bugtest, posted January 25, 2008:
I have found a strange problem in the webui. In short, a long increasing Range parameter sent multiple times can crash uTorrent 1.7.6 and BitTorrent 6.0.1 due to an access at the end of a buffer. I have not investigated the problem further; anyway, the following proof-of-concept can replicate it: ...snip... If the link doesn't work, copy it into the browser's address bar. Tested also the 1.8 beta version with success on different computers.
jewelisheaven, posted January 25, 2008:
Welcome back. I'm sure the devs appreciate the trouble you go through and the attention to detail. Unfortunately I am getting some sort of redirect on that link... However, when applying the same path as your previous POC, it works (just to let you know).
bugtest (author), posted January 25, 2008:
Don't click on the link but copy it into the browser and it will work; I have rechecked it just now.
Ryan Norton, posted January 26, 2008:
Yeah, I got it. We'd REALLY prefer it if you sent these to us directly though.
Greg Hazel, posted January 26, 2008:
Found, fixed. 1.7.7 has this fix: http://download.utorrent.com/1.7.7/utorrent-1.7.7.exe
You know, bugtest, you can email me at greg@bittorrent.com to report bugs directly.
bugtest (author), posted January 26, 2008:
Thanks for the quick new version, and sorry for the post; in future I will contact both of you directly for security-related problems. Anyway, do you have details about the bug? It seems something like a memory corruption, but it's very strange, especially considering how to exploit it (increased Range values).
jewelisheaven, posted January 26, 2008:
So yeah, was my comment irrelevant to the task at hand? Being no coder, I'm interpreting this range exploit as relating to the HTTP Range requests that HTTP seeds utilize. I'd appreciate some other understanding, especially since the other potential exploit mentioned for 1.7.7 also includes similar measures to lock down the extension protocol ad infinitum.
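The defensive counterpart to the class of bug discussed in this thread (a Range value that is not checked against the size of the buffer it will index), added here as an illustrative example. It is not uTorrent's or BitTorrent's code and does not show how the 1.7.7 fix was implemented; the function and struct names are assumptions. It parses a single "bytes=START-END" header, refuses values that overflow or lie outside the resource, and clamps an oversized END to the last byte before any caller touches memory.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Outcome of validating one "bytes=START-END" Range header (names assumed). */
typedef struct { int ok; uint64_t start; uint64_t end; } range_t;

/* Parse an unsigned decimal number without wrapping; 0 on failure.
 * A huge digit string must be rejected, not silently truncated. */
static int parse_u64(const char **p, uint64_t *out) {
    const char *s = *p;
    uint64_t v = 0;
    if (!isdigit((unsigned char)*s)) return 0;
    while (isdigit((unsigned char)*s)) {
        unsigned d = (unsigned)(*s - '0');
        if (v > (UINT64_MAX - d) / 10) return 0;   /* would overflow */
        v = v * 10 + d;
        s++;
    }
    *p = s;
    *out = v;
    return 1;
}

/* Validate a Range header for a resource of `size` bytes. Only a range that
 * lies wholly inside [0, size) is accepted, so code that later copies
 * buf[start..end] can never read past the end of the buffer. */
range_t parse_range(const char *hdr, uint64_t size) {
    range_t r = {0, 0, 0};
    uint64_t start, end;
    const char *p;
    if (strncmp(hdr, "bytes=", 6) != 0) return r;
    p = hdr + 6;
    if (!parse_u64(&p, &start)) return r;
    if (*p++ != '-') return r;
    if (*p == '\0') {
        end = size ? size - 1 : 0;             /* "START-": through last byte */
    } else if (!parse_u64(&p, &end) || *p != '\0') {
        return r;                               /* trailing garbage or overflow */
    }
    if (size == 0 || start >= size || end < start) return r;  /* unsatisfiable */
    if (end >= size) end = size - 1;            /* clamp END, as HTTP permits */
    r.ok = 1; r.start = start; r.end = end;
    return r;
}
```

Multi-range headers ("bytes=0-9,20-29") are deliberately not handled here; a server that accepts them must apply the same checks to every sub-range.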
This topic is now archived and is closed to further replies.