Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5

2008.01.21
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#######################################################################

                             Luigi Auriemma

Applications:   BitTorrent and uTorrent
                http://www.bittorrent.com
                http://www.utorrent.com
Versions:       BitTorrent <= 6.0 (build 5535)
                uTorrent <= 1.7.5 (build 4602)
                uTorrent <= 1.8-alpha-7834
Platforms:      Windows confirmed
                Mac and Linux (both available only on BitTorrent) have not
                been tested
Bug:            crash caused by unicode static buffer-overflow
Exploitation:   remote
Date:           16 Jan 2008
Author:         Luigi Auriemma
                e-mail: aluigi (at) autistici (dot) org
                web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

BitTorrent and uTorrent are the most used clients for the bittorrent
protocol and are both built on the same code base, derived from uTorrent.

#######################################################################

======
2) Bug
======

By default both clients open the "Detailed Info" window with the
"General" tab visible, which reports various information about the
status of the torrent and the trackers in use.
Next to "General" there is also the "Peers" tab, which is very useful
since it shows a lot of information about the other connected clients:
the percentage of the shared torrent they have available, their IP
address, country, speed, the amount of data downloaded and uploaded and,
moreover, the version of their client (like "BitTorrent 6.0",
"Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4" and so on).

When the user views this tab, the unicode strings holding the software
versions of the connected clients are copied into the static buffers
used for display in the GUI through the wcscpy function, without any
check on their length.

If such a string is too long the client crashes, either immediately or,
in some cases (like on BitTorrent), later, when the user looks at the
status of another torrent or leaves the "Peers" tab.
Code execution is not possible.

To exploit the problem it is enough for an external attacker to connect
to the random port opened by the client and send a long client version
together with the SHA1 hash of the torrent currently in use and being
watched on the target.
Note that all these parameters (client IP, port and torrent hash) are
publicly available from the tracker.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ruttorrent.zip

#######################################################################

======
4) Fix
======

uTorrent 1.7.6 (build 7859) was released the same day I reported the
vulnerability, great job!
Actually there is no information about when a new version or build of
BitTorrent will be released.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
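The copy described in section 2 of the advisory, as an added example that is not part of the advisory and is not the BitTorrent or uTorrent code: a C sketch of the vulnerable pattern (an unbounded wcscpy of a peer-supplied client-version string into a static wide-character buffer) next to a bounded copy that truncates, always terminates the string and reports the truncation. The buffer size, the function names and the sample version strings are assumptions for illustration; the advisory does not state the real size of the buffer inside the clients.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed width of the per-peer "Client" column as the GUI might declare
 * it. The real size inside BitTorrent/uTorrent is not given in the
 * advisory; 32 wide characters is an illustrative choice. */
#define PEER_CLIENT_COLUMN_CHARS 32

/* Static storage, as the advisory describes: a fixed wide-char buffer that
 * the "Peers" view fills before drawing the row. */
static wchar_t g_peer_client_column[PEER_CLIENT_COLUMN_CHARS];

/* Vulnerable pattern: unbounded wcscpy of a remote-controlled string.
 * Any version string of PEER_CLIENT_COLUMN_CHARS or more characters
 * writes past the end of g_peer_client_column. Kept only to show the
 * defect; never call it with data received from a peer. */
void show_peer_client_unsafe(const wchar_t *client_version)
{
    wcscpy(g_peer_client_column, client_version);
}

/* Bounded copy: stores at most dst_chars-1 characters, always writes the
 * terminating L'\0', and sets *truncated when the source did not fit.
 * Returns the number of characters stored (excluding the terminator). */
size_t copy_peer_client_bounded(wchar_t *dst, size_t dst_chars,
                                const wchar_t *src, int *truncated)
{
    size_t n = 0;
    if (dst_chars == 0) {
        if (truncated) *truncated = 1;
        return 0;
    }
    while (n < dst_chars - 1 && src[n] != L'\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = L'\0';
    if (truncated) *truncated = (src[n] != L'\0');
    return n;
}

/* Hardened replacement for show_peer_client_unsafe(). Returns 1 when the
 * version string was cut to fit, 0 when it was copied whole. */
int show_peer_client_safe(const wchar_t *client_version)
{
    int truncated = 0;
    copy_peer_client_bounded(g_peer_client_column, PEER_CLIENT_COLUMN_CHARS,
                             client_version, &truncated);
    return truncated;
}

/* Receive-side check: does this version string fit the column at all? */
int version_fits(const wchar_t *client_version, size_t dst_chars)
{
    return wcslen(client_version) < dst_chars;
}

/* Constructed hostile input: a version string of `len` 'A' characters, as
 * a malicious peer could send. Uses a static scratch buffer for the demo. */
#define DEMO_MAX_VERSION 4096
static wchar_t g_demo_version[DEMO_MAX_VERSION + 1];

const wchar_t *make_long_version(size_t len)
{
    if (len > DEMO_MAX_VERSION) len = DEMO_MAX_VERSION;
    for (size_t i = 0; i < len; i++) g_demo_version[i] = L'A';
    g_demo_version[len] = L'\0';
    return g_demo_version;
}

const wchar_t *peer_client_column(void)
{
    return g_peer_client_column;
}

int main(void)
{
    /* A normal peer: copied whole, not truncated. */
    int t = show_peer_client_safe(L"uTorrent 1.7.5");
    wprintf(L"normal peer: '%ls' truncated=%d\n", peer_client_column(), t);

    /* A hostile peer sending 2000 characters: would overflow with wcscpy,
     * is cut to PEER_CLIENT_COLUMN_CHARS-1 characters here. */
    t = show_peer_client_safe(make_long_version(2000));
    wprintf(L"hostile peer: stored %zu chars, truncated=%d\n",
            wcslen(peer_client_column()), t);
    return 0;
}
```

The bounded copy is deliberately written by hand rather than with wcsncpy, because wcsncpy does not guarantee a terminator when the source is as long as the destination; the truncation flag lets the GUI mark or drop a peer that sends an absurd version string instead of silently displaying a cut-off value.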


Copyright 2024, cxsecurity.com
