Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Peers static overflow in BitTorrent 6.0 and uTorrent 1

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-disclosure] Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5
Date: Wed, 16 Jan 2008 19:47:28 +0100 

#######################################################################

                             Luigi Auriemma

Applications: BitTorrent and uTorrent
              http://www.bittorrent.com
              http://www.utorrent.com
Versions:     BitTorrent <= 6.0 (build 5535)
              uTorrent <= 1.7.5 (build 4602)
              uTorrent <= 1.8-alpha-7834
Platforms:    Windows confirmed
              Mac and Linux (both available only on BitTorrent) have
              not been tested
Bug:          crash caused by unicode static buffer-overflow
Exploitation: remote
Date:         16 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BitTorrent and uTorrent are the most used clients for the bittorrent
protocol and are both built over the same code base derived by
uTorrent.


#######################################################################

======
2) Bug
======


By default both the clients have the "Detailed Info" window active with
the "General" section visible in it where are reported various
informations about the status of the torrent and the trackers in use.

In this same window near "General" there is also the "Peers" section
which is very useful since it showes many informations about the other
connected clients like the percentage of availability of the shared
torrent, their IP address, country, speed and amount of downloaded and
uploaded data and moreover the version of their client (like
"BitTorrent 6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4"
and so on).

When this window is visualized by the user the unicode strings with the
software versions of the connected clients are copied in the relative
static buffers used for the visualization in the GUI through the
wcscpy function.

If this string is too long a crash will occur immediately or in some
cases (like on BitTorrent) could happen later or when the user watches
the status of another torrent or leaves the "Peers" window.
Code execution is not possible.

For exploiting the problem is enough that an external attacker connects
to the random port opened on the client and sends the long client
version and the SHA1 hash of the torrent currently in use and watched
on the target.
Note that all these parameters (client IP, port and torrent's hash) are
publicly available on the tracker.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ruttorrent.zip


#######################################################################

======
4) Fix
======


uTorrent 1.7.6 (build 7859) released the same day I reported the
vulnerability, great job!

Actually there are no info about when the new version or build of
BitTorrent will be released.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Aria-Security.Net] Real Estate Web SQL Injection, no-reply
Next by Date:  mcGuestbook v1.2 Remote File Inc., gokhankaya
Previous by Thread:  [Aria-Security.Net] Real Estate Web SQL Injection, no-reply
Next by Thread:  Re: [Full-disclosure] Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5, Luigi Auriemma
Indexes:  [Date] [Thread] [Top] [All Lists]