Remote crash of uTorrent through webui

[bugtest]

I have found a strange problem in the webui, in short a long increasing Range parameter sent multiple times can crash uTorrent 1.7.6 and BitTorrent 6.0.1 due to the access to the end of a buffer.

I have not investigated more on the problem anyway the following proof-of-concept can replicate it:

...snip...

if the link doesn't work copy it in the browser's bar.

Tested also the 1.8 beta version with success on different computers.

[jewelisheaven]

Welcome back I'm sure the devs appreciate the trouble you go through and the attention-to-detail. Unfortunately I am getting some sort of redirect on that link... However when applying the same path as your previous POC it works (to let you know).

[bugtest]

don't click on the link but copy it in the browser and it will works, I have rechecked it just in this moment

[Ryan Norton]

Yeah, I got it.

We'd REALLY prefer it if you sent these to us directly though.

[Greg Hazel]

Found, fixed. 1.7.7 has this fix http://download.utorrent.com/1.7.7/utorrent-1.7.7.exe

You know, bugtest, you can email me at greg@bittorrent.com to report bugs directly.

[bugtest]

Thanx for the new quick version and sorry for the post, in future I will contact both of you directly for security related problems.

Anyway do you have details about the bug?

it seems something like a memory corruption but it's very strange moreover considering how to exploit it (increased Range values).

[jewelisheaven]

So yea, was my comment irrelevant to the task at hand.. Being no coder I'm interpreting this range exploit as relating to the HTTP Range requests http seeds utilize. I'd appreciate some other understanding especially since the other potential exploit mentioned for 1.7.7 also includes similar measures to lock-down the extension protocol ad infinitum.