Google researcher Tavis Ormandy discovered several critical vulnerabilities in the classic and web-based versions of BitTorrent’s uTorrent application. Patches have been released, but it appears that not all flaws have been fixed properly.
Ormandy found that the uTorrent Classic and the uTorrent Web apps create an HTTP RPC server on ports 10000 and 19575, respectively. These RPC servers and some vulnerabilities allow remote attackers to take control of the apps with little user interaction.
In the case of uTorrent Web, which is accessed by users via their web browser, the application relies on a random token that is included in every request for authentication. The problem, according to Ormandy, is that the token can be easily obtained by an attacker from the web root folder and abused to take control of the service.
A malicious actor can exploit the flaw to change the torrent download folder and download a file to any writable location. For example, a hacker could change the download directory to the Startup folder in Windows and download an executable file, which would run on every startup.
Ormandy noted that the web root folder also contains other data – not just the authentication token – including settings, logs and crash dump files.
In the case of uTorrent Classic, the Google researcher discovered a vulnerability that allows a malicious website to obtain the targeted user’s download history.
The expert also noticed that the application disables the ASLR and GS exploit mitigations, and that the guest account does not disable some features – the app’s documentation says many features are disabled for security reasons.
Finally, Ormandy found a design flaw related to the use of the Mersenne Twister pseudorandom number generator (PRNG) for creating authentication tokens and cookies, session identifiers, and pairing keys.
The vulnerabilities were reported to BitTorrent on November 27 and they were made public on Tuesday. Ormandy released technical details and proof-of-concept (PoC) code for the more serious of the vulnerabilities he discovered.
The latest beta version of uTorrent Classic (3.5.3 build 44352) patches the flaws, but Ormandy noted that it still disables the ASLR mitigation. As for uTorrent Web, BitTorrent has attempted to implement a patch, but the Google Project Zero researcher said he had managed to bypass it.
SecurityWeek has reached out to BitTorrent for clarifications and will update this article if the company responds.
To read the original article: