Remote crash of uTorrent through webui


bugtest

Posted

I have found a strange problem in the webui; in short, a long increasing Range parameter sent multiple times can crash uTorrent 1.7.6 and BitTorrent 6.0.1 due to the access to the end of a buffer.

I have not investigated the problem further; anyway, the following proof-of-concept can replicate it:

...snip...

If the link doesn't work, copy it into the browser's bar.

Tested also the 1.8 beta version with success on different computers.

Posted

Welcome back ;) I'm sure the devs appreciate the trouble you go through and the attention-to-detail. Unfortunately I am getting some sort of redirect on that link... However when applying the same path as your previous POC it works (to let you know).

Posted

Thanks for the new quick version and sorry for the post; in future I will contact both of you directly for security-related problems.

Anyway, do you have details about the bug?

It seems to be something like a memory corruption, but it's very strange, especially considering how it is exploited (increased Range values).

Posted

So yeah, was my comment irrelevant to the task at hand? Being no coder, I'm interpreting this range exploit as relating to the HTTP Range requests that HTTP seeds utilize. I'd appreciate some other understanding :) especially since the other potential exploit mentioned for 1.7.7 also includes similar measures to lock down the extension protocol ad infinitum.

Archived

This topic is now archived and is closed to further replies.
