 09:59:07 GMT
    Server: lighttpd/1.4.18

    --- 2008-01-15: Version 1.7.6 (build 7859)
    - Change: do not use adapter subnet to identify local peers
    - Fix: double-clicking to open items in RSS releases tab
    - Fix: remote crash bug (affects 1.7.x, and 1.8 builds released to date)

Changing that to 72.20.5.58 instead of 72.20.34.146 gives:

    HTTP/1.1 200 OK
    Connection: close
    Vary: Accept-Encoding
    Content-Type: text/plain
    Accept-Ranges: bytes
    ETag: "-1158150354"
    Last-Modified: Tue, 15 Jan 2008 23:32:26 GMT
    Content-Length: 28470
    Date: Tue, 22 Jan 2008 10:00:22 GMT
    Server: lighttpd/1.4.18

    --- 2008-01-15: Version 1.7.6 (build 7859)
    - Change: do not use adapter subnet to identify local peers
    - Fix: double-clicking to open items in RSS releases tab
    - Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)
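The post above checks the two mirrors by hand; the script below generalises that into a repeatable mirror-consistency check (an added example, not code from the forum or from uTorrent). It parses the two header blocks quoted above, reports which of ETag, Last-Modified and Content-Length disagree between addresses, and for live use resolves the host and queries every address with the real Host header, the same trick the PHP uses. The host, path and sample headers are those from the post; the function names are assumed.

```python
import http.client
import socket

HOST, PATH = "download.utorrent.com", "/1.7.6/utorrent-1.7.6.txt"
COMPARE = ("etag", "last-modified", "content-length")  # headers every mirror must agree on

# Header blocks transcribed from the post's two responses (bodies omitted).
SAMPLE = {
    "72.20.34.146": "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\n"
                    'ETag: "-294234358"\r\nLast-Modified: Sat, 19 Jan 2008 22:12:15 GMT\r\n'
                    "Content-Length: 28459\r\nServer: lighttpd/1.4.18\r\n\r\n",
    "72.20.5.58":   "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\n"
                    'ETag: "-1158150354"\r\nLast-Modified: Tue, 15 Jan 2008 23:32:26 GMT\r\n'
                    "Content-Length: 28470\r\nServer: lighttpd/1.4.18\r\n\r\n",
}

def parse_headers(raw: str) -> dict:
    """Turn a raw status line plus header block into a lowercase-keyed dict."""
    status, _, rest = raw.partition("\r\n")
    headers = {"status": status.split(" ", 1)[-1]}
    for line in rest.split("\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")   # only the first colon separates name/value
        headers[name.strip().lower()] = value.strip()
    return headers

def mirror_drift(per_ip: dict) -> dict:
    """Return {header: {ip: value}} for each compared header whose values differ."""
    drift = {}
    for name in COMPARE:
        values = {ip: h.get(name, "<missing>") for ip, h in per_ip.items()}
        if len(set(values.values())) > 1:
            drift[name] = values
    return drift

def fetch_headers(ip: str, host: str = HOST, path: str = PATH) -> dict:
    """Connect to one specific address but send the virtual-host name in Host: (network)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=10)
    conn.request("GET", path, headers={"Host": host, "Connection": "close"})
    resp = conn.getresponse()
    headers = {"status": f"{resp.status} {resp.reason}", **{k.lower(): v for k, v in resp.getheaders()}}
    conn.close()
    return headers

def check_host(host: str = HOST, path: str = PATH) -> dict:
    """Resolve every IPv4 address behind host, query each, and report disagreements."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})
    return mirror_drift({ip: fetch_headers(ip, host, path) for ip in ips})
```

Running `mirror_drift` over the parsed `SAMPLE` blocks reproduces the post's finding: all three compared headers differ between the two addresses, so the stale mirror is caught without reading the changelog by eye.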
Firon Posted January 22, 2008: Blah. I need to set up rsync instead of manually doing this. Fixed.